In the rush to enter the digital age, Industrial Internet of Things (IIoT) devices are in many cases reaching the market with little or no security; or, in that same rush to deploy IIoT, users are not applying defensive measures to safeguard against a widening attack surface.
The catch is that the number of cyberattacks, data breaches and overall business disruptions caused by unsecured Internet of Things (IoT) and IIoT devices is increasing, because companies do not know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies, a new report found.
IoT and IIoT offer compelling benefits, but they also present significant cybersecurity risks and a greatly expanded attack surface. Mitigating these risks by understanding IoT/IIoT platform security can help organizations realize the greater potential and benefits of these innovations.
The following top 10 risks were outlined by leaders from Deloitte Risk & Financial Advisory’s cyber practice and the industrial security provider Dragos:
1. Not having a security and privacy program
2. Lack of ownership/governance to drive security and privacy
3. Security not being incorporated into the design of products and ecosystems
4. Insufficient security awareness and training for engineers and architects
5. Lack of IoT/IIoT and product security and privacy resources
6. Insufficient monitoring of devices and systems to detect security events
7. Lack of post-market/implementation security and privacy risk management
8. Lack of visibility of products or not having a full product inventory
9. Identifying and treating risks of fielded and legacy products
10. Inexperienced/immature incident response processes
“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind,” said Sean Peasley, a partner in Risk & Financial Advisory and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP. “Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.”
“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy,” said Robert M. Lee, chief executive at Dragos Inc. “When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing. There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable.”
More than 4,200 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, “The Internet of Things and cybersecurity: A secure-by-design approach,” held May 30.
A majority (81 percent) of respondents indicated that information security is accountable for securing connected products in their organization. The information security team is still primarily where boards look to drive their cyber agenda, but as the 2019 Future of Cyber survey indicates, cyber is becoming everyone’s responsibility. It is critical to understand that if you are the plant manager, you likely have responsibility for the safety and liability of the operation. The challenge is that everyone has a role to play. Ultimately, the CEO is going to be held accountable.
How confident are respondents that their organizations’ connected products, devices, or other “things” are secure today? Not very.
Not Entirely Sure
More than half of respondents (51 percent) were somewhat confident, while 23 percent were uncertain or somewhat not confident, and only 18 percent felt very confident in their organizations’ ability to secure connected products and devices, the survey found.
A positive revelation was that 41 percent of respondents indicated they look to industry and professional organizations for guidance in driving security-by-design within their organizations. Another 28 percent said they look first to the regulatory bodies and agencies that set the standards, and 22 percent indicated that the leading practices guiding their security-by-design efforts were developed internally.