A lack of budget for Internet of Things (IoT) security efforts is making Australian and New Zealand IT executives the world’s most anxious when it comes to IoT security, new figures have shown, as a raft of initiatives seeks to lock down exposure to IoT devices and industrial IoT sensors, meters and other mission-critical controls.
Fully 63 percent of ANZ respondents to the Forrester Research-ForeScout Technologies IoT and OT study said they were anxious about IoT security, compared to 54 percent in the US and 45 percent in Germany. This was attributed to IoT security’s added maintenance and costs (cited by 54 percent), fear of complexity (41 percent), the potential damage of a security breach (35 percent), and the lack of experts to manage the IoT solution (35 percent).
Lack of budget was the most-cited challenge for securing IoT devices, but only 31 percent of ANZ decision-makers said their organisation was planning to allocate more budget for IoT security – well behind the 44 percent response rate globally.
Although businesses are investing heavily and quickly in IoT – Gartner previously predicted that efficiency-minded businesses would deploy 3.1 billion connected ‘things’ this year and 7.5 billion in 2020 – security protections for the devices have trailed far behind as adopters slowly pivot to address the new security challenges the devices create.
The new figures suggest that many companies are still struggling to justify the investment in IoT security, likely either because they minimise the threat those devices pose or because they have failed to translate it into clear business terms. Yet this is unlikely to be a consolation when a new-generation ransomware attack uses an IoT exploit to penetrate the corporate network, actively spreading malware to every device it can reach.
Despite the growing threat, many companies are still struggling to work out the best approach to dealing with it. Respondents to the Forrester survey reported ongoing confusion about who is responsible for IoT security, with 37 percent attributing it to line-of-business practitioners, 34 percent to dedicated line-of-business IT staff, and 29 percent handballing the responsibility to the security operations centre.
This lack of co-ordinated response will leave many organisations struggling to gain the visibility they need to enforce IoT security – particularly as IoT-related data is increasingly shunted through cloud services designed for ease of access and management.
This shortcoming, warns Ixia ANZ general manager Ardy Sharifnia, reflects the visibility challenge many organisations are facing as their move into the cloud creates new security and operational “black spots”.
“Most organisations are using the cloud without visibility, and we are finding certain areas that represent a real problem that has become more and more prevalent,” he told CSO Australia. “The issue at the core is the west-to-east [internal] traffic between virtual instances in the cloud. As the cloud grows, there is the possibility that there will be black spots even with the best intentions of the providers.”
Whereas enterprise-level cloud deployments are generally run as initiatives with IT-department oversight, IoT deployments are often happening on an ad-hoc basis due to purchases of consumer-grade devices by employees or investments by operational units that have historically maintained their own competencies and practices around security.
This has left vulnerabilities within industrial operations, where IIoT has emerged as a subset of the IoT market focused on operational technology (OT) rather than information technology. IIoT investments will represent a significant part of business IoT spending, which Gartner has forecasted will represent 57 percent of IoT spending this year.
Sensing an opportunity, security vendors have moved to fill the void in IIoT security. Fortinet, for one, recently extended its Fortinet Security Fabric framework to address IIoT threats with FortiGuard Industrial Security Service – which adds “application control and defence signatures specific to critical infrastructure”.
Tenable recently joined forces with industrial-control giant Siemens to deliver Industrial Security from Tenable, which Tenable calls an “OT-dedicated passive vulnerability detection solution” and which targets safety-critical industrial control systems, SCADA and other systems.
“Cyberattacks against the O&G and utilities sector are on the rise and growing more sophisticated and aggressive by the day,” said Leo Simonovich, vice president and global head of Industrial Cyber and Digital Security with Siemens Energy, in a statement.
“Passive monitoring of all assets in these systems is critical to detecting and addressing vulnerabilities before they can be exploited and lead to disruption of essential public services like electricity, gas, and water.”