Survey Surfaces Raft of Industrial IoT Security Challenges

A survey of 800 senior IT managers, senior IT security managers and project managers responsible for industrial internet-of-things (IIoT)/operational technology (OT) found 94% reported their organization experienced a security incident in the last 12 months.

The survey, conducted by Barracuda Networks, also found 87% of organizations that experienced an incident were impacted for more than one day. More troubling still, a full 93% reported having failed when it comes IoT/OT security projects. The most common reasons cited for those failures were that the technology took too long to implement (55%), the technology was too expensive (41%), no one took clear responsibility for the project (39%) and the organization could not source technology that met their needs (38%).

Stefan Schachinger, product manager for network security for Barracuda Networks, said many of those failures could be attributed to the complexity of the security platforms that OT personnel are being asked to install and maintain. Most OT staff lack the same level of cybersecurity expertise found in a traditional IT department, he noted. Less than half of organizations (49%) can apply security updates themselves, the survey found.

Despite these issues, nearly three-quarters (72%) of respondents either already implemented or are in the process of implementing IIoT/OT security projects. Oil and gas companies (50%) are generally much farther ahead than manufacturing (24%) and health care organizations (17%), the survey found. Notably, three-quarters of organizations (75%) that have completed IIoT and OT security projects said they have not experienced a major incident.

The biggest security challenge many of these organizations will face is a bias toward air-gapped platforms that could only be accessed via a local laptop or USB stick, said Schachinger. Many of those devices are loaded with malware designed to be injected into an IoT environment when connected, he noted.

In contrast, when multifactor authentication (MFA) is enforced via the cloud those IoT environments wind up becoming more secure, said Schachinger. Only 18% of organizations, however, currently restricted network access using MFA, the survey finds. It’s also important to limit access to IoT environments based on the role of the individual, said Schachinger. Too many organizations give end users unrestricted access to IoT environments which can cause major cybersecurity issues when credentials are compromised, he said. Currently, only 43% of organizations implemented segmentation between IT and OT to limit access should an IIoT environment be compromised, the survey found.

Unfortunately, critical infrastructure is becoming a bigger target as global tensions increase. A full 89% of respondents said they are very or fairly concerned about the impact that the current threat landscape and the geopolitical situation will have on their organizations. Organizations running any type of critical infrastructure should assume attacks will become more targeted in the weeks and months ahead, noted Schachinger.

Ultimately, IoT is driving a major expansion of the attack surface that organizations need to defend. The challenge is the tools and processes being used to defend that attack surface depend far too much on legacy approaches that were never designed to be used at this level of scale by OT teams.

Avatar photo

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 746 posts and counting.See all posts by mike-vizard