There is a significant lack of confidence among IT leaders regarding their internet-of-things (IoT) security plans, according to a Viakoo survey of 150 U.S. IT leaders.

While 95% of IT leaders reported having IoT security plans in place, only 51% expressed confidence in their effectiveness. Moreover, over two-thirds of respondents wish they had approached their security plans differently to address vulnerabilities more swiftly.

The survey also highlighted key gaps in current IoT security strategies. Despite recognizing the importance of agentless security solutions, only 35% of IT leaders feel successful in implementing them.

Additionally, there is a growing concern over the escalating threat landscape, with data breaches, ransomware attacks and supply chain attacks ranking among the top emerging IoT threats.

To address these challenges, IT leaders are planning to ramp up investment in security stacks. However, the survey reveals a significant lack of knowledge and confidence among boards, with only 63% feeling adequately informed about IoT security to make informed decisions.

John Gallagher, vice president of Viakoo Labs at Viakoo, said organizations gain confidence when they can see that there is a complete process from finding vulnerabilities to remediating them and are able to do so quickly.

“With IoT device and application systems, organizations should use application-based discovery so that they can have a highly accurate starting point for assessing IoT vulnerabilities and a clear path to remediating vulnerabilities one application at a time,” he explained.

App-Based Asset Discovery for IoT

The survey revealed that starting with network-based asset discovery allowed many organizations to see that they were swimming in low-accuracy data and missing the tightly coupled device and application nature of IoT security.

Gallagher advises that, instead of going “a mile wide and an inch deep” with network-based asset discovery, organizations should start with application-based asset discovery that will show with high accuracy the combined device and application threats within an IoT system.

“By starting at an application level, organizations will more quickly reduce their IoT attack surface and deliver board-worthy results on IoT remediation,” he said.

Sarah Jones, cyber threat intelligence research analyst at Critical Start, said the expanding realm of IoT devices faces a critical security challenge due to weak practices, rendering them vulnerable on multiple fronts.

“This vulnerability is evident in several areas: Firstly, default passwords, often unchanged and easily guessed, serve as an invitation for brute-force attacks,” she said.

Secondly, resource limitations such as processing power impede timely software updates, providing attackers with windows of opportunity to exploit known vulnerabilities.

“Thirdly, the scarcity of resources in many devices hampers the implementation of robust security measures like encryption, while the absence of user interfaces on some devices complicates monitoring and adjustment of settings,” Jones explained.

Moreover, insecure communication channels, characterized by unencrypted data transfer and outdated protocols, expose sensitive information and render devices susceptible to known exploits.

“Fragmented management across diverse ecosystems and limited visibility into device activity also pose challenges in implementing consistent security policies and addressing issues promptly,” she said.

In this dynamic landscape, evolving threats present an added layer of complexity as attackers continually devise new methods to exploit vulnerabilities, necessitating a constant struggle to stay ahead.

She pointed out the compromise of IoT devices can fuel the creation of botnets, amplifying the scale and impact of malicious activities such as distributed denial-of-service (DDoS) attacks.

John Bambenek, president at Bambenek Consulting, said network segmentation of uncontrolled or undercontrolled devices is usually one of the key oversights in many organizations.

“Making sure the manufacturer is monitored for software updates and patches being released is both an important and cheap mechanism to ensure security,” he explained.

Many of these devices also support logging to a SIEM, and those logs can then be used to write detection rules to find compromises as they occur so remediation can be quick.

He explained that the best tools professionals have in discussing IoT are case studies of near-peers who have run into issues and to convert the discussion from a technical perspective to risk.

“Boards are never going to understand the nuances of an embedded operating system, but they can understand that a competitor had an IoT breach that led to someone kicking over Active Directory and the company being down for days, causing lost revenue,” Bambenek said. “Show that the risks have been realized by others and at what cost.”