How Much Do Organizations Understand the Risk Exposure of IoT Devices?

Deloitte and Dragos, Inc. share top risks to organizations in current IoT environment

New York, August 1, 2019

Key takeaways

  • In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work. Organizations should better understand how to manage the risks created by the known and unknown Internet of Things (IoT) and Industrial IoT (IIoT) devices.
  • Security-by-design saves time: It takes longer to retroactively fix issues than it does to do it correctly the first time when building the product.
  • Security-by-design reduces cost: It costs more to mitigate the risk of vulnerability exploitation than to implement security in the beginning.
  • According to a recent Deloitte poll, nearly half of respondents (48 percent) realized that, when developing or deploying secure-by-design connected products and/or devices, it is imperative that both of these conditions exist:
    • DevSecOps embedded throughout the design/acquisition, implementation, and deployment lifecycle.
    • Cross-functional technology that includes teaming with legal, procurement and compliance across pre- and post-market deployments.

Why it matters?
The number of cyberattacks, data breaches and overall business disruptions caused by unsecured IoT/IIoT devices is increasing because many companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies.

IoT and IIoT are a set of business and technology innovations that offer many compelling benefits, but they also present significant cybersecurity risks and a greatly expanded attack surface. Mitigating these risks by understanding IoT/IIoT platform security can help organizations realize greater potential and benefits of these innovations.

The following top risks were outlined by leaders from Deloitte Risk & Financial Advisory’s cyber practice and Dragos in a recent Deloitte Dbriefs webcast, The Internet of Things and cybersecurity: A secure-by-design approach:

Top 10 security risks the current IoT environment poses:

  1. Not having a security and privacy program
  2. Lack of ownership/governance to drive security and privacy
  3. Security not being incorporated into the design of products and ecosystems
  4. Insufficient security awareness and training for engineers and architects
  5. Lack of IoT/IIoT and product security and privacy resources
  6. Insufficient monitoring of devices and systems to detect security events
  7. Lack of post-market/implementation security and privacy risk management
  8. Lack of visibility of products or not having a full product inventory
  9. Identifying and treating risks of fielded and legacy products
  10. Inexperienced/immature incident response processes

Key quotes

Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind. Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.

Sean Peasley, a partner in Risk & Financial Advisory and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP

Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing. There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable.

Robert M. Lee, CEO at Dragos Inc.

About the online poll
More than 4,200 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, “The Internet of Things and cybersecurity: A secure-by-design approach” held May 30, 2019. Answer rates differed by question.

A majority (81 percent) of respondents indicated that information security is accountable for the securing of connected products in their organization. The information security team is still primarily where boards look to drive their cyber agenda, but as the 2019 Future of Cyber survey indicates, cyber is becoming everyone’s responsibility. It is critical to understand that if you are the plant manager, you likely have the responsibility for the safety and liability of the operation. But the challenge is that everyone does have a role to play. Ultimately, the CEO is going to be held accountable.

Organizational confidence in security
How confident are respondents that their organizations’ connected products, devices, or other "things" are secure today? Not very. More than half of respondents (51 percent) were somewhat confident, while 23 percent were uncertain or somewhat not confident, with only 18 percent feeling very confident in their organizations’ ability to secure connected products and devices. This may be the result of an overall lack of standardization across industries for security and awareness of cyber risks and connected devices.

Guidance for security-by-design
A positive revelation in the poll results was that 41 percent of respondents indicated that they look to industry and professional organizations for guidance in driving security-by-design within their organizations. Another 28 percent said that they look first to regulatory bodies and agencies that set the standards, and 22 percent indicated their leading practices were developed internally for providing that guidance in driving security-by-design.

According to Peasley and Lee, it is a favorable strategy for organizations to understand leading practices and standards of peer organizations first, and then look to the regulatory bodies that are starting to shape standards and regulations and help inform the standards and regulations that are to come.

These results conflict with another question regarding whether their product teams use a defined set of product cybersecurity requirements as input for requirements selection. Twenty-eight percent use an industry-defined framework, and 41 percent indicated a custom framework, while 30 percent of respondents indicated “No,” that they didn’t use a defined set of requirements. The results of this question indicate there is still much work to do across the industry to influence and inform on standards for cybersecurity.

Media contact:

Nicole Hockin
Public Relations
Deloitte & Touche LLP
+1 303 305 3074
