Critical infrastructure executives complacent about IoT security, study shows

A survey reveals there is little concern about the security of energy firms' devices on the internet of things (IoT) despite the risks

Only 8% of IT professionals in the energy sector are concerned about cyber criminals attacking industrial controllers, which are increasingly being connected to the internet, a study has revealed.

Yet 88% are not confident in the secure configuration of their industrial controllers, according to a survey of IT professionals and executives from energy, retail and financial services organisations in the UK and US.

And fewer than one in four IT professionals are confident in the secure configuration of internet of things (IoT) devices that are already on enterprise networks.

These IoT devices include internet phones, sensors for physical security, smart controllers for lights, heating, ventilation and air conditioning, point-of-sale devices and industrial controllers.

Nearly a quarter of critical infrastructure employees polled by Atomik Research for security firm Tripwire said they had already connected an IoT device to their company network.

The study did not include smartphones, tablets or laptops because Tripwire said the security risks associated with these devices are relatively well understood.

Employees who work from home also have an average of 11 internet-connected devices on their home networks, according to the Enterprise of Things whitepaper on the impact of IoT devices on enterprise security.

Misunderstanding the risks

And while 6% of executives expect that business efficiencies and productivity will force them to adopt IoT devices despite the security risks, only 46% say the risks associated with IoT have the potential to become the most significant risk on their networks.

The 2014 Trustwave Global Security Report identifies retailers as the top industry target for cyber criminals, accounting for 35% of the attacks studied.

However, nearly half of retail IT professionals polled for the Tripwire study said they were “not concerned” about cyber criminals targeting IoT devices on their network.

Research firm IDC anticipates there will be over 28 billion IoT devices installed by 2020, up from an estimated 9.1 billion at the end of 2013.

These devices are expected to deliver an overall global economic value add of $1.9tn, of which 80% will be derived from services.

While the IoT marketplace is lucrative, new devices will open additional attack vectors for enterprise networks, according to Tripwire.

“The reason many enterprises are relatively ‘unconcerned’ about the security of IoT devices is because they misunderstand the risk,” said Chris Conacher, security development manager at Tripwire.

“They may believe they have ‘solved’ the security problem, when they have not. Alternatively, they may believe there is no security problem when there is.”

Strategic dangers

According to Conacher, organisations often believe they have nothing of value that would interest an attacker, but this is rarely true.

“For attackers there is always something to be gained, and they’re not always looking for data that has financial value,” he said.

Conacher said attackers commonly target information that can be used to create the illusion of legitimacy for phishing campaigns, or user credentials that can be used to gain access to a connection point from which to attack a corporate partner.

Paul Simmonds, Global Identity Foundation chief, said the study highlights the need to build security and identity into the internet of things in a standard way, so IoT devices can be put into whichever environment is required – home, business or national critical infrastructure.

“A plethora of cloud-based solutions unique to each manufacturer, supplier or even device will lead to chaos and insecurity,” he said.

Craig Young, security researcher at Tripwire, said it is far more likely that employees will be infected with malware outside the enterprise.

“Employees routinely download suspicious apps from third-party app stores and then connect to the corporate network over a cheap home router with dubious firmware,” he said.

According to Young, the risk of cross contamination from home networks can be very serious unless security controls are enforced.

“Unfortunately, most people assume that virtual private networks (VPNs) solve all remote connection problems, but this is just not true,” he said.

Consumer devices

Young points out that while consumer-focused IoT devices present minimal direct risk to the enterprise, many of them connect back to a supplier’s infrastructure via the internet to store user data.

“Successful attacks against these back-end infrastructures provide attackers with user credentials and other information that could enable them to gain a foothold into an employee’s home network.

“From there it’s entirely possible for an attacker to install keyloggers or other malware designed to steal the user credentials necessary to log into corporate networks. In general, people seriously underestimate how easily attackers can move around inside networks once they gain access,” he said.
