IoT Connected Devices Pose Significant Risk to Organizations

Security flaws in connected devices are plaguing the digital landscape, impacting a broad range of industries.

According to data from Forescout, IT devices account for more than three-quarters (78%) of the affected devices, while internet-of-things (IoT) devices comprise 14% of the total vulnerable devices. Operational technology (OT) and internet-of-medical-things (IoMT) devices constitute 6% and 2%, respectively.


Nearly 80% of IT device vulnerabilities are classified as high severity, indicating significant challenges posed to IT teams, as these flaws could potentially lead to devastating attacks.

Although IoMT devices exhibit fewer vulnerabilities, 80% of those are classified as critical, posing significant risks to sensitive medical data and patient safety. More than half of the vulnerabilities found in OT and IoT devices are critical.

Another concerning trend identified across all industries is the inadequate usage of endpoint protection.

At least 10% of devices equipped with endpoint protection have it disabled, with government and financial services sectors the worst offenders; nearly a quarter of devices in these areas neglect this crucial security measure.

On a more positive note, there is some progress being made in managing risk within the government sector, with the highest risk reduction observed between 2022 and 2023.

However, concerning indicators of compromise (IoCs), such as known malicious IPs and domains, remain prevalent in government networks, accounting for 63% of all IoCs detected.

Health care and financial services sectors also face a considerable number of IoCs at 19% and 8%, respectively.

The report also sheds light on the most exposed devices on the internet, with IT network infrastructure and security appliances topping the list, while IoT devices, particularly IP cameras, are a close second, constituting nearly a quarter (23%) of all IoT devices exposed.

Network attached storage (NAS) and voice over internet protocol (VoIP) devices follow at 7% and 3%, respectively.

Office equipment like printers and NAS devices in government (19%) and OT devices in financial services (6%, largely UPS) are also at risk.

Reducing the IoT Attack Surface

Bud Broomhead, CEO at Viakoo, said Forescout deserved kudos for highlighting where organizations need to focus to contain and reduce their attack surface.

“All security teams have resource limitations and, by highlighting the most urgent security threats, Forescout is providing valuable and actionable guidance,” he said. “It’s worth noting that 13 of the 20 riskiest devices are the same as last year.”

He pointed out that while these devices themselves are known to be risky, some fault still lies with organizations that have yet to deploy mechanisms—such as automated remediation and cybersecurity hygiene—that would address those risks.

“Forescout’s analysis brings clarity to the issue of what constitutes organizational risk by reporting on the severity of vulnerabilities and not just the number of them,” Broomhead added.

For example, while IT systems account for 78% of vulnerabilities and IoT “only” 14%, the fact that more than half of IoT vulnerabilities are critical helps focus where remediation efforts need to take place.

“When you consider that IoT, OT and IoMT are forms of cyber-physical systems where exploited vulnerabilities can cause physical damage and impact, having this focus on their remediation needs is even more important,” he said.

Mike Parkin, senior technical engineer at Vulcan Cyber, explained that IoT devices could be problematic for multiple reasons.

“They’re often intended for ‘inside only’ deployments where they should never be exposed to the open internet, making security less of a priority as it’s assumed they’re much safer deep in the environment,” he said.

This can lead developers to focus on improving performance and functionality, while security is an afterthought, at best.

“Also, these often lack the compute power of a larger system which can lead to resource constraints that, in turn, put performance ahead of security,” he added. “Finally, they are often considered ‘set it and forget it’ devices, which means they may not get patched even when patches are available.”

From Broomhead’s perspective, the fact that the highest risk reduction was found in government reflects CISA’s leadership and its ability to issue Binding Operational Directives to government agencies so that action is taken on finding and remediating vulnerabilities.

“As more organizations are facing board-level attention to bringing IoT/OT threats under control, what CISA has done within the government sector can be a blueprint for further action,” he said.

White House Addresses IoT Security Concerns

And, of course, last week the White House announced an initiative in partnership with Amazon, Google and Samsung, among others, to tackle the issue of security and the IoT, though mostly with regard to consumer appliances and devices.

As Security Boulevard reported, the Biden administration and the Federal Communications Commission (FCC) unveiled a plan for a cybersecurity certification and labeling program that would make it easier for enterprises and consumers to see which smart devices are more secure and less vulnerable to attacks.

The idea is to put a “U.S. Cyber Trust Mark” logo on a broad array of wirelessly connected devices, such as smart refrigerators, microwaves, televisions and fitness trackers, that meet specific criteria laid out by the National Institute of Standards and Technology (NIST). It’s similar to other government programs, such as Energy Star, which inform consumers about devices and machines that meet certain environmental standards laid out by the Environmental Protection Agency (EPA).

The U.S. government and the private sector have discussed the issue for months.

The voluntary labeling program, which the White House expects will begin running in 2024, will give buyers a way to compare the security of competing products and act accordingly.

“This new labeling program would help provide Americans with greater assurances about the cybersecurity of the products they use and rely on in their everyday lives,” the administration said in a press release. “It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
