It’s only a matter of time before a high-profile IoT cybersecurity breach results in penalties and fines being levied that are simply too high to ignore.
The Internet of Things (IoT) world received the proverbial warning shot across the bow this week when researchers revealed they have discovered 11 vulnerabilities in the VxWorks real-time operating system from Wind River that could potentially impact as many as 200 million devices.
More troubling still, many of the operating systems these devices are running were initially developed long before the development teams that first built them had a greater appreciation for cybersecurity.
Wind River says it worked closely with Armis, an IT security firm, to make sure patches are available to address these vulnerabilities before publicly disclosing them. The challenge is that not only are there millions of these devices to update, but many organizations might not even be aware of precisely where these devices are located because they were installed by operations teams years ago.
It’s now only a matter of time before organizations routinely find themselves trying to patch operating systems installed, in some cases, on thousands of devices, says Stan Lowe, global chief information security officer for Zscaler, a provider of cloud-based cybersecurity software and services.
“This is just the tip of the iceberg,” says Lowe.
A survey of more than 3,000 IoT decision-makers published this week by Microsoft suggests organizations are at least starting to fully appreciate the scope of the cybersecurity challenge they now face. A full 97% of the survey respondents admitted they have security concerns when implementing IoT. Those concerns, however, don’t appear to be holding back IoT projects. A total of 85% of the survey respondents have implemented at least one or more IoT projects.
It’s fairly obvious that the potential productivity gains that might be derived from investing in an emerging technology are once again trumping the attendant cybersecurity risks. Cybersecurity professionals will find themselves trying to patch applications and systems long after they have been deployed in production environments. The challenge many of them will face is that, because all these systems are interconnected, it becomes much easier for malware to propagate laterally across the entire IoT environment. Worse yet, that malware could also theoretically leap from IoT systems into back-office IT environments.
The good news is organizations ranging from the National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, to the Global Cybersecurity Alliance, an arm of the 45-year-old International Automation Alliance (ISA), are now all moving to address various aspects of cybersecurity. The trouble is the fruits of those efforts are not likely to manifest themselves in a way that will have a meaningful impact on the billions of embedded systems already installed. Most organizations are going to have to make difficult investment decisions about the degree to which it’s going to be worth patching those systems on a regular basis versus replacing them with a more modern system that has more robust cybersecurity capabilities.
Regardless of the path chosen, IoT cybersecurity is quickly becoming an expensive proposition. Those costs may not have risen to the point where they are giving organizations cause for IoT pause. However, it’s only a matter of time before one or more high-profile IoT cybersecurity breaches result in penalties and fines being levied that are simply too high to ignore.