Securing the endpoint is the biggest concern for respondents to a new SANS Institute paper on the Industrial Internet of Things (IIoT), with patching a persistent challenge.
The 2018 SANS Industrial IoT Security Survey includes responses from over 200 security, IT and OT professionals in organizations ranging in size from fewer than 1,000 to over 50,000 employees.
A majority (56%) cited patching problems as one of their biggest security challenges, with only 40% claiming to apply and maintain security updates to protect IIoT systems.
In fact, there appeared to be confusion over what constituted an endpoint in the IIoT sphere, leading the report authors to call for a “cultural change” in how industrial organizations approach security risk.
“The discrepancy in defining IIoT endpoints is the basis for some of the confusion surrounding responsibility for IIoT security. Many practitioners likely are not adequately identifying and managing the numerous assets that in some way connect to networks — and present a danger to their organizations,” argued co-author Doug Wylie.
“For this reason, it is important for company IT and OT groups to agree to a common definition to help ensure they adequately identify security risks as they evolve their systems to adapt to new architectural models.”
The findings are concerning given the growth of IIoT, which presents hackers with an ever-expanding attack surface.
SANS found that most organizations globally are forecasting a 10%-25% growth in the volume of connected devices, which will lead to a doubling in size of systems connected to these devices every three to seven years, the report claimed.
Worryingly, a third (32%) of respondents said that IIoT devices connect directly to the internet, and are therefore not protected by current security controls. Nearly 40% revealed that identifying, tracking and managing devices was a significant security challenge.