The Mocana Spring 2011 Device Security Report found that 64% of respondents said that attacks on smart devices already required the regular attention of their IT staff, or would this year. The San Francisco-based company surveyed 15,000 IT professionals in its customer database.
“There is anxiety about the security of smart devices, but it is not stopping enterprises from utilizing and widely deploying them”, Adrian Turner, chief executive officer of Mocana, told Infosecurity.
Mocana defines smart devices as non-PC devices – such as machine-to-machine and industrial control automation, smartgrid technology, medical and automobile electronics, and smartphones – that connect to the internet. “We view a smart device as anything that is connected to a network and that is either directly or indirectly IP addressable”, Turner explained.
Enterprises appear to be saying, “We know there’s a problem but we are going ahead in any event and deploying these smart devices and mobile devices and keeping our fingers crossed”, Turner said, adding, “That has really big business implications and potentially liability implications. If something goes wrong and there is a general approach in the market place that, ‘Yes, we know these devices are insecure but we are going to deploy them’, this raises questions about when something goes wrong, who is ultimately responsible.”
A full 63% of respondents to the survey said their organization had already deployed smart devices, and 54% said that security issues around non-PC devices had already caused disruption to their networks.
“The security model of anti-virus protection and scanning a system doesn’t work for the threat landscape of today, particularly for these classes of devices”, Turner said.
In addition, 73% of those surveyed believe a significant attack on non-PC devices is imminent in the next 24 months. Yet a majority of respondents said their organizations still did not regularly update or patch against smart device threats.
“Patching is a huge issue. The challenge you have with some of these smart devices is you’ve got other people in the value chain, like a service provider or a carrier, that also want to communicate with the device and deliver patches…. You’ve got a set of patches delivered by the carrier and patches that the enterprise controls; it is a hugely complex problem”, Turner explained.
“In medical devices, you’ve got regulation. The FDA [Food and Drug Administration] views a medical device patch as a medical device that has to go through a 90-day certification process before it can be delivered to the device. So you’ve got medical devices being unplugged from the wall, patches going through the certification process and being delivered to the device, and then months later the device being plugged back into the wall. The system is broken”, he stressed.
Turner favors a mandatory patch system for smart device critical patches, so that end users do not have a choice about patching their systems. “The reality is that a single device…can create vulnerabilities for the network as a whole,” he concluded.