Confusion over who is responsible for IIoT end point security, reveals SANS survey

Arun Shankar
August 5, 2018 3:55 pm

Organisations hold disparate and unrealistic views on protecting the Industrial Internet of Things IIoT, in which endpoints are considered to be the most vulnerable aspects, despite confusion over what actually constitutes an endpoint. These are the key findings of the 2018 SANS Industrial IoT Security Survey report, which examines the security concerns around the rapidly growing use of IIoT.

IIoT is the subset of the Internet of Things that focuses specifically on the industrial application of connected physical devices within critical infrastructure such as electricity, manufacturing, oil and gas, transportation and healthcare. The installed base of IoT devices is forecast to triple from 23.1 Billion in 2018 to 75.4 Billion in 2025.

“The industrial and manufacturing organisations in the Middle East are aligned with the global trend of leveraging IIoT to drive innovation in areas such as data analytics, process optimisation, automation, and artificial intelligence. What is more, because they are not hindered by legacy IT infrastructures, they have a greater ability to innovate at a faster pace. What organisations must not fail to do is to understand and evaluate the security implications of IIoT, as the effects of poor IIoT security could be far reaching,” explained Ned Baltagi, Managing Director, Middle East and Africa at SANS.

The SANS report found that most organisations globally are forecasting 10 to 25% growth in their connected devices. This growth rate will cause the systems connected to IIoT devices to double in size roughly every three to seven years. This will ultimately result in increased network complexity as IT and OT become more connected, more demand for bandwidth, and the need for personnel skilled in best security practices related to the design, build and operation of IIoT systems.

Of over 200 respondents surveyed, more than half reported the most vulnerable aspects of their IIoT infrastructure as data, firmware, embedded systems, or general endpoints. At the same time, however, the survey reveals an ongoing debate over the definition of an endpoint.

According to Doug Wylie, Director of the Industrials and Infrastructure Business Portfolio at SANS Institute, “The discrepancy in defining IIoT endpoints is the basis for some of the confusion surrounding responsibility for IIoT security.”

“Many practitioners likely are not adequately identifying and managing the numerous assets that in some way connect to networks, and present a danger to their organisations,” he adds. “For this reason, it is important for company IT and OT groups to agree to a common definition to help ensure they adequately identify security risks as they evolve their systems to adapt to new architectural models.”

The survey also uncovered a wide gap between the perceptions of IIoT security by OT, IT and management, with only 64% of OT departments claiming to be confident in their ability to secure IIoT infrastructure, compared to 83% of IT departments and 93% of business leaders.

“The report highlights a real disparity across organisations in the level of confidence as to how secure the IIoT really is,” said Barbara Filkins, SANS Analyst Programme Research Director and survey report author. “This disparity represents the need for a major cultural change in how industrial organisations must approach the security risks in a world of IIoT.”

Key takeaways

  • The discrepancy in defining IIoT endpoints is basis for confusion surrounding responsibility for IIoT security.
  • Most organisations globally are forecasting 10 to 25% growth in their connected devices.
  • More than half reported the most vulnerable aspects of IIoT infrastructure are data, firmware, embedded systems, endpoints.
  • Practitioners are not managing assets that in some way connect to networks and present danger to organisations.
  • It is important for company IT and OT groups to agree to identify security risks as they evolve systems to new architectural models.
  • The survey uncovered wide gap between perceptions of IIoT security by OT, IT and management.
  • 64% of OT departments claimed to be confident to secure IIoT infrastructure compared to 83% of IT departments and 93% of business leaders.
  • The report highlights real disparity across organisations in how secure IIoT really is.
  • Need for cultural change in how industrial organisations approach security risks in a world of IIoT.

Key findings

  • 32% of IIoT devices connect directly to the Internet, bypassing security layers
  • 40% said managing devices represented significant security challenge
  • 40% reported applying patches to protect IIoT devices
  • 56% cited difficulty in patching as one of greatest security challenges

Survey snapshot

  • Sample size 200+
  • Industries represented include energy, utilities, cybersecurity, government, public sector, oil and gas production, delivery, and manufacturing.
  • Organisations size from less than 1,000 to over 50,000
  • Respondent roles mainly security administrator, analyst, security manager, director, other IT roles and OT roles.

 

Tags: