How Much Do Organizations Understand the Risk Exposure of IoT Devices?
Deloitte and Dragos, Inc. Share Top Risks to Organizations in Current IoT Environment
- In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work. Organizations should better understand how to manage the risks created by known and unknown Internet of Things (IoT) and Industrial IoT (IIoT) devices.
- Security-by-design saves time: it takes longer to retroactively fix issues than it does to do it correctly the first time when building the product.
- Security-by-design reduces cost: it costs more to mitigate the risk of vulnerability exploitation than to implement security in the beginning.
- According to a recent Deloitte poll, nearly half of respondents (48%) realized it is imperative, when developing or deploying secure-by-design connected products and/or devices, that both of these conditions exist:
- DevSecOps embedded throughout the design/acquisition, implementation, and deployment lifecycle.
- Cross-functional technology that includes teaming with legal, procurement and compliance across pre- and post-market deployments.
Why it matters?
The number of cyberattacks, data breaches and overall business disruption caused by unsecured IoT/IIoT devices are increasing because many companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies.
IoT and IIoT are a set of business and technology innovations that offers many compelling benefits, but they also present significant cybersecurity risks and a greatly expanded attack surface. Mitigating these risks by understanding IoT/IIoT platform security can help organizations realize greater potential and benefits of these innovations.
Why is security-by-design important?
Deloitte and Dragos are teaming on a number of client initiatives to help organizations embed a security-by-design approach and to manage the risk of industrial control systems (ICS) and operational technology (OT) environments by enabling them to better monitor and assess threats. Organizations can benefit from a better understanding of threats in this environment, which can then be used to develop and embed cybersecurity strategies into organizational and technology strategy.
Security-by-design (for designing an IoT/IIoT product) is about incorporating cybersecurity practices by default into the product’s design as well as (for onboarding an acquired IoT/IIoT product) incorporating cybersecurity practices by default into the environment in which the IoT product is implemented.
Beyond securing ICS and OT systems, this combination of cyber risk services and technologies can provide a more complete picture of an organization’s ICS and OT threat landscape through active monitoring that can better inform scenario planning and response.
The following top risks were outlined by leaders from Deloitte Risk & Financial Advisory’s cyber practice and Dragos in a recent Deloitte Dbriefs webcast, The Internet of Things and cybersecurity: A secure-by-design approach:
Top 10 security risks the current IoT environment poses
- Not having a security and privacy program
- Lack of ownership/governance to drive security and privacy
- Security not being incorporated into the design of products and ecosystems
- Insufficient security awareness and training for engineers and architects
- Lack of IoT/IIoT and product security and privacy resources
- Insufficient monitoring of devices and systems to detect security events
- Lack of post-market/ implementation security and privacy risk management
- Lack of visibility of products or not having a full product inventory
- Identifying and treating risks of fielded and legacy products
- Inexperienced/immature incident response processes
“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind. Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.”
– Sean Peasley, a partner in Risk & Financial Advisory and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP
“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing. There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable.”
– Robert M. Lee, CEO at Dragos Inc.