Companies operating within the industrial and energy and utilities sectors are responsible for protecting the critical infrastructure we all rely upon to live. However, these companies must also operate their businesses more effectively and efficiently to meet consumer and government expectations. To achieve these objectives, companies are leveraging new technologies, including the Internet of Things (IoT).

IoT devices cover a very broad spectrum of purpose, and companies are deploying these interconnected devices in their operations at a rapid pace. They use them to collect operational data, monitor operational technology performance, control processes at the edge, and capture consumer usage and performance. For this reason, the growth of the IoT within the industrial and energy sectors is poised to increase in the coming years, which is in line with Gartner’s prediction that there will be more than 26 billion connected devices by 2020. But along with this rapid increase in IoT devices comes a proportional increase in risk.

Internet of Threats: Securing the Internet of Things

Working with Oxford Economics, the new IBM Institute of Business Value (IBV) report, “Internet of Threats: Securing the Internet of Things for Industrial and Utility Companies,” aimed to understand how organizations protect themselves against the cybersecurity risks posed by deploying IoT technologies in their operations and factories. It also leveraged the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a common baseline to determine the capabilities needed to identify, protect, respond to and recover from IoT cyber incidents.

Oxford Economics interviewed 700 executives in 20 countries who have deployed or are in the process of deploying IoT technology in their plants and operations. Those interviewed are responsible for oversight of security and are using industrial control systems (ICS) and/or supervisory control and data acquisition (SCADA) in their operations. In total, 120 executives from the energy and utilities sector participated in the study, with 77 from power and 43 from water.

The report revealed the most common application, the most vulnerable part of deployments and the greatest cybersecurity threat perceived by the executives interviewed. Oxford Economics engaged these business leaders to share the most common type of IoT cybersecurity incident they’ve observed and what could have the highest impact to their critical business operations. They also shed light on the primary drivers for cybersecurity and how spending is aligned with IoT adoption.

What Does the Report Mean for the Energy, Environment and Utilities Sectors?

The IBM report highlighted a significant level of immaturity among many organizations when it comes to managing IoT risks. One key reason is the shortage of security professionals with the necessary knowledge to develop an effective security program for managing risks associated with the ever-changing threats within this industry. For example, energy and utilities companies are seen as targets for terrorists, nation-state actors and traditional cybercriminals due to the far-reaching impact of such attacks. As a 2017 Information Security Forum report titled “Industrial Control Systems: Securing the Systems That Control Physical Environments” stated, “In today’s modern, interconnected world, the potential impact of inadequately securing ICS can be catastrophic, with lives at stake, costs extensive and corporate reputation on the line.”

Despite these known risks, the IBV report noted how vulnerable companies still are today. As organizations invest billions to transform the way they provide their services, they must keep pace with security. The study found that, on average, these companies are spending 7 percent of their IT budgets on deploying and maintaining new IoT technologies and only 1 percent on securing IoT technologies. This is why governments are mandating more control over these environments through new regulations. Although more regulation may slow the ability to innovate and advance, it is critical to weave security into all new energy and utilities solutions to avoid a catastrophic outcome.

Addressing IoT Security Gaps

The IBV report detailed the security gaps within these industries while also providing keen insight into what security solutions companies in this sector should consider. This study is a good reference to use as a baseline for establishing a security strategy, and organizations should work with a trusted security services partner to plot a road map to help them protect their critical operations from ever-increasing threats.

Download the full report

More from Energy & Utility

Today’s biggest threats against the energy grid

2 min read - Without the U.S. energy grid, life as we know it simply grinds to a halt. Businesses can’t serve customers. Homes don’t have power. Traffic lights no longer work. We depend on the grid operating reliably each and every day for business and personal tasks. That makes it even more crucial to defend our energy grid from modern threats. Physical threats to the energy grid Since day one, the grid has been vulnerable from a physical perspective. Storms knocking the grid…

2022 industry threat recap: Energy

3 min read - In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023. This puts energy in fourth place overall — the same as the year prior and behind manufacturing, finance and insurance and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback from highly public breaches in 2021, such as the Colonial Pipeline attack. Despite the overall drop in threats, however, the industry remains…

X-Force 2022 insights: An expanding OT threat landscape

9 min read - This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT asset owners and operators, all of whom understand the need to keep critical infrastructures running safely, need to be aware…

One Year After the Colonial Pipeline Attack, Regulation Is Still a Problem

3 min read - The Colonial Pipeline cyberattack is still causing ripples. Some of these federal mandates may mark major changes for operational technology (OT) cybersecurity. The privately held Colonial Pipeline company, which provides nearly half of the fuel used by the East Coast — gasoline, heating oil, jet fuel and fuel for the military totaling around 100 million gallons a day — was hit by a double-extortion ransomware attack by a DarkSide group in May of 2021.  In reaction, the company shut down…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today