Companies operating within the industrial and energy and utilities sectors are responsible for protecting the critical infrastructure we all rely upon to live. However, these companies must also operate their businesses more effectively and efficiently to meet consumer and government expectations. To achieve these objectives, companies are leveraging new technologies, including the Internet of Things (IoT).

IoT devices serve a very broad spectrum of purposes, and companies are deploying these interconnected devices in their operations at a rapid pace. They use them to collect operational data, monitor operational technology performance, control processes at the edge, and capture consumer usage and performance. For this reason, IoT adoption within the industrial and energy sectors is poised to grow in the coming years, which is in line with Gartner’s prediction that there will be more than 26 billion connected devices by 2020. But along with this rapid increase in IoT devices comes a proportional increase in risk.

Internet of Threats: Securing the Internet of Things

The new IBM Institute of Business Value (IBV) report, “Internet of Threats: Securing the Internet of Things for Industrial and Utility Companies,” produced with Oxford Economics, aimed to understand how organizations protect themselves against the cybersecurity risks posed by deploying IoT technologies in their operations and factories. It also leveraged the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a common baseline to determine the capabilities needed to identify, protect, respond to and recover from IoT cyber incidents.

Oxford Economics interviewed 700 executives in 20 countries who have deployed or are in the process of deploying IoT technology in their plants and operations. Those interviewed are responsible for oversight of security and are using industrial control systems (ICS) and/or supervisory control and data acquisition (SCADA) in their operations. In total, 120 executives from the energy and utilities sector participated in the study, with 77 from power and 43 from water.

The report revealed the most common application, the most vulnerable part of deployments and the greatest cybersecurity threat perceived by the executives interviewed. Oxford Economics asked these business leaders to share the most common type of IoT cybersecurity incident they’ve observed and what could have the highest impact on their critical business operations. They also shed light on the primary drivers for cybersecurity and how spending is aligned with IoT adoption.

What Does the Report Mean for the Energy, Environment and Utilities Sectors?

The IBM report highlighted a significant level of immaturity among many organizations when it comes to managing IoT risks. One key reason is the shortage of security professionals with the necessary knowledge to develop an effective security program for managing risks associated with the ever-changing threats within this industry. For example, energy and utilities companies are seen as targets for terrorists, nation-state actors and traditional cybercriminals due to the far-reaching impact of such attacks. As a 2017 Information Security Forum report titled “Industrial Control Systems: Securing the Systems That Control Physical Environments” stated, “In today’s modern, interconnected world, the potential impact of inadequately securing ICS can be catastrophic, with lives at stake, costs extensive and corporate reputation on the line.”

Despite these known risks, the IBV report noted how vulnerable companies still are today. As organizations invest billions to transform the way they provide their services, they must keep pace with security. The study found that, on average, these companies are spending 7 percent of their IT budgets on deploying and maintaining new IoT technologies and only 1 percent on securing IoT technologies. This is why governments are mandating more control over these environments through new regulations. Although more regulation may slow the ability to innovate and advance, it is critical to weave security into all new energy and utilities solutions to avoid a catastrophic outcome.

Addressing IoT Security Gaps

The IBV report detailed the security gaps within these industries while also providing keen insight into what security solutions companies in this sector should consider. This study is a good reference to use as a baseline for establishing a security strategy, and organizations should work with a trusted security services partner to plot a road map to help them protect their critical operations from ever-increasing threats.
