At Your Own Risk: Managing Internet of Things (IoT) Risks for Industrial and Utility Companies
Companies operating within the industrial and energy and utilities sectors are responsible for protecting the critical infrastructure we all rely upon to live. However, these companies must also operate their businesses more effectively and efficiently to meet consumer and government expectations. To achieve these objectives, companies are leveraging new technologies, including the Internet of Things (IoT).
IoT devices serve a very broad range of purposes, and companies are deploying these interconnected devices in their operations at a rapid pace. They use them to collect operational data, monitor operational technology performance, control processes at the edge, and capture consumer usage and performance. For this reason, IoT adoption within the industrial and energy sectors is poised to grow in the coming years, which is in line with Gartner’s prediction that there will be more than 26 billion connected devices by 2020. But along with this rapid increase in IoT devices comes a proportional increase in risk.
Internet of Threats: Securing the Internet of Things
Produced in collaboration with Oxford Economics, the new IBM Institute of Business Value (IBV) report, “Internet of Threats: Securing the Internet of Things for Industrial and Utility Companies,” aimed to understand how organizations protect themselves against the cybersecurity risks posed by deploying IoT technologies in their operations and factories. It also leveraged the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a common baseline to determine the capabilities needed to identify, protect, respond to and recover from IoT cyber incidents.
Oxford Economics interviewed 700 executives in 20 countries who have deployed or are in the process of deploying IoT technology in their plants and operations. Those interviewed are responsible for oversight of security and are using industrial control systems (ICS) and/or supervisory control and data acquisition (SCADA) in their operations. In total, 120 executives from the energy and utilities sector participated in the study, with 77 from power and 43 from water.
The report revealed the most common application, the most vulnerable part of deployments and the greatest cybersecurity threat perceived by the executives interviewed. Oxford Economics engaged these business leaders to share the most common type of IoT cybersecurity incident they’ve observed and what could have the highest impact on their critical business operations. They also shed light on the primary drivers for cybersecurity and how spending is aligned with IoT adoption.
What Does the Report Mean for the Energy, Environment and Utilities Sectors?
The IBM report highlighted a significant level of immaturity among many organizations when it comes to managing IoT risks. One key reason is the shortage of security professionals with the necessary knowledge to develop an effective security program for managing risks associated with the ever-changing threats within this industry. For example, energy and utilities companies are seen as targets for terrorists, nation-state actors and traditional cybercriminals due to the far-reaching impact of such attacks. As a 2017 Information Security Forum report titled “Industrial Control Systems: Securing the Systems That Control Physical Environments” stated, “In today’s modern, interconnected world, the potential impact of inadequately securing ICS can be catastrophic, with lives at stake, costs extensive and corporate reputation on the line.”
Despite these known risks, the IBV report noted how vulnerable companies still are today. As organizations invest billions to transform the way they provide their services, they must keep pace with security. The study found that, on average, these companies are spending 7 percent of their IT budgets on deploying and maintaining new IoT technologies and only 1 percent on securing IoT technologies. This is why governments are mandating more control over these environments through new regulations. Although more regulation may slow the ability to innovate and advance, it is critical to weave security into all new energy and utilities solutions to avoid a catastrophic outcome.
Addressing IoT Security Gaps
The IBV report detailed the security gaps within these industries while also providing keen insight into what security solutions companies in this sector should consider. This study is a good reference to use as a baseline for establishing a security strategy, and organizations should work with a trusted security services partner to plot a road map to help them protect their critical operations from ever-increasing threats.