Companies operating within the industrial and energy and utilities sectors are responsible for protecting the critical infrastructure we all rely upon to live. However, these companies must also operate their businesses more effectively and efficiently to meet consumer and government expectations. To achieve these objectives, companies are leveraging new technologies, including the Internet of Things (IoT).

IoT devices cover a very broad spectrum of purpose, and companies are deploying these interconnected devices in their operations at a rapid pace. They use them to collect operational data, monitor operational technology performance, control processes at the edge, and capture consumer usage and performance. For this reason, the growth of the IoT within the industrial and energy sectors is poised to increase in the coming years, which is in line with Gartner’s prediction that there will be more than 26 billion connected devices by 2020. But along with this rapid increase in IoT devices comes a proportional increase in risk.

Internet of Threats: Securing the Internet of Things

Working with Oxford Economics, the new IBM Institute of Business Value (IBV) report, “Internet of Threats: Securing the Internet of Things for Industrial and Utility Companies,” aimed to understand how organizations protect themselves against the cybersecurity risks posed by deploying IoT technologies in their operations and factories. It also leveraged the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a common baseline to determine the capabilities needed to identify, protect, respond to and recover from IoT cyber incidents.

Oxford Economics interviewed 700 executives in 20 countries who have deployed or are in the process of deploying IoT technology in their plants and operations. Those interviewed are responsible for oversight of security and are using industrial control systems (ICS) and/or supervisory control and data acquisition (SCADA) in their operations. In total, 120 executives from the energy and utilities sector participated in the study, with 77 from power and 43 from water.

The report revealed the most common application, the most vulnerable part of deployments and the greatest cybersecurity threat perceived by the executives interviewed. Oxford Economics engaged these business leaders to share the most common type of IoT cybersecurity incident they’ve observed and what could have the highest impact to their critical business operations. They also shed light on the primary drivers for cybersecurity and how spending is aligned with IoT adoption.

What Does the Report Mean for the Energy, Environment and Utilities Sectors?

The IBM report highlighted a significant level of immaturity among many organizations when it comes to managing IoT risks. One key reason is the shortage of security professionals with the necessary knowledge to develop an effective security program for managing risks associated with the ever-changing threats within this industry. For example, energy and utilities companies are seen as targets for terrorists, nation-state actors and traditional cybercriminals due to the far-reaching impact of such attacks. As a 2017 Information Security Forum report titled “Industrial Control Systems: Securing the Systems That Control Physical Environments” stated, “In today’s modern, interconnected world, the potential impact of inadequately securing ICS can be catastrophic, with lives at stake, costs extensive and corporate reputation on the line.”

Despite these known risks, the IBV report noted how vulnerable companies still are today. As organizations invest billions to transform the way they provide their services, they must keep pace with security. The study found that, on average, these companies are spending 7 percent of their IT budgets on deploying and maintaining new IoT technologies and only 1 percent on securing IoT technologies. This is why governments are mandating more control over these environments through new regulations. Although more regulation may slow the ability to innovate and advance, it is critical to weave security into all new energy and utilities solutions to avoid a catastrophic outcome.

Addressing IoT Security Gaps

The IBV report detailed the security gaps within these industries while also providing keen insight into what security solutions companies in this sector should consider. This study is a good reference to use as a baseline for establishing a security strategy, and organizations should work with a trusted security services partner to plot a road map to help them protect their critical operations from ever-increasing threats.

Download the full report

More from Endpoint

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

3 Reasons to Make EDR Part of Your Incident Response Plan

As threat actors grow in number, the frequency of attacks witnessed globally will continue to rise exponentially. The numerous cases headlining the news today demonstrate that no organization is immune from the risks of a breach. What is an Incident Response Plan? Incident response (IR) refers to an organization’s approach, processes and technologies to detect and respond to cyber breaches. An IR plan specifies how cyberattacks should be identified, contained and remediated. It enables organizations to act quickly and effectively…