IoT systems in business and operational environments have increased the attack surface and introduced new risks to the confidentiality, integrity and availability of critical data and systems at many enterprises.
Security leaders need to update their organization’s threat profile to account for these risks and implement a formal plan for proactively managing them. Otherwise they risk becoming soft targets for adversaries looking to exploit vulnerable IoT environments to spy, steal data, launch distributed denial of service (DDoS) attacks, escalate privileges and disrupt operations in other ways, analysts say.
“IoT devices present a unique risk because organizations typically have hundreds of these devices on their IT and OT [operational technology] networks each expanding the attack surface and increasing organizational risk,” says Kyle Miller, chief engineer and senior associate at Booz Allen Hamilton.
In recent years, internet-connected devices have proliferated within traditional IT and in operational environments. Organizations looking to remake themselves as connected enterprises have deployed IoT sensors and devices on plant floors, on equipment, in the field and elsewhere resulting in a massive data deluge.
Within enterprises, everything from facilities management and security monitoring systems to printers and lighting systems are being connected to the internet. Analysts expect that over the next few years, enterprises will deploy billions of IoT devices to support myriad use cases. That will force organizations to reconsider the following factors when developing their threat models.