Growing Industrial IoT endpoint security concerns

The Industrial Internet of Things (IIoT) thrown several new concerns regarding security leading to much confusion about what constitutes an endpoint and unrealistic perspectives on protecting systems and data, according to the 2018 SANS Industrial IoT Security Survey report.

More than half of those taking the SANS survey reported that the most vulnerable aspects of their infrastructure are data, firmware, embedded systems or general endpoints. At the same time, respondents indicated that the debate continues over the definition of an IIoT endpoint.

Barbara Filkins

“What really jumped out was the disparity in confidence as to how secure IIoT really is,” said Barbara Filkins, SANS Analyst Program Research Director and survey report author. “This disparity represents a major cultural change in how industrial organizations must approach the security risks in a world of IIoT.”

The survey uncovered other potential endpoint issues. For example, only 40% said they apply and maintain patches and updates to protect IIoT devices and systems, and 56% noted difficulty in patching as one of the greatest security challenges. Almost 40% said identifying, tracking and managing devices represented another significant security challenge.

Finally, the survey unveiled a chasm between the OT, IT and management perceptions of IIoT security. Only 64% of OT departments reported being somewhat-confident or confident in their ability to secure their IIoT infrastructure, as opposed to 83% of IT department respondents and 93% of company leaders.

“The discrepancy in defining IIoT endpoints is the basis for some of the confusion surrounding responsibility for IIoT security,” according to Doug Wylie, Director of the Industrials & Infrastructure Business Portfolio at SANS Institute. “Many practitioners likely are not adequately identifying and managing the numerous assets that in some way connect to networks—and present a danger to their organizations. For this reason, it is important for company IT and OT groups to agree to a common definition to help ensure they adequately identify security risks as they evolve their systems to adapt to new architectural models.”