This week, we have a guest post from Christian Koch, Senior Manager GRC & IoT/OT at NTT Security.

From state-sponsored hacking campaigns to smart home vulnerabilities, the IoT world is increasingly dominated by cybersecurity challenges. Awareness of the potential implications needs to improve not only among consumers but also at a corporate level, where IT/OT siloes, supply chain risk and a continued focus on functionality over security threaten to play into the hands of attackers.

On the rise

The IoT scare stories are hitting the headlines thick and fast these days. Although attacks on conventional IT systems are arguably more numerous, the potential impact of IoT threats will ensure they get top billing. We’re not just talking about data theft and privacy concerns here, but potential physical harm to critical infrastructures and the people that rely on them.

A new report claims Russian hackers have infiltrated hundreds of US electric facilities in a long-running campaign. Previous alarms have been raised by the UK’s National Cyber Security Centre (NCSC) about similar attacks on British telecommunications, media and energy sectors. That’s not to mention the now-infamous attacks on Ukrainian energy providers that left hundreds of thousands without power in December 2015 and 2016.

Compared to these, reports of vulnerabilities in connected cars, smart CCTV cameras and baby monitors might seem like small fry, but they represent a real and growing threat to all of us.

When it comes to consumer IoT, the onus must be on the manufacturer to take a lead. There are clear signs that security and privacy concerns are holding back investments in the smart home — meaning there’s a real opportunity for those vendors with the ambition to differentiate on security.

IT versus OT

But what happens in the enterprise? Companies are increasingly exposed not just via their SCADA systems but also the growing number of connected appliances and building components in offices and facilities. Has that smart fridge in the boardroom been approved by IT? How about the connected lift, fire alarm or air conditioning system? Too often the focus for security teams is on the traditional endpoint and server infrastructure. We want to benefit from the efficiencies that connected systems bring us without bringing them into the corporate security sphere.

Part of the challenge here is the traditional barrier between IT and OT teams. While the former concentrates first on the integrity and confidentiality of components, the latter is solely focused on availability. So, when they come together, they speak the same language yet don’t understand each other. Organizations must get better at breaking down these siloes if they want to safeguard IoT systems. They must also pay more attention to the growing risks presented by the complex supply chain. Like many manufacturers, maintenance firms are more interested in functionality than security.

Out with the old

There is hope for the future, in that we’ll slowly start to see a new breed of OT professionals coming through who are more digitally savvy and cyber risk aware. But as long as the old equipment still stands, there will be challenges. Monolithic SCADA systems are often built and never updated because of the costs and complex dependencies involved. A one-day maintenance window is more likely to be used for functionality updates than security patches. Yet as they’re fitted with connectivity, they become unwittingly exposed to the outside world.

Against this backdrop, it’s vital for organizations to gain visibility into IoT systems at the network and application layers, understanding what normal behavior looks like so they can spot the signs of potential attacks. But the bigger picture demands a focus on security over functionality. The BSI’s new IoT kitemark is a welcome move, helping buyers identify products they can trust to be reliable and secure. Hopefully in the next 5-10 years, secure IoT products will be the rule rather than the exception.

To find out more, listen to Christian Koch in conversation with Enterprise Times’ Ian Murphy.