IT experts call for a bill of materials (SBOM) for device software in IoT Security Report 2022

Industrial controls, production and the smart home are often “insufficiently” protected against hackers


Düsseldorf/Germany, May 12, 2022 – Shampoo, cookies, canned soup and medicines all have one thing in common: the listing of all ingredients on the package and their traceability back through the manufacturer to the producer of the individual ingredient. Important smart industrial controls, intelligent production plants and devices such as routers, network cameras, printers and many others bring their firmware with operating systems and applications directly along – without a precise proof of the software components contained. Often this means immense risks of infestation by hackers and data thieves in companies using these controls and devices.

As part of the “IoT Security Report 2022” study, 75 percent of the 318 IT industry professionals and executives surveyed in consequence advocate a precise proof of all software components, the so-called “Software Bill of Materials” (SBOM) for all components, including all software contained in an endpoint.

“Within the scope of our research over the past few years, virtually all devices connected to a network have contained sometimes more, sometimes less hidden flaws in the firmware and applications, an accurate content statement of software components is therefore extremely important for an organization’s IT to verify and maintain security levels,” says Jan Wendenburg, CEO of ONEKEY (formerly IoT Inspector).

The company has developed a fully automated security and compliance analysis for the software of control systems, production equipment and smart devices and makes it available as an easy-to-integrate platform for companies and hardware manufacturers.

Manufacturers neglect security

As a result, there is not much confidence in the manufacturer-side security of IoT devices: 24 percent of the 318 respondents consider this to be “not sufficient”, with a further 54 percent considering it to be “partially sufficient” at most. Hackers keep an eye on vulnerable devices for some time now – and the trend is rising. 63 percent of IT experts confirm that hackers are already misusing IoT devices as a gateway into networks.
In companies in particular, confidence in the security measures around IoT is low: only a quarter of the 318 respondents see complete security guaranteed by their own IT department, while 49 percent see it as only “partially sufficient”. And 37 percent of IT professionals surveyed for the IoT Security Report 2022 have already experienced security-related incidents with endpoints that are no normal PC clients.

“The risk is constantly increasing as connected manufacturing continues to expand. In general, the number of networked devices is expected to double in a few years,” says Jan Wendenburg of ONEKEY. In addition to the automatic analysis platform for checking device firmware, the company also operates its own test lab, where the hardware of major manufacturers is tested and vulnerability reports, so-called advisories, are published on a regular basis.

Unclear responsibilities in companies

Another risk: industrial control systems, production facilities and other smart infrastructure endpoints are often in company use for more than ten years. Without compliance strategies, however, there are usually no update policies in most companies either. In addition, often there is a very unclear situation around responsibilities: among the 318 company representatives surveyed, a wide variety of people and departments are responsible for IoT security.

These range from CTO (16 percent) to CIO (21 percent) to Risk & Compliance Manager (22 percent) to IT Purchasing Manager (26 percent). In 21 percent of the companies, external consultants even handle the purchasing of IoT devices and systems. By contrast, only 23 percent perform the simplest security check – an analysis and testing of the included firmware for security vulnerabilities.

“This is negligent. An examination of the device software takes a few minutes only, and the result clearly indicates the risks and their classification into risk levels. This process should be part of the mandatory program before and during the use of endpoints – from routers to production machines,” Jan Wendenburg of ONEKEY sums up.


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150