IT study reveals glaring vulnerabilities: Industry must protect IoT controls

Industrial controls, production and the smart home are often "insufficiently" protected against hackers Düsseldorf/Germany, May 12, 2022 - Shampoo, cookies, canned soup and medicines all have one thing in common: the listing of all ingredients on the package and their traceability back through the manufacturer to the producer of the individual ingredient. Important smart industrial controls, intelligent production plants and devices such as routers, network cameras, printers and many others bring their firmware with operating systems and applications directly along - without a precise proof of the software components contained. Often this means immense risks of infestation by hackers and data thieves in companies using these controls and devices. As part of the "IoT Security Report 2022" study, 75 percent of the 318 IT industry professionals and executives surveyed in consequence advocate a precise proof of all software components, the so-called "Software Bill of Materials" (SBOM) for all components, including all software contained in an endpoint. "Within the scope of our research over the past few years, virtually all devices connected to a network have contained sometimes more, sometimes less hidden flaws in the firmware and applications, an accurate content statement of software components is therefore extremely important for an organization's IT to verify and maintain security levels," says Jan Wendenburg, CEO of ONEKEY (formerly IoT Inspector). The company has developed a fully automated security and compliance analysis for the software of control systems, production equipment and smart devices and makes it available as an easy-to-integrate platform for companies and hardware manufacturers.

Manufacturers neglect security

As a result, there is not much confidence in the manufacturer-side security of IoT devices: 24 percent of the 318 respondents consider this to be "not sufficient", with a further 54 percent considering it to be "partially sufficient" at most. Hackers keep an eye on vulnerable devices for some time now - and the trend is rising. 63 percent of IT experts confirm that hackers are already misusing IoT devices as a gateway into networks. In companies in particular, confidence in the security measures around IoT is low: only a quarter of the 318 respondents see complete security guaranteed by their own IT department, while 49 percent see it as only "partially sufficient". And 37 percent of IT professionals surveyed for the IoT Security Report 2022 have already experienced security-related incidents with endpoints that are no normal PC clients. "The risk is constantly increasing as connected manufacturing continues to expand. In general, the number of networked devices is expected to double in a few years," says Jan Wendenburg of ONEKEY. In addition to the automatic analysis platform for checking device firmware, the company also operates its own test lab, where the hardware of major manufacturers is tested and vulnerability reports, so-called advisories, are published on a regular basis.

Unclear responsibilities in companies

Another risk: industrial control systems, production facilities and other smart infrastructure endpoints are often in company use for more than ten years. Without compliance strategies, however, there are usually no update policies in most companies either. In addition, often there is a very unclear situation around responsibilities: among the 318 company representatives surveyed, a wide variety of people and departments are responsible for IoT security. These range from CTO (16 percent) to CIO (21 percent) to Risk & Compliance Manager (22 percent) to IT Purchasing Manager (26 percent). In 21 percent of the companies, external consultants even handle the purchasing of IoT devices and systems. By contrast, only 23 percent perform the simplest security check - an analysis and testing of the included firmware for security vulnerabilities. "This is negligent. An examination of the device software takes a few minutes only, and the result clearly indicates the risks and their classification into risk levels. This process should be part of the mandatory program before and during the use of endpoints - from routers to production machines," Jan Wendenburg of ONEKEY sums up.