Conf42: Incident Management 2022


Cameras, CACs & Clocks: Enterprise IoT Security Sucks - A Story of Two Million Interrogated Devices

Brian Contos
CSO @ Phosphorus Cybersecurity


Enterprise Internet of Things (IoT) security today is analogous to IT security in the mid-1990s. It was a time when security awareness was limited, countermeasures and best practices weren’t broadly applied, and attackers explored, compromised, controlled, and exfiltrated data from systems with minimal resistance. In short, enterprise IoT security sucks as bad today as that unpatched Windows NT 3.51 server with an RS-232-connected modem that IT forgot about.

Working globally with Fortune 500 enterprises and government agencies, we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow.

Security issues are compounded by the quantity of IoT devices. Our analysis indicates that most organizations have about five IoT devices per employee. The global IoT market has grown from $100 billion in 2017 to over $1 trillion in 2022. There are over 46 billion connected devices today and 30 billion (65%) of those devices are IoT. We are increasingly dependent on consumer, enterprise, industrial, and military IoT devices for cost reduction, supply chain logistics, productivity gains, security, and everything in between. Despite the criticality of IoT, our security hasn’t kept pace. In the enterprise, we’ve identified that we simply don’t know:

● What IoT devices we have - guesses based on legacy asset discovery solutions are consistently off by at least 50%
● When our firmware was last updated - in many cases the firmware is end of life and the average IoT firmware age is six years
● If our credentials follow organizational policies - passwords that are default, low-quality, don’t have scheduled rotations, and lack centralized management are the norm
● How vulnerable our IoT devices are - at least half of the IoT devices we’ve interrogated have known, high to critical level CVEs

While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security.

Attendee takeaways:
● Discover your IoT devices, diagnose their security, and define their limitations
● Employ tactics to improve your IoT security and communicate their status to stakeholders
● Restate key findings derived from the interrogation of two million production IoT devices
