
State of IoT Security: Budget Ranks Least of Challenges


In Keyfactor’s first global IoT security report, respondents revealed that security has shifted in leaders’ minds. They understand the importance of IoT security and have put a budget behind it.

Security budgets averaged $446,015 and were predicted to rise 19% over the next two years and 45% over the next five years. 

Yet, organizations have trouble applying their budget to prevent attacks effectively. In fact, as much as 52% of the average budget is at risk of being diverted to cover the cost of successful breaches on IoT devices. 


Stakes are rising as legislative bodies set their sights on solving the challenge of IoT security. Governments across the world are calling for product designers and manufacturers to embrace secure-by-design principles in order to better protect critical infrastructure. The Matter standard and NIST’s device labeling program encourage more secure products and give consumers more confidence in making secure purchasing decisions. 

Though these standards have not reached the level of compliance regulation, they indicate where the legislative attitude is headed. Still, the report showed that 98% of organizations experienced a certificate-related outage in the past 12 months. Outages on manufacturing lines cost the average OEM organization $2.25 million.

So, if budget and priority aren’t obstacles, why is IoT security still elusive? 

The biggest barriers to IoT security

It’s unclear whether security practitioners are hindered more by the wrong tools or by the wrong methods. More than likely, both are factors.

A dearth of knowledge and understanding

Ninety-four percent of North American organizations agreed that they need improved IoT security. Sixty-two percent of organizations said they are “as protected as they can be.”

These numbers seem contradictory, but together they indicate an awareness of risk and a lack of understanding of how organizations can improve security to cover those risks. 

On the equipment manufacturers’ side of things, 42% of OEMs cited the lack of clarity around best practices to implement security across multiple global manufacturing sites as a top challenge to securing their manufacturing and production lines. They also said their top challenge to securing the IoT devices they manufacture was the inability to quantify the threat impact of third-party IoT devices.

There’s a lot organizations don’t know when it comes to device security. IoT manufacturers are experts in their field, but not necessarily in the security of their devices. What’s certain is that without a vision for total device security starting at initial design and the knowledge of the tactical milestones it will take to achieve that vision, any steps forward will amount to a mere shot in the dark. 

Inadequate tooling

Ninety-four percent of respondents said their organization uses a PKI solution to issue digital identities and/or manage certificates on the IoT and IIoT devices they use and/or manufacture.

At first glance, this seems positive. Organizations are undoubtedly moving away from spreadsheets to track certificates. However, a closer look reveals that organizations still aren’t as sophisticated in their tooling as they should be.

27% use a native internal tool only.

These tools are likely home-grown solutions that offer limited automation, visibility, and scalability. They tend to be riskier and harder to manage.

44% use a combination of internal and third-party solutions.

This statistic is likely driven by a host of vendor-specific tools that only manage certificates issued by that vendor’s certificate authority. Seeing as the average organization uses nine different CAs, vendor-specific coverage only adds complexity and obscures visibility.

More tools don’t mean more coverage. Certificates — including both those used by IoT devices and those deployed in the IT environment — are best managed through a single, universal hub. Doing so lays the best foundation for automation and gives holistic insight into the state of the certificate landscape across the entire enterprise.

Legacy infrastructure

Forty-one percent of OEMs said they would have to modify their production facilities to incorporate new processes that would enable better security. Meanwhile, 32% of OEMs said they lack the infrastructure to support change at scale, while 30% said they lack the infrastructure to support any change at all.

Manufacturing environments come with their own unique dynamics that make it difficult to modernize systems and implement new processes. These legacy systems are complex, and sometimes there’s a fear of reliance on software that could introduce undesired downtime.

These dynamics may be somewhat intractable. But they can’t remain unknown or unaccounted for. Organizations must create a vision for device security, then seek solutions and vendors who can help execute that vision and enable the flexibility organizations need to thrive in the future. Make no mistake, changes are coming for OEMs. Legacy systems won’t be sustainable forever. New regulations, a changing threat landscape, and security-conscious consumers will force organizations to adapt or perish.

The future of IoT

Every individual IoT device affords an attacker a potential entry point into the organization’s network. The risks of IoT security go beyond protecting the reputation of the organization — they extend to the critical infrastructure that supports our very way of life.

The IoT world is ripe for innovation, and it is a sign of progress that more leaders are positioning security as a key driver of innovation rather than a barrier to it. As that innovation unfolds, IoT manufacturers and user organizations must make good use of their IoT security budgets and work to understand the state of IoT within their operations.