In 2015, security firm IOActive analyzed 20 mobile applications that connected to industrial control systems (ICS). Last year, it reprised the research and discovered 147 issues in the 34 applications selected for analysis. This represents an average increase of 1.6 vulnerabilities per application.

What might this mean in the age of Industrial IoT? The full report “SCADA and Mobile Security in the Internet of Things Era” can be downloaded here. And we spoke to Jason Larsen, director of advisory services at IOActive, to learn more.

Roughly what percentage of the SCADA app universe do the 34 randomly tested apps represent?

There were roughly 140 apps in Google Play and 200 in the Apple App Store.

Did the level of increase in vulnerabilities between 2015 and 2017 surprise you?

Usually when a problem is pointed out, the code quality increases. My gut tells me that since this is a new environment, the failure is in processes and procedures. Since industrial control vendors haven’t historically used mobile environments, it’s likely that many of these applications were hired out to third-party developers who used the same rapid development strategies they use for everything else. I wouldn’t be surprised if most of these were pilot projects where the contracting language wasn’t in place to require security coding practices and security testing. One of the reasons we do this kind of research is to focus industry on the problem.

How much awareness is there about this problem?

The code quality of the average mobile application has been pretty well documented.
There may be some assumptions that industrial control software has been programmed and tested to a higher standard than your average app.

What is the biggest implication for security professionals about these findings?

This research highlights that while apps can be securely programmed, they shouldn’t be assumed to be good just because process control software is more thoroughly tested. Mobile applications should always be reviewed before being deployed in a production environment.

Who will ultimately be accountable for these types of vulnerabilities?

There’s not much an end-user can do to fix bugs in a mobile application themselves. The fixes will need to be done by the vendors.

What do you think is the most important way to tackle this? Maybe mandatory security standards for developers, better regulation of app stores, better security on mobile devices, a mix of these, or something else entirely?

A good start would be transparency. If an application is built using secure programming practices and has gone through a review, documenting that would go a long way.

Is insecurity of Industrial IoT the most important security consideration at the moment?

Most mobile and IIoT is being deployed in test environments and limited cases, but if history is any indication, they will become a much bigger part of the infrastructure in the future. Everyone that tried to fight WiFi when it first came out eventually lost. The real danger is the transition phase where these devices are being adopted for minor tasks and test environments. These first devices may open up security holes way before the rest of the architecture is ready to deal with those risks. IOActive tests control systems all over the world and the number of interesting ways into a control network is very large. The control network perimeter can be breached. That’s where a good security architecture and safety program comes into play.
We expect mobile and IIoT to only grow in popularity.

Are mobile applications the main point of insecurity for these systems – are there other areas that go under the radar?

Control network perimeters are becoming more porous like all other networks. I wouldn’t say this attack pathway is the main attack pathway, but in five years it will likely become one of the most common. ICS administrators already have their hands full with wireless communications, just-in-time manufacturing, integrated scheduling, and all the other things that make modern environments run. Many of those systems could use a hard look. Why we think mobile deserves a closer look is because the attacker community’s existing skillset can be directly leveraged against it. This means that it could rapidly become a major problem.