Explosion of device vulnerabilities leaves Australian, New Zealander companies victim to their own digital transformation efforts.

Australian and New Zealander companies are rushing to tap internet of things (IoT) devices for post-COVID digital transformation. But most ANZ companies must double down on IoT security—or risk compromising the very digital-transformation initiatives they are trying so hard to fast-track.

Predictions of strong growth come from recognition that “IoT-based use cases can assist in delivering remote and distributed operations across the enterprise,” IDC said in a recent report, with a prediction that ANZ companies’ IoT spending will recover from a COVID-19 slump this year and grow by 9.5% annually through 2025.

Strong expenditures across manufacturing, utilities, and transportation would continue to drive over half of overall IoT spending, IDC predicted, with the construction and utilities sectors leading the growth in 2021. Key use cases include manufacturing operations, production asset management, electricity smart grids, and freight monitoring. Software such as IoT management applications and analytics software will be the fastest-growing sectors in the IoT segment.

“Other than cloud and AI/machine learning, IoT or industrial IoT is one of the top three technologies which will enable remote operations for enterprises, thereby improving productivity during these challenging times,” IDC market analyst Sharad Kotagi noted in the report.

More IoT means more security risk

Yet as companies extend the interconnectedness of their organisations, a large and growing body of evidence suggests their cybersecurity exposure will also continue to grow.

The pandemic-driven explosion in remote work was a dry run, cloud-security firm Zscaler found in a new study that analysed 300,000 IoT-specific malware attacks blocked by the company’s platform over the course of just two weeks in December 2020.
Manufacturing and retail-industry devices accounted for 59% of the 575 million device transactions analysed by Zscaler, which found a wide range of 3D printers, geolocation trackers, data-collection terminals, and payment terminals, among others, were flooding corporate networks with data.

Despite their mission-critical nature, 76% of the monitored IoT devices were sending their data in plain text – “meaning,” said Zscaler CISO Deepen Desai, “that a majority of IoT transactions pose great risk to the business.”

As industrial IoT (IIoT) devices are increasingly added to the mix by companies seeking to automate operational technology (OT) processes, that risk will rapidly be extended to new business domains—creating new risk from promising but insecure technologies that are often being rolled out without overarching security and management oversight.

IoT-related vulnerabilities in the critical manufacturing sector grew by 148% in the first half of 2021 alone, according to a recent Nozomi Networks IoT security report that also identified a 44% spike in ICS-CERT vulnerabilities this year.

Vulnerabilities in software supply chains, such as those that enabled the compromise of SolarWinds and Kaseya enterprise applications, were continuing to emerge, the report noted, and insecure IoT security cameras are continuing to surge “at an alarming rate”.

“As industrial organisations embrace digital transformation, those with a wait and see mindset are learning the hard way that they weren’t prepared for an attack,” said Nozomi CEO Edgard Capdevielle in the report.
“We encourage organisations to adopt a postbreach mindset prebreach, and strengthen their security and operational resiliency before it’s too late.”

A long road to secure IoT

The suggestion that businesses are unprepared for IoT-based attacks comes as no surprise given the results of a recent Fortinet report, in which 71% of surveyed ANZ businesses admit feeling unprepared for a cyberattack.

Indeed, fully two-thirds of Australian businesses admitted that a cybersecurity breach would either create significant costs for the business or end it completely.

Analyst firm Gartner has gone a step further, recently predicting that by 2025 cybercriminals will have used IoT breaches to “weaponise” OT environments to the point where a human being is harmed or even killed.

Companies with large numbers of assets “struggle to define appropriate control frameworks,” said Gartner senior research director Wam Voster in the report, noting that risk-management leaders in companies running operational environments “should be more concerned about real world hazards to humans and the environment” than just theft of their data.

A range of efforts have sought to define appropriate control frameworks for OT environments.
In those environments, the growing number of IoT devices will be a key confounder as surging numbers continue to challenge control capabilities.

Australia’s Therapeutic Goods Administration, for example, has published cybersecurity guidelines for medical devices and in May 2021 offered guidance for IoT and other equipment manufacturers around their regulation.

Aiming to help customers manage the exposure being created by growing IoT use within OT environments, recent months have seen IoT-focused security capabilities from vendors like BlackBerry—which in July 2021 launched the upgraded Jarvis 2.0 platform to find and fix vulnerabilities in embedded systems—and Malcolm Turnbull-backed industrial cybersecurity consultancy Dragos, which this year expanded into the ANZ market and recently added vulnerability management to its asset visibility and security platform.

Sector-specific offerings are likely to continue bulking out their features as they seek to close functional gaps and maintain suitable control over the IoT explosion.

An appropriate OT security framework must ultimately address 10 elements, Gartner said, including roles and responsibilities, training, incident response, asset inventory, log collection and detection, and secure configuration.

Industry groups like the IoT Alliance Australia are also engaged, continuing to work with peers such as the Industrial Internet Consortium to shepherd industry towards better security with a high-level approach that also ties into overall organisational objectives like the UN Sustainable Development Goals effort.

Maintaining effective security, and tying it in with overall corporate transformation objectives, will remain crucial as ANZ companies continue to tap IoT in the quest to reinvent themselves for the new normal.