You will soon receive an email with a link to confirm your access, or follow the link below.
You may now close this message and continue to your article.
IoT devices often have weak security and network connectivity. This makes their existence an expansion of the attack surface. This exposure is particularly concerning for critical infrastructure organizations, which are already attractive targets for some of the most sophisticated and best-resourced threat actors in the world.
IoT devices are still not subject to asset management or security monitoring in all organizations. And IoT devices tend to monitor legacy equipment in operational technology (OT) environments that may lack modern security features—a common reality in critical infrastructure industries.
Many IoT security vulnerabilities exist from the time of the device’s manufacture. Many come with weak default passwords, and changing them often isn’t intuitive. Some devices have credentials embedded in firmware, making them impossible to change. Others may not use authentication at all. And because IoT devices are designed to use little power to reduce costs and extend battery life, their processing capabilities are extremely limited. This limitation means they can’t run anti-malware programs or encrypt data shared across enterprise networks.
Network connectivity dominates IoT security challenges. Many devices are designed to connect automatically to the nearest Wi-Fi or local area network (LAN), potentially turning each device into an easy and attractive entry point for attackers looking for a stepping stone to wider networks.
At the same time, it can be difficult to secure communications between IoT devices and cloud apps. And it’s also often hard to deliver and install security updates to devices in the field. A lack of industrywide security standards for IoT devices and their communication protocols increases security risks, as does having many devices installed in remote locations where they may be vulnerable to physical tampering.
IoT adoption is widespread in critical infrastructure sectors, where nearly all respondents report that they have at least some IoT devices in use.
More than half of respondents in critical infrastructure sectors report that they had experienced significant security incidents involving mobile or IoT devices. By “significant security incidents,” we mean incidents resulting in data loss or system downtime.
of critical infrastructure organizations use IoT devices.
of critical infrastructure respondents have experienced significant mobile or IoT device-related security incidents leading to data loss or system downtime.
of critical infrastructure respondents have experienced a major impact due to a security compromise of an IoT device.
Respondents in critical infrastructure organizations are aware of the severity of the risks they face. Most understand the consequences of a security breach, and they see the proliferation of mobile and IoT devices as a formidable security challenge. Nonetheless, rapid adoption continues.
of critical infrastructure respondents believe a security breach involving mobile and IoT devices would have a substantial impact on their business.
of critical infrastructure respondents agree that security risks associated with mobile and IoT devices have escalated over the past year.
of critical infrastructure respondents identify “integration of mobile and IoT services” as a daunting security challenge.
Critical infrastructure organizations see great benefit from the efficiencies and visibility that IoT brings. In the energy sector, sensors help workers detect transmission line and power station outages. Using data analytics, energy providers can better direct power across the grid to balance supply and demand, while helping to maximize the integration of renewable energy sources. Smart meters and thermostats are increasingly coming online in homes and businesses, providing data that utility companies now use to improve services.
It’s no surprise IoT adoption is close to universal in the energy and utility sectors. But it’s critical for these organizations to develop smart risk management strategies, since threat actors have increasingly demonstrated eagerness to target them. Look no further than the Colonial Pipeline ransomware attack, the Saudi Aramco drone strike, or the sabotage of the Nord Stream pipelines to appreciate the vast geopolitical consequences of such activities.
of energy and utilities respondents agree that managing the nation’s critical infrastructure makes them a prime target for cybercriminals.
The Public Sector also faces significant mobile and IoT-related security risks. According to the 2024 Data Breach Investigations Report, Public Administration is a top target for organized crime, along with state-affiliated threat actors (together responsible for 96% of breaches caused by external actors in which the actor type was known, n=305).7 Thirty percent of breaches in this sector (when known) were espionage motivated.8
of Public Sector respondents report that their organizations experienced a security incident involving a mobile or IoT device.
7 Verizon, Data Breach Investigations Report, 2024.
8 Ibid.