In the IoT Security Report 2022, IT experts call for a Software Bill of Materials (SBOM) for device software: industrial controls, production systems and the smart home are often “insufficiently” protected against hackers. The experts demand proof of all software components used.
Shampoo, biscuits, canned soup and medicines have one thing in common: the list of all ingredients on the package, and the traceability of each ingredient from the manufacturer back to the producer of that individual ingredient. Important smart industrial controls, intelligent production systems and devices such as routers, network cameras, printers and many others ship with their firmware, operating system and applications built in - without precise proof of the software components they contain. For the companies that use these controls and devices, this often means immense risk of attack by hackers and data thieves.
What's inside routers, networks & Co?
As part of the "IoT Security Report 2022" study, 75 percent of the 318 specialists and managers from the IT industry surveyed are in favor of precise verification of all software components, the so-called "Software Bill of Materials" (SBOM), for all components, including all software included in an endpoint. "In the course of our investigations over the last few years, practically all devices connected to a network have hidden defects in the firmware and applications, to a greater or lesser extent, which is why a precise description of the content of the software components is extremely important for a company's IT in order to check and maintain the security level,” says Jan Wendenburg, CEO of ONEKEY (formerly IoT Inspector). The company has developed a fully automatic security and compliance analysis for the software of controls, production systems and smart devices and makes it available as an easy-to-integrate platform for companies and hardware manufacturers.
Manufacturers neglect security
Accordingly, there is not much trust in the protection of IoT devices by the manufacturer: 24 percent of the 318 people surveyed consider it "insufficient", and another 54 percent at most "partially sufficient". Hackers have therefore had the vulnerable devices in their sights for a long time - and the trend is rising. 63 percent of IT experts confirm that hackers are already using IoT devices as a gateway into networks. In companies in particular, confidence in the security measures relating to IoT is low: only a quarter of the 318 respondents see complete security guaranteed by their own IT department, while 49 percent see it as only “partially sufficient”. And 37 percent of the IT professionals surveyed for the 2022 IoT Security Report have already had security-related incidents with endpoints that are not normal PC clients.
Connected manufacturing increases the risks
“The risk increases even further as networked production continues to expand. In general, it can be expected that the number of networked devices will double in a few years,” says Jan Wendenburg from ONEKEY. In addition to the automatic analysis platform for checking device firmware, the company also operates its own test laboratory, in which the hardware of major manufacturers is tested and vulnerability reports, so-called advisories, are published regularly.
Unclear responsibilities in companies
Another risk: industrial controls, production systems and other smart infrastructure endpoints are often in use for more than ten years. Without compliance strategies, however, there are usually no update guidelines in the company. In addition, responsibility is often very unclear: the 318 company representatives surveyed name a wide variety of people and departments as responsible for IoT security. The spectrum ranges from the CTO (16 percent) to the CIO (21 percent) to the Risk & Compliance Manager (22 percent) to the IT Purchasing Manager (26 percent). At 21 percent of the companies, external consultants even take on the purchasing of IoT devices and systems.
On the other hand, only 23 percent carry out the simplest security check – an analysis and test of the included firmware for security gaps. "That is negligent. An examination of the device software takes a few minutes, and the result provides clear information about the risks and their classification into risk levels. This process should be part of the mandatory program before and during the use of endpoints - from the router to the production machine", sums up Jan Wendenburg from ONEKEY.
More at Onekey.com