Industry executives and experts share their predictions for 2022.  Read them in this 14th annual VMblog.com series exclusive.

Six Quick Takes - IoT Security Trends to Keep on your Watch List

By Bud Broomhead, CEO, Viakoo

With the almost weekly news about cyber criminals attacking sensitive infrastructure or exfiltrating sensitive business data, the growing threat and impacts of those vulnerabilities being exploited is too severe to ignore.The financial cost per each cyber incident has grown into the millions of dollars, and can even cost lives. We're taking a look at the top six cyber trends going into 2022, and how enterprises can better prepare their organizations to be forewarned and forearmed.

• Cyber attacks on IoT devices will turn deadly. The trend is clear: cyber attacks on IoT and critical infrastructure are on the rise, and are impacting systems key to life and human safety.  Oil pipeline disruptions, water plant chemical settings, food safety tampering, and other cyber incidents in the past 12 months are examples of this trend.  New cyber vulnerabilities are more aimed at IoT/OT systems than traditional IT systems, and the threat of death from failed IoT devices and systems is much higher than from failed email exchanges. 
  

The trend of IoT cyber vulnerabilities being more deadly (contaminated water supplies, industrial processes failing, deep fakes replacing real evidence) backs up Gartner's prediction that by 2024 75% of CEOs will be personally liable for cyber breaches.  Cyber vulnerabilities, especially IoT, are already in the minds of corporate leaders and there is every expectation budgets to prevent and remediate these vulnerabilities will continue to increase as a consequence. 

• Agentless cybersecurity solutions will displace agent-based ones. Agent-based solutions work for IT systems where they can be hosted within known platforms (e.g. Windows or Linux).  IoT/OT/ICS devices run a multitude of operating systems and have wide variation in their compute capabilities.  In the short term we are in a world of both agent and agentless solutions. Ultimately, this will collapse into just agentless solutions because of the organizational goal of tool consolidation.  The worldwide shortage of cybersecurity professionals makes it an imperative to streamline operations and make individuals more productive; consolidating into more efficient systems and processes rather than running multiple competing ones will address this imperative. 
  

• Ransomware as a service will expand into IoT/OT. With the growth of vulnerabilities targeting IoT/OT systems, ransomware threats will continue to worsen by means of ransomware as a Service (RaaS). This method helps bad actors execute even quicker by using proven techniques to stage an attack, while efficiently outsourcing the backend commodity infrastructure to save time. Organizations should pay more attention to not only critical services and systems supporting employees and customers, but also secondary systems that are less obvious prey. These systems may not contain sensitive data, but can inadvertently provide access to the more desirable targets.
  

• Industry associations will push more cybersecurity requirements onto their members. Cyber attacks on specific types of equipment (e.g. IP cameras or VOIP phones) have become so pervasive that it is no longer an issue for a manufacturer - it's an industry issue.  Pipelines and water treatment plants are viewed as cyber-vulnerable, more than the specific operators of these systems.  Industries that have or are gaining bad reputations for being cyber vulnerable will need to treat this as an existential threat. 
  

• Speed of incident response will be a key metric. Too often a vulnerability is discovered, a patch is made available to address it, and then months go by before the patch is installed (and sometimes it never is).  This situation will put more pressure on the time between when a patch is available to when the organization actually  implements it; legal consequences (such as negligence) will be a motivating factor.  This will likely become a major factor in the pricing and approval process for cyber insurance, as it directly ties to the effectiveness of a company's risk management procedures. 
  

• Security is finding a seat in the boardroom and commanding more wallet. Security leaders have been told to tie their efforts more closely to the company focus and bottom-line in order to get a seat at the boardroom table and budget.  It's happening.  With the attack surface rapidly expanding into IoT, OT, ICS, and other forms of business-critical non-IT devices and services, cyber attacks have become more of an existential threat to organizations.  We'll see trends in increased board-level visibility and a more direct connection between security spend and corporate goals.
  

Organizations can't feasibly stop every new threat and attacker, but security and IT teams can stay focused on new methods and technologies to secure the most vulnerable data and systems. Falling back on existing manual methods while the overall attack surface grows is the greatest barrier to achieving this goal, so automation will be key leading into next year's strategy.

##

ABOUT THE AUTHOR

Bud Broomhead is the CEO of Viakoo, a leader in IoT device remediation. He is a serial entrepreneur who has led successful software and storage companies for more than two decades. He has experience delivering computational and storage platforms to the physical security space for over seven years, with an emphasis on infrastructure solutions for video surveillance.