What’s the biggest threat to the industrial internet of things (IIoT) space?



SVP, Chief Information Security Officer in Education, 5,001 - 10,000 employees
A native industrial cyber attack has truly yet to happen. Most of the cyber attacks that have touched industrial environments have been IT-level attacks, like ransomware, or breaking in through enterprise remote access protocols. But for example, the world has yet to see a legitimate massive DNP3 attack, which is an industrial protocol, or a Modbus/TCP denial-of-service attack. When that starts to happen, it will be a game changer, because most security initiatives and products focus on protecting the IT side. The thinking is that those attack vectors are the only ones that will be relevant to the industrial side, but that is an incorrect way of looking at this space. That's an outside-in approach. If you look at it from the inside out, you’ll see that there are so many different attack surfaces on the inside of these networks, which is why native-level protection is important. 

The challenge is that native-level protection is difficult. It requires an in-depth understanding of the network, protocols, devices and the settings of those devices. If you consider Stuxnet, the fanciest part of that attack, from the ICS perspective, was a settings change on the centrifuge controllers. That change took the target out of its normal range of operation in terms of a numerical value. There was nothing on the network that could prevent that numerical value from surpassing an acceptable threshold. And that led to physical damage.
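
The kind of native-level check the comment above describes, as an added example that is not part of the original thread: it parses Modbus/TCP write requests and flags register values outside an allowed range. The register address 0x0010, its limits, and the sample frames are constructed assumptions.

```python
import struct

# Assumed policy (hypothetical): holding register -> (min, max) raw setpoint.
SETPOINT_LIMITS = {0x0010: (800, 1200)}
WRITE_SINGLE, WRITE_MULTIPLE = 0x06, 0x10

def register_writes(frame: bytes):
    """Return [(address, value), ...] for a Modbus/TCP write request, else []."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", frame[:8])
    # MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed Modbus/TCP frame")
    body = frame[8:]
    if func == WRITE_SINGLE:
        if len(body) != 4:
            raise ValueError("bad Write Single Register body")
        return [struct.unpack(">HH", body)]
    if func == WRITE_MULTIPLE:
        if len(body) < 5:
            raise ValueError("bad Write Multiple Registers body")
        start, qty, nbytes = struct.unpack(">HHB", body[:5])
        if nbytes != 2 * qty or len(body) != 5 + nbytes:
            raise ValueError("register count and byte count disagree")
        values = struct.unpack(f">{qty}H", body[5:])
        return [(start + i, v) for i, v in enumerate(values)]
    return []  # reads and other function codes carry no setpoint writes

def violations(frame: bytes):
    """Return [(address, value, (min, max)), ...] for out-of-range writes."""
    found = []
    for addr, value in register_writes(frame):
        limits = SETPOINT_LIMITS.get(addr)
        if limits and not limits[0] <= value <= limits[1]:
            found.append((addr, value, limits))
    return found

# Constructed sample frames (not captured traffic).
IN_RANGE = bytes.fromhex("0001 0000 0006 01 06 0010 03e8")      # writes 1000
OUT_OF_RANGE = bytes.fromhex("0002 0000 0006 01 06 0010 07d0")  # writes 2000
MULTI = bytes.fromhex("0003 0000 000b 01 10 000f 0002 04 0005 05dc")

if __name__ == "__main__":
    for name, frame in [("in range", IN_RANGE), ("out of range", OUT_OF_RANGE),
                        ("multi-register", MULTI)]:
        print(name, violations(frame))
```

A passive monitor can alert on the returned violations; stopping the write requires the same check on an inline device.
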
Director of Information Security Operations in Consumer Goods, 1,001 - 5,000 employees
Inherently insecure OT networks: Complex and widely distributed architecture, limited OT visibility, and inadequate security controls gave attackers hundreds of possible entry points into companies' OT networks. As a result, small-scale attacks usually can go unnoticed despite aggregating substantial damage—and posing substantial risks to OT availability, safety, and reliability—over time.
Head of IT and Security in Finance (non-banking), 51 - 200 employees
Basically, the impact mostly depends on the type of industry, but I would assume device hijacking would definitely be a serious threat.
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
Lack of security control standards around IoT. Multiple operating systems and firmware types make it difficult to prescribe one single standard coverage strategy for most of these devices.
Director, Information Security Engineering and Operations in Manufacturing, 5,001 - 10,000 employees
Probably the mindset that they are not as exposed as they really are.
