A recent Inmarsat survey of senior IT decision makers at 100 large energy companies worldwide found that 54 percent of respondents need additional security skills to deliver successful IoT projects, and 53 percent need to make significant investments to meet physical and digital IoT security requirements.
Only 2 percent of respondents said IoT creates no new security challenges for them.
Just 30 percent of respondents said they've given special consideration to network security as part of the development of their IoT solutions, and just 38 percent have taken additional steps to protect against cyber attacks.
Strikingly, 59 percent of respondents said their board has either a partial understanding of IoT or none at all.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"The core operations of energy companies have traditionally been insulated from the destructive cyber attacks that have destablized other industries, as they were not connected to the Internet," Inmarsat senior director for energy Chuck Moseley said in a statement. "But with the advent of IoT, more and more parts of their infrastructure are being connected, creating new vulnerabilities and risks."
"Worryingly, our research shows that many energy businesses lack the security processes and skills to address these new vulnerabilities," Moseley added. "This needs to be quickly addressed, and it must be driven by senior leadership within energy businesses, to ensure that they do not miss out on the huge potential value that IoT can bring to the energy sector."
A separate CyberX study of 375 industrial networks worldwide found that 31 percent are connected to the public Internet, and fully 76 percent are running outdated and unpatchable operating systems like Windows XP and Windows 2000 on their operational technology (OT) networks.
"Most of these ICS/SCADA sites were built years ago, long before the proliferation of Internet connectivity and the need for real-time intelligence," the report states. "The key priorities were performance and reliability rather than security."
Fifty percent of sites studied aren't using any anti-virus protection at all, and 59 percent have passwords traversing the network in plain text.
Ten percent of sites studied were already infected with known malware such as WannaCry, NotPetya or Conficker, and 82 percent were running remote management protocols like RDP, VNC and SSH, making it easier for attackers to manipulate a compromised network.
"We don't want to be cyber Cassandras -- and this isn't about creating FUD -- but we think business leaders should have a realistic, data-driven view of the current risk and what can be done about it," CyberX CEO and co-founder Omer Schneider said in a statement.