IT experts call for a bill of materials (SBOM) for device software in IoT Security Report 2022

Industrial controls, production and the smart home are often „insufficiently“ protected against hackers

Düsseldorf/Germany, May 12, 2022 – Shampoo, cookies, canned soup and medicines all have one thing in common: the listing of all ingredients on the package and their traceability back through the manufacturer to the producer of the individual ingredient. Important smart industrial controls, intelligent production plants and devices such as routers, network cameras, printers and many others bring their firmware with operating systems and applications directly along – without a precise proof of the software components contained. Often this means immense risks of infestation by hackers and data thieves in companies using these controls and devices.

As part of the „IoT Security Report 2022“ study, 75 percent of the 318 IT industry professionals and executives surveyed in consequence advocate a precise proof of all software components, the so-called „Software Bill of Materials“ (SBOM) for all components, including all software contained in an endpoint. „Within the scope of our research over the past few years, virtually all devices connected to a network have contained sometimes more, sometimes less hidden flaws in the firmware and applications, an accurate content statement of software components is therefore extremely important for an organization’s IT to verify and maintain security levels,“ says Jan Wendenburg, CEO of ONEKEY (formerly IoT Inspector). The company has developed a fully automated security and compliance analysis for the software of control systems, production equipment and smart devices and makes it available as an easy-to-integrate platform for companies and hardware manufacturers.

Manufacturers neglect security  
As a result, there is not much confidence in the manufacturer-side security of IoT devices: 24 percent of the 318 respondents consider this to be „not sufficient,“ with a further 54 percent considering it to be „partially sufficient“ at most. Hackers keep an eye on vulnerable devices for some time now – and the trend is rising. 63 percent of IT experts confirm that hackers are already misusing IoT devices as a gateway into networks. In companies in particular, confidence in the security measures around IoT is low: only a quarter of the 318 respondents see complete security guaranteed by their own IT department, while 49 percent see it as only „partially sufficient.“ And 37 percent of IT professionals surveyed for the IoT Security Report 2022 have already experienced security-related incidents with endpoints that are no normal PC clients. „The risk is constantly increasing as connected manufacturing continues to expand. In general, the number of networked devices is expected to double in a few years,“ says Jan Wendenburg of ONEKEY. In addition to the automatic analysis platform for checking device firmware, the company also operates its own test lab, where the hardware of major manufacturers is tested and vulnerability reports, so-called advisories, are published on a regular basis.

Unclear responsibilities in companies  
Another risk: industrial control systems, production facilities and other smart infrastructure endpoints are often in company use for more than ten years. Without compliance strategies, however, there are usually no update policies in most companies either. In addition, often there is a very unclear situation around responsibilities: among the 318 company representatives surveyed, a wide variety of people and departments are responsible for IoT security. These range from CTO (16 percent) to CIO (21 percent) to Risk & Compliance Manager (22 percent) to IT Purchasing Manager (26 percent). In 21 percent of the companies, external consultants even handle the purchasing of IoT devices and systems. By contrast, only 23 percent perform the simplest security check – an analysis and testing of the included firmware for security vulnerabilities. „This is negligent. An examination of the device software takes a few minutes only, and the result clearly indicates the risks and their classification into risk levels. This process should be part of the mandatory program before and during the use of endpoints – from routers to production machines,“ Jan Wendenburg of ONEKEY sums up.

About ONEKEY:  
ONEKEY (formerly IoT Inspector) is the leading European platform for automated security & compliance analysis for devices in industry (IIoT), production (OT) and the Internet of Things (IoT). Using automatically generated „Digital Twins“ and „Software Bill of Materials (SBOM)“ of the devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, completely without source code, device or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time and can thus be specifically remedied. Easily integrated into software development and procurement processes, the solution enables manufacturers, distributors and users of IoT technology to quickly and automatically check security and compliance before use and 24/7 throughout the product lifecycle. Leading companies, such as SWISSCOM, VERBUND AG and ZYXEL are using this platform today – universities and research institutions can use the ONEKEY platform for study purposes free of charge.