
Examining the Survivorship Bias in IoT Attacks


As IoT devices find their way into the lives and homes of consumers, sensational IoT attacks are finding their way into the headlines. 

The Verkada video camera hack gave attackers live views into factories (including Tesla’s), hospitals, jails, and more. A casino got hacked through a connected fish tank thermometer. Researchers remotely took control of a Jeep through a firmware vulnerability.

While the benefits of IoT and connected devices are hard to overstate, the security risks of IoT devices have become a top priority for stakeholders of digital trust — that is to say, everyone. 

But not everyone is on the same page about the risks, as revealed by Keyfactor’s 2023 report, Navigating the State of IoT Security.

  • 89% of orgs operating/using IoT have faced cyber attacks in the past year. 
  • 22% of those who haven’t experienced attacks say they don’t face any challenges in securing their IoT products. 
  • Yet of the orgs who have experienced attacks, only 2% say they don’t face any challenges.

One reading of these statistics is that the organizations reporting no challenges have been proactive and effective in securing their IoT devices. Another reading suggests survivorship bias: having not yet been attacked, they assume an attack could never happen to them.

Whether they’ve suffered an attack or not, organizations shouldn’t rest on their laurels in securing IoT devices. 

The confidence gap

According to the report, half of respondents agree that their organization lacks the awareness and expertise to defend against IoT attacks, while 43% believe they are “as protected as they can be.” Meanwhile, 88% of respondents agreed that their organizations need to improve IoT security.

This suggests that most organizations lack a clear picture of what comprehensive IoT security looks like, or how to achieve it. In other words, they recognize that “as protected as we can be” is not the same as “protected enough.” Organizations that have not yet fallen victim to an attack may still have blind spots in their IoT security strategies.

The rising tide

Over the past three years, 69% of organizations leveraging IoT devices reported increased IoT attacks. In the same time span, organizations noted a 20% increase in the number of connected products they use.

The question of responsibility runs through the whole conversation. Who is to blame for IoT attacks, and on whom does the burden of preventing them fall? While 38% of respondents said the manufacturer of the IoT device and the user should be held equally responsible, 47% said the manufacturer should be mostly or completely responsible.

Even if the device manufacturer is responsible, user organizations suffer. The attack surface is growing, and attackers are taking more shots on goal through IoT. 

Costs are growing, too.

For manufacturers, the average certificate outage on the manufacturing lines costs $2.25M. A whopping 98% of device manufacturers reported experiencing such an outage in the past 12 months. 

What works today might not work tomorrow, or at scale. The report shows that organizations seek more vendor support as their device counts grow, which indicates that they struggle to manage that growth and to stay current with the latest security technologies.

Compliance pressure

If attacks don’t incentivize organizations to pursue IoT security, compliance will. 

In the IoT report, 98% of organizations said that regulations impact the development of IoT and connected products. For example: 

  • The Matter Standard is an open smart home protocol that encourages interoperability, reliability, and security among smart home devices, mobile apps, and cloud services. 
  • UNECE 155/156, ISO 15118, and ISO 21434 provide frameworks for security in the automotive industry.
  • IEC 62443 lays out a framework for industrial automation control systems that gives operational technology direction on segmenting networks, implementing the principle of least privilege, and encrypting data.
  • IEEE 802.1AR sets the foundation for device security, including device provisioning, boot, software updates, and communication.

Compliance is the bare minimum

Whether or not these standards and frameworks make their way into regulations — and which ones, and when — remains to be seen. More likely, consumers and organizations will apply more scrutiny to the connected devices they use. Studies show that security has made its way into the public consciousness.

Organizations have an opportunity to make security a differentiator in the market. Organizations would do well to use these standards as a starting point, compass, and bare minimum for creating digital trust.