Rising numbers of documented security issues in Internet of Things (IoT) devices mean that businesses have a new patch management issue brewing, cybersecurity, experts say.

A combination of more connected products, greater scrutiny by researchers, and regulations requiring disclosure of vulnerabilities has resulted in a rising tide of disclosed bugs. Those found in products considered to be part of the Extended Internet of Things (XIoT), for example, jumped 57% in the first half of the year, compared with the prior six months, Claroty stated in a recent report.

Embedded IoT devices have meanwhile jumped to account for 15% of the XIoT vulnerabilities, up from 9% in the second half of 2021.

This rapidly expanding landscape of IoT devices and infrastructure means that companies need to ensure visibility, not only into their IoT devices, but all the systems that manage those devices, and be ready to quickly patch those devices, says Sharon Brizinov, director of research for Claroty.

"The networks [have become] much more diverse than ever before, and that goes hand-and-hand with the fact that more security researchers are looking for vulnerabilities than ever before," he says. "So, more devices and more awareness and more security researchers investigating those devices means more vulnerabilities being disclosed."

XIoT vulnerability classified by embedded IoT, medical IoT, IT, and OT categories. Source: Claroty

This trend is only set to continue, according to experts. Companies will need to keep track of their IoT assets and, because vulnerability remediation typically requires a software update, evaluate whether deployed devices can easily be updated.

Fewer vendors are trying to hide their security issues and are moving away from silent patching — a good development for security but one that contributes to the "noticeable increase" in the number of IoT vulnerabilities being publicly disclosed, says Deral Heiland, principal security researcher for IoT at Rapid7.

"If no data is made available to the public, then end users can't be aware of a potentially serious risk caused by a vulnerability and may delay patching," he notes. "So, vendors publishing in this way is a positive move."

Growing Number of XIoT issues

Overall, 747 vulnerabilities were disclosed in XIoT devices between the start of January and the end of June, a 57% jump from the prior six months, according to Claroty's "State of XIoT Security: 1H 2022" report. The affected products came from 86 different vendors, and for the first time, proactive disclosure by vendors became the second most common way that information on vulnerabilities was published, after disclosure by third-party firms. Independent researchers and the Zero Day Initiative were the third and fourth most common sources of vulnerability information.

Vendors as a group are not necessarily better at security — the numbers are driven by a few major firms, such as Siemens, that have implemented strong security programs, says Claroty's Brizinov. Siemens represented the top disclosure of XIoT vulnerabilities, at 214, with the second being Reolink at 87, followed by Schneider at 52, according to Claroty's report.

"There were some business decisions that led to this result — some decisions makers that decide to come clean," he says. "They understand that it is an important piece of information."

Different initiatives have also fueled the rising rate of disclosures. The Internet of Things Cybersecurity Improvement Act of 2020 has put pressure on companies that provide IoT products to the government, while a consumer-focused program for creating security "nutrition labels" for IoT devices will likely drive consumers toward more security-conscious products.

A Moving Definition of the Internet of Things

Vulnerability-intelligence firm Risk Based Security, now part of Flashpoint, has also noted an increase in the number of security issues in products that could be considered part of the IoT ecosystem. The company, however, has stressed that the lack of a good definition for IoT devices makes it difficult to track the category.

Industrial monitoring devices, medical imaging equipment, IP video cameras, and electronic door locks are all connected to the Internet and allow digital communications to have impacts on the physical world. In its 2020 publication, "Foundational Cybersecurity Activities for IoT Device Manufacturers," the US National Institute of Standards and Technology (NIST) defined IoT devices as those that "have at least one transducer (sensor or actuator) for interfacing directly with the physical world and at least one network interface ... for interfacing with the digital world."

Claroty calls the category the Extended Internet of Things, and puts devices from medical, industrial, and commercial applications under one umbrella. The company has acknowledged that the products included in the XIoT category may not have been there last year because new devices have been released, connectivity added to previous products, and as new products push the definition of IoT.

For instance, as manufacturing, critical infrastructure, and city management have adopted connected devices, Siemens and other operations technology (OT) companies have transformed their products from industrial control systems to industrial IoT, cybersecurity has become a critical part of that transformation, Claroty's Brizinov says.

"In the past, there was a distinct separation between IT and OT — we could circle those domains and they would be separate," he says. "And then came IoT, and those circles intersected so there were some devices in both IT and OT."

Another growing aspect of IoT is mobile devices, such as smartphones and tablets. Many companies use mobile devices as a way to monitor and control their network of IoT devices, which means that the device is not the only component of the IoT ecosystem, but mobile devices and back-end servers must also be included.

For that reason, Rapid7 considers cloud components and management software to be part of the ecosystem.

"Typically, a mobile device as a standalone device would not be considered IoT," says Rapid7's Heiland. "When running software designed to interact, control, and/or manage an IoT solution, it does become part of the IoT products ecosystem and should be considered when evaluating the security of the IoT product."