As the calendar turns to November, and National Cybersecurity Awareness Month (NCSAM) winds down, it’s time to shift from awareness to action. This October, the threats targeting your connected devices—your IoT, Operational Technology (OT), and Cyber-Physical Systems (CPS)—have never been more critical.
The truth is stark: IoT devices are now the fastest-growing attack surface globally (with over 27 billion in use). They are highly exploitable (more than 50% have critical vulnerabilities) and perform functions essential to your business. Older strategies (security through obscurity, defense-in-depth, zero trust, network segmentation, security awareness training) all need to be updated and improved to address the accelerated IoT/OT/CPS threat landscape.
For the many organizations that struggle to protect cyber-physical systems (CPS) to the same level as their IT systems, the good news is that there are many new capabilities they can deploy, so that by the time we reach next October (NCSAM 2026) their organizations will be safer and more secure than they are today – as long as they deploy them.
CISOs and IT leadership should have the following new technologies on their shopping list:
- Application-based asset discovery: network-based discovery, which looks at packets to infer the existence of an IoT device, is great, but it lacks the context of how that device works with the overall system. That’s where application-based discovery comes in: instead of being inferred, the device is visible through the lens of the application that manages it. This approach gives much more detailed operational data, and can set the stage for knowing how to perform firmware updates or password changes, both of which require knowledge of the application to be done properly for IoT systems.
- Autonomous methods of remediation: threats are now coming at AI speed, and the day is quickly passing when organizations can delay knowing about the vulnerabilities present in their systems or whether there is a patch to remediate them. Organizations should be looking at autonomous methods to stay on top of that; having your systems constantly reviewed against a CVE database is now possible and gives you time-critical knowledge. Similarly, having automation monitor whether the manufacturer has a patch ready for those vulnerabilities saves critical time. And because IoT devices exist at large scale and are often spread across geographic distances, automating the firmware update itself is required to shrink the window of vulnerability.
- Firmware updating that prevents bricking devices: Unlike traditional Windows or Linux-based computer systems, IoT/OT/CPS devices almost always have application and network dependencies when it comes to updating firmware. Checking whether the application accepts the latest version of device firmware is needed to prevent bricking devices or disabling the IoT workflows your company relies on.
- Password management that reflects corporate infosec policies: Arguably every company has (or should have) corporate information security guidelines. Unless an explicit exemption was made for them, all IoT/OT/CPS systems are also subject to those guidelines. That’s why using a password management solution designed for IoT makes sense – it can handle the number and scale of IoT devices while also handling the complexity required of all passwords within your organization.
- Using certificates to prevent rogue devices or man-in-the-middle attacks: Almost all IoT devices support using certificates to prove their authenticity and enable encrypted communications, but are you using them? Deploying and maintaining certificates with a certificate manager designed for IoT systems can add a layer of protection from attack vectors like rogue devices or man-in-the-middle attacks that traditional IT systems have been protected from for many years. Now that automated solutions for certificate management exist for IoT/OT/CPS, there is no reason not to use them.
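
The remediation and firmware items above combine into one decision per device: is it exposed, has the manufacturer shipped a fix, and does the managing application accept that firmware. The sketch below is an added example, not code from Viakoo or any product; the device models, versions, advisory ids and lookup tables are constructed, hypothetical sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    firmware: str
    app: str          # application that manages the device
    app_version: str

def ver(s):
    """Parse a dotted numeric version so 2.10.0 sorts above 2.9.0."""
    return tuple(int(p) for p in s.split("."))

# Constructed sample data (hypothetical models, versions and advisory ids).
ADVISORIES = {"cam-x100": [("ADV-0001", "2.4.0"), ("ADV-0002", "2.5.0")],
              "door-ctl": [("ADV-0003", "1.2.0")]}      # (id, fixed-in version)
VENDOR_RELEASES = {"cam-x100": ["2.3.9", "2.4.3", "2.5.1"],
                   "door-ctl": ["1.1.0"]}
# Highest firmware each application release accepts, per device model.
APP_MAX_FIRMWARE = {("vms", "7.1"): {"cam-x100": "2.4.3"},
                    ("vms", "8.0"): {"cam-x100": "2.5.1"},
                    ("acs", "3.2"): {"door-ctl": "1.3.0"}}

def plan_update(dev):
    """Return (action, target_firmware, advisories_still_open_afterwards)."""
    current = ver(dev.firmware)
    open_adv = [(a, ver(f)) for a, f in ADVISORIES.get(dev.model, [])
                if current < ver(f)]
    if not open_adv:
        return ("none", None, [])
    ids = [a for a, _ in open_adv]
    # Vendor releases newer than what is installed that close at least one advisory.
    fixing = [r for r in VENDOR_RELEASES.get(dev.model, [])
              if ver(r) > current and any(ver(r) >= f for _, f in open_adv)]
    if not fixing:
        return ("await-vendor-patch", None, ids)
    limit = APP_MAX_FIRMWARE.get((dev.app, dev.app_version), {}).get(dev.model)
    # Unknown compatibility counts as incompatible: never flash blind.
    allowed = [r for r in fixing if limit and ver(r) <= ver(limit)]
    if not allowed:
        return ("hold-upgrade-application-first", max(fixing, key=ver), ids)
    target = max(allowed, key=ver)
    remaining = [a for a, f in open_adv if ver(target) < f]
    return ("update-partial" if remaining else "update", target, remaining)

if __name__ == "__main__":
    for d in (Device("cam-1", "cam-x100", "2.3.0", "vms", "7.1"),
              Device("cam-2", "cam-x100", "2.3.0", "vms", "8.0"),
              Device("door-1", "door-ctl", "1.0.0", "acs", "3.2")):
        print(d.device_id, plan_update(d))
```
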
Compared to previous Octobers and NCSAMs, there has never been a better time to shrink your IoT attack surface and dramatically reduce corporate risk. This past year there were several significant attacks on IoT systems and critical infrastructure that cost organizations billions of dollars (attacks against MGM’s IoT systems cost them over $150M as just one example). Want to take the next step? Sign up here for a call with one of Viakoo’s IoT security experts – we’re ready to discuss your unique situation and provide some insights on what other leading organizations are doing to take control of IoT security.