Comprehending Risks in IoT and Industrial Control Systems

Understanding Cyber Risk Intelligence in the Age of IoT and ICS/OT Devices

In today’s interconnected landscape, security cannot remain confined to the digital realm. Cyber risk intelligence now extends into the physical world, particularly with the proliferation of Internet of Things (IoT) devices and industrial control systems (ICS) and operational technology (OT). These technologies have become integral to modern infrastructure, influencing everything from energy management to home security. However, they also present a significant increase in cyber vulnerabilities that organizations must navigate.

The Rising Tide of IoT and ICS/OT Devices

Research for the 2025 State of Cyber Risk and Exposure report revealed that IoT and ICS/OT devices are not just prevalent; they are ubiquitous. The findings from a survey of 1,000 cybersecurity and risk leaders highlight:

• 85% of firms employ IoT devices in their operations.
• 79% of IoT devices are at least partially exposed to the internet.
• 78% of ICS/OT devices are similarly exposed.
• 69% of organizations utilize ICS/OT technologies.

These figures underscore a crucial trend: the digital and physical realms are increasingly interconnected, broadening the enterprise attack surface.

Disparities Between Perception and Reality

Despite the alarming statistics surrounding device usage, they don’t always reflect the actual security landscape. Many organizations exhibit a growing awareness of the risks posed by IoT and ICS/OT devices. However, the discrepancy between perceived risk and reality suggests that executive teams may still lack a comprehensive understanding of potential vulnerabilities within their environments.

A significant observation from the data is that some respondents’ estimates of ICS/OT exposure exceed what has been documented in the field. Initially, this may appear to reflect responsible risk management, but it may indicate a lack of visibility into real-time threats. Furthermore, confusion about what constitutes “internet exposure” could contribute to this phenomenon.

Peeling Back the Layers of IoT Risk

While many executives comprehend the fundamental advantages of IoT—such as operational efficiency and data gathering—it’s vital to acknowledge the associated risks. Each connected device serves not only as a gateway to valuable data but also as a potential entry point for cyber intrusions.

Take, for example, seemingly innocuous devices like smart fridges. If these devices run outdated software or lack proper network segmentation, they can create vulnerabilities that attackers can exploit, possibly gaining access to critical systems. The typical IP camera exemplifies how widespread these behaviors are. Recent studies indicate there are over 40,000 exposed cameras accessible online, with zero protections in place to prevent unauthorized access.

The Issue of Exposed Devices

The vulnerability of these devices cannot be overstated. João Cruz, a principal security research scientist at Bitsight TRACE, pointed out that accessing these cameras typically requires no specialized skills—often just a web browser suffices. The fact that so many cameras are exposed creates an alarming reality; if access isn’t tightly controlled, sensitive data and critical infrastructure can become major targets for cybercriminals.

Moreover, it has come to light that such devices are being commodified on illicit markets. Cybercriminals know where to find these exposed cameras, and they exploit them to gather intelligence or exfiltrate sensitive information from locations such as ATMs or data centers.

The Intersection of Cyber Threat Intelligence and Vulnerabilities

The research conducted by Bitsight TRACE not only shines a spotlight on the alarming number of vulnerable IoT devices but also integrates seamlessly with broader cyber threat intelligence efforts. For instance, the findings suggest that threat actors actively monitor and exploit these weak points, utilizing networks of compromised devices to execute more sophisticated attacks.

Consolidating data from various sources—including industry insights and vulnerability analysis—supports the notion that awareness of these risks is crucial. While the figures around device exposure may be unsettling, it’s promising to see organizations starting to acknowledge these vulnerabilities, hopefully motivating them to implement stronger defenses.

Final Thoughts on Navigating Cyber-Physical Risks

The rapid proliferation of IoT and ICS/OT devices invites both innovation and security challenges. As organizations continue to adopt these technologies to improve efficiency and data utilization, they must also enhance their cybersecurity postures. Understanding the dual nature of these devices—bringing both opportunity and risk—is essential for navigating the complex landscape of cyber-physical threats.

In summary, the insights gleaned from the 2025 State of Cyber Risk and Exposure report highlight a landscape where proactive awareness and strategic risk management are paramount. As the lines between digital and physical continue to blur, staying informed about emerging threats in this domain becomes increasingly critical.