Spotlight: Your IoT Risk Is Bigger Than You Think. (And What To Do About It.)

In this Spotlight edition of the podcast, we’re joined by Curtis Simpson, the Chief Information Security Officer at Armis. Curtis and I discuss the growing cyber risks posed by Internet of Things devices within enterprise networks. IoT and OT (operation technology) deployments are growing and pose challenges to organizations that are still focused on conventional IT systems and threats, and that struggle to detect such devices in their environments.

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google PodcastsStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to to get notified whenever a new podcast is posted. 

In the past decade, security threats posed by the “Internet of Things” have gone from a curious “what if” to an urgent problem affecting national security. Earlier this month, for example, CISA warned of ongoing cyber attacks targeting water and wastewater facilities. Those attacks are targeting both IT and OT – or operational technology – networks and systems including industrial control system (ICS) and SCADA systems, CISA said. (PDF)

But, in truth, IoT risk is something that affects organizations of all types – from critical infrastructure owners and operators down to small businesses. Network connected printers, door/badge and HVAC systems, CCTV installations – all are common fixtures of modern workplaces – from defense contractors to doctors’ offices.

Curtis Simpson is the Chief Information Security Officer at Armis.
Curtis Simpson is the Chief Information Security Officer at Armis.

Still, the vast majority of security technology available to these organizations to manage their cybersecurity was designed to fight the “last war”: securing mostly Windows laptops, desktops and servers, even as non-traditional endpoints proliferate – most running operating systems other than Windows has cropped up on corporate networks. Consider, for example, the so-called “Urgent11” software vulnerabilities that were discovered to impact real time operating systems including VxWorks, OSE, Integrity and ThreadX RTOSs that, collectively, run billions of connected devices.

Identifying these devices is critical if they are to be managed and secured. But what does that take? In this episode of the podcast we are joined by Curtis Simpson, the CISO at Armis, a cybersecurity firm that offers a knowledge base and tools for fingerprinting IoT devices and then monitoring and securing IT, IoT and OT systems. 

In this conversation, Curtis and I talk about the size and shape of the IoT device population in enterprises, how they pose a cyber risk and what is keeping organizations from securing them.  

As Curtis notes, “IoT” is a term that applies to cameras and network printers, but also to the software and hardware that support them. That includes the Cisco switches and routers that were affected by Urgent11 or “CDPwn,” a flaw in the proprietary CDP protocol that Armis researchers disclosed in 2019. But without the ability to “see” and manage those non-traditional devices, organizations have their hands tied.

“If you start to realize that these physical security cameras, these backplane Internet or LAN devices, these printers running alongside critical assets are ultimately part of the attack path to compromise this device? That’s when you can start intentionally and intelligently applying controls,” Simpson said.

Check out our full conversation above, or click on the button below to download the MP3.

(*) Disclosure: This post was sponsored by Armis. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.