
Publication date: December 16, 2022

IoT and OT: The Good, The Bad, and The Frameworks

Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and board member, and treasurer at the CIO Council of South Florida.

With the flurry of excitement that comes with the introduction of Smart technology, it is easy to overlook all of the new cyber threat opportunities that it presents. Gone are the days of easily predictable points of entry and simple security measures. With the growing popularity of interconnected devices, it is imperative for companies to properly secure their IoT infrastructure to protect data both during transmission and once it is in the cloud.

What is IoT?

The Internet of Things (IoT) is a network made up of objects and devices embedded with technology, like sensors and software, which collect and exchange data over the internet. This can range anywhere from simple everyday household “things” like light bulbs, to more complex devices like smart cars. The data collected by these devices can be used both to monitor and control them, and to track and manage the information collected. IoT devices use a variety of networks to connect to the internet, such as Wi-Fi, cellular, Bluetooth, and Zigbee (a high-level smart home protocol). This has allowed for seamless and streamlined communication between the digital and physical worlds.

What is OT?

Operational Technology (OT) is a subset of IoT and pertains to devices used in industrial environments. Unlike IT, which is used to manage data, OT hardware and software are used to identify, monitor, and control physical devices, processes, and events within an organization. OT helps manage facilities, infrastructure, and assets, and improves the operations of industrial and manufacturing systems through automation and detailed monitoring.

Security Pitfalls

There are many oversights that can lead to a weak IoT/OT infrastructure, both within and outside of our control. A few notable causes are:

Lack of Visibility
Not all companies are equipped for proper asset discovery and configuration management. If IT is unable to put together a complete picture of the managed environment, it will not know where to look for gaps in security.

Too Much Data
These devices produce a significant amount of information, which can lead to difficulties with oversight and management.

Poor Testing
The lack of concern for security shown by some IoT developers has led to ineffective testing for weaknesses and vulnerabilities.

Failures in Account Management
An issue many companies struggle with to this day is the under-valuing of password security: keeping the manufacturer's default password, or creating one of convenience that is easily cracked.

Lack of Collaboration
As OT and IT are often completely separate operational departments, security oversights are common. This can lead to increased operating costs, duplicated effort, unnecessary difficulties, and exposed flaws that cyber attackers can exploit.

High-Level Security Frameworks

ETSI EN 303 645 – A Globally Acceptable Standard

The European Telecommunications Standards Institute (ETSI) specifies 65 security provisions for consumer IoT devices that are connected to a network. These provisions are directed toward organizations involved in the production of consumer IoT devices, with the goal of providing an all-encompassing set of requirements. While this framework is less effective when applied to a finished product than during the manufacturing or development process, it contains a complete and usable set of provisions and supports most other frameworks.

IoT Security Compliance Framework

The IoT Security Foundation released the IoT Security Compliance Framework, which comprises a set of 233 requirements.

Depending on the potential impact of a compromised device, these mandatory or advisory requirements apply to particular device classes. A device whose breach would cause only a minor inconvenience would be Class 0 and would require fewer security provisions. Alternatively, a device that handles sensitive information and data would be Class 3 and would be subject to most, if not all, requirements. As many devices handle sensitive data in some form, the security requirements this framework imposes are considered quite strict.

OWASP IoT Security Verification Standard (ISVS)

The OWASP Internet of Things Security Verification Standard (ISVS) provides security requirements for Internet of Things (IoT) applications. This standard is growing in popularity for the verification of security controls for web applications and web services. You can learn more about OWASP at https://owasp.org/www-project-iot-security-verification-standard/.
