IoT security, beer, and cheese collided in recent months as cyberattacks stopped production at Molson Coors, North America’s largest beer maker, and caused the Netherlands’ largest retailer to run out of cheese.

“The interesting thing about those attacks is they’re exactly what I was warning my board and executives of about three and a half years ago,” Armis CISO Curtis Simpson said. “What’s happening is this intention to impact the most critical elements of your environment that are really delivered or supported through non-traditional technology.”

In North America, one of these critical elements is beer. And in the Netherlands, it’s cheese.

Armis, founded by Israeli army veterans six years ago, launched its agentless IoT security platform in 2017. In January 2020, venture capital firm Insight Partners bought the unicorn startup for $1.1 billion, marking the first cybersecurity acquisition of the year and the largest-ever enterprise IoT software purchase at the time.

Earlier this year, Armis released a new IT asset visibility and management tool, marking its first standalone product since the platform launch. The vendor claims the product can see almost five times more assets — this includes laptops, servers, clouds, virtual machines, and IoT devices — compared to standalone endpoint detection and response (EDR) and configuration and vulnerability management tools from Qualys, Tenable, CrowdStrike, and Carbon Black.

Simpson joined Armis in 2019, right after the company discovered 11 zero-day vulnerabilities, dubbed Urgent/11, in Wind River VxWorks, a real-time operating system used in more than 2 billion devices across industrial, medical, and enterprise environments.

Before coming to the IoT security firm, Simpson served as VP and Global CISO at global food and food services supplier Sysco, which is also an Armis customer. And back when he was the cybersecurity chief at Sysco, Simpson says he warned his board of directors about the types of attacks that played out at Molson Coors and the Netherlands’ Bakker Logistiek over the last two months.

IoT, OT Security Challenges

IT and operational technology (OT) environments used to be completely separate. However, that has changed over the past several years. Emerging technologies have enabled industrial machines and sensors to learn on the fly using artificial intelligence (AI) and machine learning. And sharing this data across IT and OT teams means that both can improve processes and workflows and make better, real-time business decisions.

“So what I talked about with my board and my executives was that, first and foremost, visibility is so important,” Simpson said. “And what I laid out for the board through pictorials: Not only have these networks become interconnected, but every single device flowing into every network is now connected.”

This includes everything from internet-connected vending machines and cameras to temperature sensors and forklifts, he said. “Those devices are now running alongside computers that everyone’s been attacking for years, and I have no visibility into operational technology.”

If an attacker breaches the IT environment, “I can recover our business,” Simpson told the Sysco board. “I can identify an attack, contain the attack, and recover the business in moments to hours. But with my limited visibility in the operational technology side of the house, where we deliver our most critical business services, I have no visibility. I can no longer provide you with those assurances. If the impact happens, we will be down for days. Period.”

For example, an attacker could disrupt the refrigeration systems’ temperatures while making the sensors display the expected temps, Simpson said. “And we need to remember, if I can compromise one facility, I can compromise at least 50 in the same geography,” he added. “If I do that intentionally, I can force Sysco to deliver tainted food to military bases, hospitals, schools, restaurants, and any type of facility or operation that serves food. That will decimate our reputation.”

In addition to reputational damage, there are other expenses including food loss and hiring consultants and an incident response team to determine what happened and how to avoid similar disruptions in the future. “Assume loss of business, due to the highly competitive market, etc. It’s a very slippery slope very quickly,” Simpson said. “We warned of it three years ago, and it’s happening at scale today.”

IoT Connections Will Triple by 2026

There are 8.6 billion IoT connections today, and that number will nearly triple, to 23.6 billion, by 2026, according to ABI Research. While this will usher in new opportunities in connectivity and productivity, it also brings a slew of new security threats. Because of this, ABI Research forecasts that total IoT security revenue will reach $16.8 billion by 2026.

There are a number of reasons for these security concerns. Some OT and IoT devices can’t be secured because of their age or limited processing power. With others, it costs too much to secure the device, compared to the cost of making the device, so manufacturers simply choose not to pay for security. Additionally, the IoT market itself remains fragmented, and this makes it difficult to set and enforce security standards.

While there is a regulatory push for IoT security, most of the mandates focus on devices used by federal agencies. This will affect enterprise IoT security, because the same manufacturers making devices for the government also make those used in the commercial and industrial sectors. “But it’s not gonna happen overnight,” Simpson said. “The challenge that we’re going to have, even as these regulations push forward, is just to make sure that we remain pragmatic. We’re not going to replace these devices overnight. OT devices, for example, were built to last for decades, and at their costs, we’re not going to see companies swap out devices.”

Instead, risk will gradually decline as these devices reach end of life and companies replace them with newer connected devices that meet new security standards, he explained.

Continuous Monitoring: Where the Magic Happens

“But in terms of how to actually think about this from a security program perspective, it really starts with visibility,” Simpson said. “And then the magic truly happens through continuous monitoring.”

Visibility isn’t just about what devices connect to the network, he added. “It’s what normal behavior looks like. We have to establish a foundational understanding of how those devices are being used, and how they support the business.”

In addition to continuously monitoring devices and managing risk from a behavioral standpoint, organizations must adopt a zero-trust network access strategy and “assume that these things will eventually do something I don’t want them to do,” Simpson said. “The unfortunate reality is that most OT devices are vulnerable because they’re old. Most IoT devices are vulnerable because they’re ineffectively patched, it’s too hard to patch them, or they can’t be patched.”

Plus, it’s difficult to find vulnerabilities in these devices until they are actively exploited by an attacker. “So I need to understand what it is that I want them to do, and then monitor for deviations and be able to respond when those deviations do occur. That’s how to build a program to successfully allow the business to function while also managing risk.”
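
The baseline-then-deviation approach described above can be sketched in a few lines. This is an added illustration, not code from Armis or from the interview: it learns each device's expected peers and typical flow size from a constructed baseline, then flags flows that depart from it. Device names, addresses, the record layout, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flows: (device, destination, dst_port, bytes)
BASELINE_FLOWS = [
    ("fridge-sensor-01", "10.0.5.10", 8883, 410),
    ("fridge-sensor-01", "10.0.5.10", 8883, 395),
    ("fridge-sensor-01", "10.0.5.10", 8883, 402),
    ("fridge-sensor-01", "10.0.5.10", 8883, 420),
    ("forklift-07", "10.0.6.20", 443, 1500),
    ("forklift-07", "10.0.6.20", 443, 1620),
    ("forklift-07", "10.0.6.20", 443, 1480),
]

def learn_baseline(flows):
    """Record, per device, the peers it talks to and its typical flow size."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for dev, dst, port, nbytes in flows:
        peers[dev].add((dst, port))
        sizes[dev].append(nbytes)
    return {dev: {"peers": peers[dev],
                  "mean": mean(sizes[dev]),
                  "std": pstdev(sizes[dev])} for dev in peers}

def deviations(baseline, flow, z_limit=4.0, min_std=25.0):
    """Return the reasons a flow departs from its device's baseline."""
    dev, dst, port, nbytes = flow
    profile = baseline.get(dev)
    if profile is None:
        # Zero trust: a device with no profile is never implicitly allowed.
        return ["unknown_device"]
    reasons = []
    if (dst, port) not in profile["peers"]:
        reasons.append("new_peer")
    std = max(profile["std"], min_std)  # floor so small jitter does not alert
    if abs(nbytes - profile["mean"]) / std > z_limit:
        reasons.append("volume")
    return reasons

def triage(baseline, flows):
    """Keep only the flows that deviate, paired with their reasons."""
    flagged = [(f, deviations(baseline, f)) for f in flows]
    return [(f, r) for f, r in flagged if r]
```

In practice the response step (quarantine, alert, ticket) would hang off the flagged list; the point here is that the allowlist of expected behavior comes first and everything else is treated as a deviation.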