In our increasingly connected world, the proliferation of internet of things (IoT) devices, which include everything from fitness trackers and pacemakers to the control systems that deliver water and power, is reaching unprecedented levels. As of 2025, the global number of IoT-connected devices surpassed 20 billion, an increase of over 13% since 2024. That number is expected to rise beyond 22 billion by 2026, and a staggering 40 billion by 2030. More than the sheer number of connected devices themselves, though, this surge points to a larger trend about how the IoT is shaping our world while creating an increasingly complex cyber-physical landscape.
For CISOs and CPS decision-makers, this rapid expansion is a double-edged sword. While it creates limitless opportunities for increased connectivity and visibility into day-to-day operations, it also expands the organization’s attack surface. Not only is the convergence of operational technology (OT) and IT driving this shift, but what’s often referred to as the extended internet of things (XIoT) is dissolving traditional network perimeters. Consisting of OT, traditional IoT, industrial internet of things (IIoT), internet of medical things (IoMT), and building management systems (BMS), this XIoT emergence is creating new vulnerabilities that adversaries can exploit, leading to potential service disruptions, safety hazards, and significant financial losses.
IoT security can be defined as a cybersecurity strategy that protects IoT devices, and the networks they connect to, against cyber threats. Since many IoT devices have no built-in security measures, they are a favorite attack vector for threat actors, which makes the ongoing proliferation of such devices a growing challenge for enterprises to confront.
As the IoT continues to expand, IoT security measures are struggling to keep up. In February 2024, UnitedHealth Group suffered a massive cyberattack that led to the company paying a $22 million ransom to the group responsible. The fallout from this IoMT attack was arguably worse than that, however—it left doctors scrambling to fill prescriptions or get paid for services, and exposed healthcare data for millions of customers. The cause? A compromised HVAC vendor’s IoT device.
For cyber-physical systems (CPS), IoT security comes with its own unique challenges. Here’s a quick breakdown of them.
OT systems often rely on outdated legacy technologies that are not only incompatible with IoT devices but also easily exploited by attackers. Once an attacker gains access through such a vector, it is frequently easy for them to move laterally across the network and cause more severe damage to critical systems.
Additionally, cloud connectivity for IIoT devices has expanded the attack surface and introduced new risks. Each of these devices has firmware and software that must be updated and patched regularly to prevent known vulnerabilities from being exploited.
Companies can’t protect their data without securing every endpoint and IoT device. In the UnitedHealth example above, the company’s CEO admitted that attackers could access a company server that was not protected by multi-factor authentication (MFA). Organizations that lack such basic protections are leaving themselves significantly more vulnerable to attacks like this.
Many IoT devices don’t encrypt their communications, which makes it easy for attackers to intercept sensitive data. What’s more, some communication protocols are shipped with known vulnerabilities, often unbeknownst to the consumer. This makes the device a prime target for attacks.
Given these vulnerabilities, it’s imperative that enterprises have robust security measures in place for CPS and critical infrastructure. Doing this requires a strategic and proactive approach. Here are some key factors to take into consideration:
If you can’t see it, you can’t protect it. Having a thorough understanding of all connected devices across IT, OT, IoMT, and BMS networks is crucial to keeping them safe from attackers. In addition to a simple asset inventory, context is key. It’s important to gain an understanding of these devices’ functionality and communication protocols as well as their vulnerabilities.
Segment devices in IoT, OT, and IoMT into separate network zones to isolate them from the broader IT network. If one segment is compromised, this can prevent the attacker from moving laterally across the network and causing more severe damage.
As mentioned in the UnitedHealth example, it’s imperative that your organization implements strong access controls—starting with MFA. Beyond that, use least-privilege access controls to ensure that authorized users can reach only the systems required to do their jobs, and enforce policies that require default passwords to be changed on all IoT devices upon deployment.
Many IoT and OT devices have long lifespans, but often lack an easy way to implement patches or other security updates. For this reason, it’s important to leverage tools that automatically discover and prioritize exposures in these devices, taking into account the unique operational context of each.
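The four practices above (contextual inventory, zone segmentation, access controls, and exposure prioritization) can be expressed as checks over an asset inventory. The script below is an added example written for this article; it is not Claroty code and does not model the Claroty Platform. It builds a constructed inventory of XIoT devices with operational context, checks constructed flow-log lines against an assumed zone-segmentation policy to surface cross-zone (lateral-movement) traffic, and computes an exposure score that flags default credentials, unencrypted protocols, remote access without MFA, and stale firmware. Zone names, field names, the flow-log format, and the scoring weights are all assumptions.

```python
"""Added example (not from the original post, not Claroty code): inventory-driven
segmentation and exposure checks over constructed XIoT data."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    zone: str                  # assumed zone names: "IT", "OT", "IoMT", "BMS"
    protocols: tuple           # application protocols the device speaks
    encrypted: bool            # does the device encrypt its communications?
    default_credentials: bool  # still using the vendor default password?
    mfa_enforced: bool         # is remote/admin access behind MFA?
    firmware_date: date        # release date of the firmware currently installed


# Constructed inventory; none of these are real devices or addresses.
INVENTORY = (
    Device("hvac-controller-1", "10.20.0.5", "BMS", ("BACnet",), False, True, False, date(2021, 6, 1)),
    Device("infusion-pump-7", "10.30.0.12", "IoMT", ("HL7",), False, False, False, date(2024, 9, 15)),
    Device("plc-line-a", "10.40.0.3", "OT", ("Modbus",), False, False, False, date(2019, 2, 20)),
    Device("eng-workstation", "10.10.0.40", "IT", ("HTTPS", "RDP"), True, False, True, date(2025, 1, 10)),
    Device("vendor-jumpbox", "10.10.0.41", "IT", ("RDP",), True, False, False, date(2025, 1, 10)),
)
BY_IP = {d.ip: d for d in INVENTORY}
REPORT_DATE = date(2025, 6, 1)  # constructed "today" so results are reproducible

# Assumed segmentation policy: traffic inside a zone is permitted; traffic between
# zones is permitted only for the listed (source zone, destination zone) pairs.
ALLOWED_CROSS_ZONE = {("IT", "BMS")}

# Constructed flow-log lines in an assumed "src= dst= proto=" format.
FLOW_LOG = [
    "2025-06-01T08:00:01Z src=10.10.0.40 dst=10.20.0.5 proto=BACnet",   # IT -> BMS: permitted
    "2025-06-01T08:00:05Z src=10.10.0.41 dst=10.40.0.3 proto=Modbus",   # IT -> OT: violation
    "2025-06-01T08:00:09Z src=10.20.0.5 dst=10.30.0.12 proto=HL7",      # BMS -> IoMT: violation
    "2025-06-01T08:00:12Z src=10.10.0.41 dst=10.10.0.40 proto=RDP",     # IT -> IT: permitted
    "2025-06-01T08:00:20Z src=192.0.2.77 dst=10.40.0.3 proto=Modbus",   # source not in inventory
    "malformed line that the parser must skip",
]
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)")


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = FLOW_RE.search(line)
    return m.groupdict() if m else None


def segmentation_violations(lines):
    """Return human-readable findings for flows the zone policy does not permit.
    A flow involving an address that is not in the inventory is also reported,
    because 'if you can't see it, you can't protect it'."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst = BY_IP.get(flow["src"]), BY_IP.get(flow["dst"])
        if src is None or dst is None:
            findings.append(f"unknown asset in flow: {line.strip()}")
        elif src.zone != dst.zone and (src.zone, dst.zone) not in ALLOWED_CROSS_ZONE:
            findings.append(f"{src.name} ({src.zone}) -> {dst.name} ({dst.zone}) via {flow['proto']}")
    return findings


def exposure_score(device, today):
    """Weighted exposure score with the reasons behind it. The factors come from the
    article; the weights are assumptions chosen for illustration."""
    score, reasons = 0, []
    if device.default_credentials:
        score += 40
        reasons.append("default credentials still in use")
    if not device.encrypted:
        score += 20
        reasons.append("unencrypted protocols: " + ",".join(device.protocols))
    if "RDP" in device.protocols and not device.mfa_enforced:
        score += 30
        reasons.append("remote access without MFA")
    stale_days = (today - device.firmware_date).days
    if stale_days > 365:
        score += 10 * min(stale_days // 365, 3)  # capped so age does not dominate
        reasons.append(f"firmware {stale_days} days old")
    if device.zone in ("OT", "IoMT"):
        score += 10  # operational context: compromise here is a safety hazard
        reasons.append("safety-relevant zone")
    return score, reasons


def prioritize(today):
    """(name, score, reasons) for every device, most exposed first."""
    scored = [(d.name, *exposure_score(d, today)) for d in INVENTORY]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for finding in segmentation_violations(FLOW_LOG):
        print("SEGMENTATION:", finding)
    for name, score, reasons in prioritize(REPORT_DATE):
        print(f"{score:3d} {name}: {'; '.join(reasons) or 'no findings'}")
```

The segmentation check is the cheap half of the work: it only tells you that a jump box in the IT zone reached a PLC, not whether the policy itself is right. The scoring function is where operational context enters, which is why a device in a safety-relevant zone and an HVAC controller on default credentials both float to the top even though neither has a single dramatic finding.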
As organizations add new IoT devices to their asset inventory, they are also adding new risks to the business. This trend has drawn the attention of attackers looking for new vectors through which to gain access, intensifying an already dangerous threat landscape.
While implementing a robust IoT security plan is the best strategy to proactively defend against these threats, it’s even more important to have the right partner in your corner to help. Claroty has won Best in KLAS for the fifth year in a row for healthcare IoT security, and the Claroty Platform is purpose-built to handle the nuances of an IoT-heavy environment where others fall short.
Schedule your demo with one of our experts today, or explore the platform to learn more.