Commercial off-the-shelf IoT system solutions: A risk assessment

By Howard Poston
March 11, 2021

The rise of the Internet of Things (IoT)

The Internet of Things (IoT) is growing rapidly. IoT devices provide convenience and can be a more efficient and cost-effective solution to a variety of different challenges.

IoT solutions are commonly deployed for business purposes, including both solutions designed specifically for business use and standard consumer devices. This means that internet-connected coffee makers and voice assistants may be connected to company networks, and corporate security cameras may have their video feeds accessible directly via the internet.

This growth in the use of IoT devices also introduces security risks to an organization. IoT devices have notoriously poor security and are commonly used as an entry point into an organization’s network or as a tool for performing automated attacks.

What are COTS IIoT solutions?

The use of IoT devices for business is not limited to office environments. IoT devices have a variety of industrial applications as well. These Industrial IoT (IIoT) solutions can be used to remotely monitor and manage the operation of systems on factory floors, railways and other industrial applications.

The potential of IIoT solutions has led to the growing use of commercial off-the-shelf (COTS) IIoT solutions in certain industries. These solutions are available in the public marketplace and are designed to fulfill a certain purpose. In some cases, these purposes align with the needs of industrial companies, enabling them to replace specialized components and systems with these more general use — and likely less expensive — alternatives.

The security risks of COTS IIoT

The shift from specialized solutions to COTS IIoT provides certain benefits to an organization. However, these solutions also have downsides.

The Cyber Division of the Federal Bureau of Investigation (FBI) issued a notice in November 2020, outlining some of the cybersecurity risks of COTS IIoT solutions for the rail industry. The risks highlighted in the notice included:

  • Solution integration: COTS IIoT systems are commonly integrated with many other components of a system. This means that vulnerabilities and risks associated with the COTS solution can impact the security of other components as well.
  • Remote accessibility: COTS IIoT systems commonly include remote access functionality to support management, updates, etc. These remote access systems — if compromised by an attacker — can be leveraged to breach sensitive data or impact the operations of the system.
  • Widespread deployment and usage: Unlike specialized components, COTS IIoT solutions are often applicable to and adopted by a number of different companies and industries. This means that an attack developed to target a particular industry may be widely applicable, allowing multiple victims to be targeted in a single attack campaign.
  • Exposure of critical systems: Internet-connected IIoT systems may be on the same network as or connected to critical systems. This means that vulnerabilities within the COTS IIoT systems could be an attack vector for attackers to target critical systems.

While this risk analysis was focused on the rail industry, the FBI’s warnings are generally applicable to any organization using COTS IIoT solutions (or IoT solutions in general). The often poor security of these devices is especially concerning considering the high levels of trust and permissions that they are commonly granted.

The FBI’s notice referenced a report exploring the potential repercussions of exploitation of IIoT systems in railway systems: “The most common scenarios identified included loss of train operation monitoring, malfunction or takeover of the signaling systems, and malfunction of wayside devices (such as switch controllers) due to cyber attacks. These scenarios could lead to unexpected train stops, delays, or disruption of service. In addition, if the rail fail-safe mechanisms were tampered with, these attacks could lead to train derailment, collision, or loss of life.”

Addressing the security risks of COTS IIoT

In addition to outlining some of the leading cybersecurity risks of COTS IIoT solutions, the FBI provided a number of suggested mitigation steps. These included:

  • Ensure that all IIoT solutions have integrated security functionality
  • Assess COTS systems for security issues before installation and at regular intervals afterwards
  • Apply patches and other updates to IIoT systems when available
  • Improve authentication security through the use of strong passwords and multi-factor authentication (MFA)
  • Monitor employees and users for unusual activity and terminate accounts linked with suspicious behavior
  • Use segmentation to isolate critical systems from potentially vulnerable ones
  • Implement policies and procedures for acquisitions to ensure vendor cybersecurity and data security

Managing the risk of COTS IoT systems

IoT devices are an often-overlooked source of cybersecurity risks to organizations. This is especially true as the growth of telework means that corporate systems may be connected to the same networks as personally-owned IoT devices and sensitive company data may be visible or audible to employees’ internet-connected cameras and voice assistants.

IoT devices provide a number of different benefits in both personal and professional contexts. However, the cybersecurity risks that they pose must also be considered as part of corporate risk assessments and appropriately managed via policies and security controls.

Sources

Addressing Risks Associated with Rail Industrial Internet of Things and Commercial Off-the-Shelf System Solutions, FBI
Securing the Railroads from Cyberattacks, Mass Transit
With everyone working from home, who’s minding the security?, IoT Agenda

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences.