Frustrations Shared By The Cyber Security Community
The FIVE Major Concerns Are:
1. IoT Assets Are Incomplete or Invisible
2. Devices Are Insecure and Hard to Patch
3. IoT Network Segmentation Is Inconsistent
4. IT and OT Ownership Is Unclear
5. Legacy IoT Devices Lack Lifecycle Control
1. IoT Assets Are Incomplete or Invisible
If you ask most security teams how many IoT or OT devices they have, the honest answer is usually “we’re not entirely sure.”
Devices appear through facilities upgrades, manufacturing expansions, smart building projects, and vendor installations—often without security being notified.
Many don’t support traditional agents or management tools, making discovery difficult.
These blind spots are dangerous. You can’t assess risk, apply controls, or monitor behavior if devices aren’t even visible. For attackers, invisible assets are low-hanging fruit; for defenders, they’re a constant source of unease.
2. Devices Are Insecure and Hard to Patch
A painful reality of IoT security is that many devices were never designed with long-term security in mind. Hardcoded credentials, outdated libraries, and minimal authentication are common.
When vulnerabilities are discovered, patching is often impractical or outright impossible.
Firmware updates may require downtime, physical access, or vendor involvement.
In some cases, patches simply don’t exist. Security teams are left compensating with network controls and monitoring, knowing the underlying weaknesses remain. It’s a frustrating position—responsible for risk you didn’t create and can’t fully fix.
3. IoT Network Segmentation Is Inconsistent
Segmentation is the go-to recommendation for IoT risk, but implementing it well is far from simple. IoT environments often span flat networks, legacy protocols, and operational constraints that don’t tolerate change.
Segmentation rules vary by site, vendor, and device type, leading to inconsistent enforcement. Over time, exceptions pile up and documentation drifts.
What started as a clean design becomes a tangled web of special cases.
When incidents occur, teams struggle to understand what should have been isolated—and what actually was.
4. IT and OT Ownership Is Unclear
IoT security lives in the cracks between teams. IT manages networks, OT manages operations, and facilities manage the physical environment—but no one clearly owns end-to-end security.
When an issue arises, responsibility is unclear.
Decisions stall as teams debate scope and authority. During incidents, this confusion costs precious time. Without defined ownership and escalation paths, even well-understood risks linger unresolved.
Clarity of responsibility is often the missing control in otherwise capable organizations.
5. Legacy IoT Devices Lack Lifecycle Control
Unlike laptops or servers, IoT devices are rarely refreshed on predictable cycles. They’re installed to last for years—sometimes decades.
As a result, outdated, unsupported devices remain in production long after vendors stop maintaining them. Security teams inherit growing risk with no realistic replacement plan. Lifecycle management becomes theoretical rather than actionable. Each year adds more technical and security debt, quietly increasing exposure until an incident forces attention.
A Question Back to the Community
These frustrations signal a pivotal expansion of the IoT attack surface. While traditional IoT security principles around device hardening and network segmentation remain crucial, they are fundamentally challenged by the integration of AI—both in defending these systems and in the novel threats that target AI-driven IoT functionalities.
The gap between the rapid proliferation of smart, AI-enabled devices and the maturity of security frameworks capable of protecting them is widening.
Practitioners confront this daily through vulnerable edge AI models, manipulated sensor data, and AI-powered botnets targeting IoT infrastructure.
So the critical question is this: do these AI-specific IoT security challenges reflect your operational reality?
Are these the key vulnerabilities—or should the community prioritize other emerging threats, such as adversarial attacks on perception systems (e.g., autonomous vehicles, cameras), securing AI model updates over-the-air (OTA), or defending against AI-coordinated swarms of compromised devices?
As AI becomes the "brain" within IoT ecosystems, securing these systems is no longer just about device management. These conversations will determine whether our smart environments remain safe and resilient or become the physical frontier for sophisticated, AI-driven cyber-physical attacks.
In Summary
IoT security frustrations stem from visibility gaps, insecure designs, operational complexity, and unclear ownership. Invisible assets, unpatchable devices, inconsistent segmentation, and long-lived legacy systems all compound risk.
When responsibility is fragmented across teams, progress slows further. Addressing these challenges requires better discovery, clearer accountability, and security strategies designed for environments that change slowly—but remain exposed every day.