Why Unmanaged IoT Devices Create Hidden Security Gaps
Why did the seven-month dwell time inside that hospital surprise nobody on my team?
A smart HVAC controller in a third-floor conference room sat on a US healthcare network for seven months. IT security had never inventoried it. The SOC had never seen its traffic. Within 72 hours of initial compromise, the attacker had pivoted to corporate systems and reached patient records. The final bill, as compiled in public breach reporting, lands at $12.4 million.
I read incidents like this several times a month now, and the device on the loading dock keeps changing – HVAC, IP camera, conference-room TV, infusion pump, building automation gateway. The pattern does not. My team stopped being surprised by the dwell time a long time ago. We are surprised that anyone else still is.
The Hidden Half of Your Network
The most useful number I have seen in 2026 comes from Palo Alto Networks' Device Security Threat Report, which examined over 27 million connected devices across 1,803 enterprise customers (a sample size that is hard to argue with). 32.5% of enterprise network devices operate outside IT control. Roughly one in three.
The same dataset shows the average enterprise hosting around 35,000 devices spanning 80 different types (cameras, controllers, sensors, printers, badge readers, smart appliances, the long tail of building automation). And 77.74% of those networks exhibit poor segmentation, defined as subnets where neither IT equipment nor IoT comprises more than 55% of the connected assets. Vulnerable devices and high-value targets share the same broadcast domain.
Rule of thumb: if you have not run a passive discovery sweep in the last twelve months, your inventory is wrong, and the direction of the error is always the same.
Shadow IoT Is an Architecture Problem, Not a Discipline Problem
So why does this keep happening, year after year, with the same kinds of devices?
The temptation in any security article is to blame employees for plugging things in. In my humble opinion, that frame is comfortable and wrong.
Unmanaged devices accumulate for structural reasons:
- No installable agent. IoT and OT devices ship with closed firmware. The conventional EDR/XDR stack assumes you can install an agent. IoT breaks that assumption on contact.
- Procurement bypass. HVAC controllers, cameras, badge readers, line-of-business sensors get bought by facilities, operations, or plant engineering. The device is on the network before IT learns the model number.
- Speed. A boardroom needs a smart TV by Friday. The IT approval process takes three weeks. The smart TV wins.
- M&A leftovers. Acquired subsidiaries arrive with inventories that nobody reconciles.
- Lifecycle drift. Devices outlive the people who installed them, the projects that justified them, and the documentation that named them.
Shadow IoT is not a discipline problem. It is an architecture problem.
What Attackers Do With the Devices You Cannot See
What does the chain look like when an adversary discovers your invisible HVAC controller?
The threat is not abstract. Nozomi Networks' July 2025 telemetry from operational technology environments shows 7.36% of detected attacks use brute force and 5.27% directly exploit default credentials for lateral movement. Reported daily IoT attack volume reached around 820,000 events in 2025 across Nozomi-monitored sensors, a 46% year-over-year jump.
The chain is depressingly consistent:
- Attacker scans for exposed devices – the IP camera with default creds, the router with an unpatched CVE.
- Initial foothold. Device behaves normally at the network level.
- Reconnaissance from the device's network position, which usually sits on a flat or weakly segmented subnet.
- Lateral movement. 48.2% of IoT-to-IT system connections originate from high-risk IoT devices, according to Palo Alto. Half the traffic crossing the boundary is already coming from the part of your network you trust least.
- Pivot to a target of value – data exfiltration, ransomware staging, OT disruption.
Recap: the device is the door, the flat subnet is the hallway, the missing EDR coverage on managed assets is the unlocked office.
Industry breach-data summaries for 2024–2025 show edge and VPN device exploitation rising from 3% to 22% of vulnerability-driven breaches year over year, roughly a sevenfold increase. Edge and IoT have quietly overtaken phishing as the fastest-growing initial-access category.
Three Cases That Tell the Whole Story
The healthcare HVAC compromise from December 2024 is one. Two more worth carrying around in your head:
Raptor Train (disclosed September 2024). A suspected state actor known as Flax Typhoon operated a 200,000-device botnet of consumer-grade routers, IP cameras, and NAS appliances for roughly four years undetected. The malware was a custom Mirai variant. The persistence mechanism was depressingly simple – default credentials and known CVEs that nobody patches on a consumer router. Mandiant's M-Trends 2025 puts the global median dwell time at 11 days. Raptor Train ran for roughly 1,460.
BadBox 2.0 (initial disclosure March 2025, Google lawsuit July 2025). Human Security's Satori team, in collaboration with Google, Trend Micro, and the Shadowserver Foundation, disclosed that more than 10 million consumer and SMB IoT devices – smart TVs, digital projectors, picture frames, in-car infotainment, mostly off-brand Android Open Source Project hardware – arrived from suppliers with malware already installed. The devices retrieved command-and-control instructions on first boot. Post-deployment visibility cannot save you when the device shipped pre-compromised.
These are joint disclosures with technical write-ups and named responsible disclosers, not vendor anecdotes. On a sizable enterprise network, the unmanaged-IoT incident is a question of when, and the device involved stays unknown until it surfaces in an IR report.
Full disclosure: this is what my team and I have been building at Iotellect for years. Iotellect's platform for secure IoT deployments is the device-management and connectivity layer that turns asset inventory into operational policy – not a spreadsheet that ages on a shared drive.
The Honest Trap: Visibility Alone Buys You Almost Nothing
I want to be direct here because the asset-discovery vendor pitch has gotten loud, and a guest article from someone in this market needs to earn the reader's trust before it asks for action.
Visibility on its own is necessary. It is also overrated.
Two pieces of evidence sit on my desk every time I write about this:
First, Palo Alto's 2025 report found that nearly 39% of company-owned IT devices registered in Active Directory lack active EDR or XDR protection. These are devices you already know about, that you already own, that you already manage – and four in ten are unprotected. The shadow IoT problem is real. The lit-half-of-your-inventory problem is also real, and arguably larger.
Second, practitioners who run OT security programs report the same failure mode after year one of any discovery rollout: alert fatigue. Signature-based detections without industrial context – asset role, allowed peers, change windows, conduit policy – fire constantly. The SOC drowns. The meaningful alerts get buried in the noise. (I have spoken with several CISOs running these programs, and the year-two budget cut is so predictable you can almost forecast the quarter.)
Visibility is the most important thing you can do for IoT security. It is also the most overrated thing you can buy for it.
The Value Chain Has a Fixed Order
If discovery alone is overrated, what is the actual ROI sequence?
The reason discovery programs stall is not that discovery is wrong. It is that discovery sits at position one in a five-step chain, and skipping any of the next four destroys the ROI of the first.
The order is:
- Discover – agentless, passive plus active. SNMP, WMI, protocol fingerprinting, NetFlow, SPAN port listening. You cannot defend what you cannot see.
- Classify by identity – function, owner, criticality, allowed peers. A camera is not a PLC. A medical infusion pump is not a printer. Treat them differently.
- Segment at the network edge – switches, access points, no endpoint agent required. The device does not need to know policy is being enforced. The network handles it.
- Context-aware detection – signatures tuned to asset role, conduit, change window. Quiet detections, not noisy ones.
- Rehearsed response – runbooks, IR drills, AI-assisted triage. A good alert nobody actions is no better than no alert at all.
If you skip step 3 before deploying step 4, you bought alert fatigue. If you skip step 2, your policy is unmaintainable. If you skip step 5, even good detection sits unactioned.
The architectural analogy I keep coming back to: visibility is the door, segmentation is the hallway lock, identity is the keycard, detection is the camera, response is the guard. Buy them out of order and you have hardware, not security.
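To make steps 2 and 4 concrete, here is an added example in Python. It is not code from the original article or from any vendor named in it. It classifies passively observed devices into identity profiles (function, owner, criticality, allowed peers, change window) and then evaluates flow records against the profile of the source device, so that only a flow outside the allowed peer set and outside a declared change window becomes an alert. The profiles, the OUI prefixes, the protocol hints, the device table and the flow records are all constructed sample data; the OUI prefixes are not real vendor assignments.

```python
"""Identity-profile classification plus context-aware detection.
Added example; all tables and records below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Profile:
    function: str
    owner: str
    criticality: str               # drives alert severity
    allowed_peers: tuple           # ((cidr, port), ...) the device may initiate to
    change_window: tuple | None    # (start, end) time of day during which drift is expected


# Step 2 output: one profile per device class (constructed).
PROFILES = {
    "ip-camera": Profile("video surveillance", "facilities", "medium",
                         (("10.20.0.0/24", 554), ("10.20.0.0/24", 443)), None),
    "plc": Profile("process control", "ot-engineering", "high",
                   (("10.30.0.0/24", 502), ("10.30.0.5/32", 123)),
                   (time(2, 0), time(4, 0))),
    "printer": Profile("print services", "it", "low",
                       (("10.10.0.0/16", 631), ("10.10.0.0/16", 53)), None),
}

# Passive fingerprint hints (constructed; prefixes are not real OUI assignments).
OUI_HINTS = {"00:11:22": "ip-camera", "00:33:44": "plc"}
PROTO_HINTS = {"rtsp": "ip-camera", "modbus": "plc", "ipp": "printer"}


def classify(mac: str, protocols: set[str]) -> str | None:
    """OUI first, then the protocols the device was seen speaking on the SPAN port."""
    cls = OUI_HINTS.get(mac.lower()[:8])
    if cls:
        return cls
    for proto, candidate in PROTO_HINTS.items():
        if proto in protocols:
            return candidate
    return None   # unknown: belongs in the inventory delta, not in a policy


def in_window(window: tuple | None, ts: datetime) -> bool:
    if window is None:
        return False
    start, end = window
    return start <= ts.time() < end


def evaluate(devices: dict, flows: list) -> list:
    """Return (disposition, detail) per flow. Only 'alert' is meant to page anyone."""
    out = []
    for src, dst, port, ts in flows:
        cls = devices.get(src)
        if cls is None:
            out.append(("inventory-gap", f"{src} not classified; no policy to apply"))
            continue
        prof = PROFILES[cls]
        allowed = any(ip_address(dst) in ip_network(net) and port == p
                      for net, p in prof.allowed_peers)
        if allowed:
            out.append(("ok", f"{src} ({cls}) -> {dst}:{port}"))
        elif in_window(prof.change_window, ts):
            out.append(("suppressed", f"{src} ({cls}) -> {dst}:{port} inside change window"))
        else:
            sev = {"high": "P1", "medium": "P2", "low": "P3"}[prof.criticality]
            out.append(("alert", f"{sev} {cls} owned by {prof.owner}: "
                                 f"{src} -> {dst}:{port} outside allowed peers"))
    return out


def classify_all(devices: dict) -> dict:
    """ip -> class for every device the fingerprint could place."""
    return {ip: cls for ip, (mac, protos) in devices.items()
            if (cls := classify(mac, protos)) is not None}


SAMPLE_DEVICES = {   # constructed: ip -> (mac, protocols observed passively)
    "10.20.0.11": ("00:11:22:aa:bb:cc", {"rtsp"}),
    "10.30.0.21": ("00:33:44:dd:ee:ff", {"modbus"}),
    "10.10.5.31": ("08:00:27:12:34:56", {"ipp"}),
    "10.10.5.99": ("08:00:27:99:99:99", {"http"}),    # nothing matches: unclassified
}
SAMPLE_FLOWS = [     # constructed: (src, dst, dst_port, timestamp)
    ("10.20.0.11", "10.20.0.2", 554, datetime(2026, 5, 4, 10, 0)),    # camera -> NVR
    ("10.20.0.11", "10.10.5.31", 445, datetime(2026, 5, 4, 10, 1)),   # camera -> SMB on IT subnet
    ("10.30.0.21", "10.30.0.5", 123, datetime(2026, 5, 4, 10, 2)),    # plc -> NTP
    ("10.30.0.21", "10.1.0.40", 445, datetime(2026, 5, 4, 2, 30)),    # plc -> IT, in change window
    ("10.30.0.21", "10.1.0.40", 445, datetime(2026, 5, 4, 14, 30)),   # same flow at 14:30
    ("10.10.5.99", "10.1.0.40", 445, datetime(2026, 5, 4, 14, 31)),   # unclassified source
]


def run_sample() -> list:
    return evaluate(classify_all(SAMPLE_DEVICES), SAMPLE_FLOWS)


if __name__ == "__main__":
    for disposition, detail in run_sample():
        print(f"{disposition:14} {detail}")
```

The disposition column is the point: traffic inside an allowed peer set is silent, the same traffic during a declared change window is recorded but suppressed, and a source with no profile goes back to the inventory process rather than to the SOC, because there is no policy to judge it against yet. The flow that pages someone is the PLC reaching an IT host at 14:30, and the severity comes from the profile's criticality, not from the signature.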
What to Do This Quarter
Field notes from the CISOs and architects I have walked through this transition. If you are picking a starting point for the next ninety days, here is the list I keep coming back to:
- Run a passive discovery sweep on one production VLAN. Compare the result to whatever inventory IT and AD already hold. The delta is your starting number. Measure it. Report it.
- Pick the top three highest-risk device classes by exposure. For most enterprises this is some combination of cameras, building automation, and medical or OT devices. Define an identity profile for each – function, allowed peers, change window.
- Microsegment those three classes at the switch layer before adding any new detection content. Switch-VLAN plus ACLs gets you started on infrastructure you already own. Identity-based microsegmentation at the edge is the maturity step.
- Bring procurement, facilities, OT engineering, and InfoSec to a shared inventory standard. A spreadsheet works. The point is that one organization owns each device class with a documented policy, not that you have a perfect tool.
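An added example of the first three items above, in Python, not code from the original article or from any product it names: it diffs a passive sweep against the AD inventory to produce the starting number, scores each subnet with the poor-segmentation definition quoted earlier (neither IT nor IoT above 55% of the assets), and emits a first-pass extended ACL for each unmanaged IoT host. Both inventories, the class table and the allowed-peer policy are constructed; the ACL syntax is Cisco-style and illustrative.

```python
"""Inventory delta, subnet-mix score, and first-pass ACLs from one sweep.
Added example; the inventories and policy are constructed sample data."""
from __future__ import annotations
from collections import Counter
from ipaddress import ip_network

MIX_THRESHOLD = 0.55   # the 55% figure from the Palo Alto definition cited in the article

IT_CLASSES = {"workstation", "laptop", "server"}
IOT_CLASSES = {"ip-camera", "printer", "hvac", "badge-reader", "plc"}

AD_INVENTORY = {   # constructed: what AD already knows, ip -> class
    "10.10.5.10": "workstation", "10.10.5.11": "workstation",
    "10.10.5.12": "server", "10.10.5.13": "laptop",
    "10.20.0.2": "server",
}
SWEEP = {          # constructed: passive sweep on the same VLANs, ip -> fingerprinted class
    "10.10.5.10": "workstation", "10.10.5.11": "workstation",
    "10.10.5.12": "server", "10.10.5.13": "laptop",
    "10.10.5.31": "printer", "10.10.5.40": "ip-camera",
    "10.10.5.41": "hvac", "10.10.5.42": "badge-reader",
    "10.20.0.2": "server",
    "10.20.0.11": "ip-camera", "10.20.0.12": "ip-camera", "10.20.0.13": "badge-reader",
}
ALLOWED_PEERS = {  # constructed policy: class -> (proto, destination host, port) it may initiate
    "ip-camera": [("tcp", "10.20.0.2", 554)],
    "badge-reader": [("tcp", "10.40.0.6", 8443)],
    "hvac": [("tcp", "10.40.0.5", 443), ("udp", "10.40.0.5", 123)],
    "printer": [("udp", "10.10.5.12", 53)],
}


def inventory_delta(ad: dict, sweep: dict) -> dict:
    """Devices the sweep saw that AD does not know: the 'starting number'."""
    return {ip: cls for ip, cls in sweep.items() if ip not in ad}


def subnet_mix(sweep: dict, prefix: int = 24) -> dict:
    """Per subnet: IT share, IoT share, and whether neither side exceeds MIX_THRESHOLD
    (the article's definition of poor segmentation). Prefix length is an assumption."""
    per_subnet: dict[str, Counter] = {}
    for ip, cls in sweep.items():
        net = str(ip_network(f"{ip}/{prefix}", strict=False))
        bucket = "it" if cls in IT_CLASSES else "iot"
        per_subnet.setdefault(net, Counter())[bucket] += 1
    result = {}
    for net, c in per_subnet.items():
        total = c["it"] + c["iot"]
        it_share, iot_share = c["it"] / total, c["iot"] / total
        result[net] = {"it": round(it_share, 2), "iot": round(iot_share, 2),
                       "poorly_segmented": max(it_share, iot_share) <= MIX_THRESHOLD}
    return result


def acl_for(ip: str, cls: str) -> list[str]:
    """Permit only the class's allowed peers, then deny and log everything else.
    Cisco-style extended ACL syntax, illustrative only."""
    lines = [f"permit {proto} host {ip} host {dst} eq {port}"
             for proto, dst, port in ALLOWED_PEERS.get(cls, [])]
    lines.append(f"deny ip host {ip} any log")
    return lines


def report(ad: dict = AD_INVENTORY, sweep: dict = SWEEP) -> dict:
    delta = inventory_delta(ad, sweep)
    acls = {ip: acl_for(ip, cls) for ip, cls in delta.items() if cls in IOT_CLASSES}
    return {"seen": len(sweep), "unmanaged": len(delta),
            "unmanaged_pct": round(100 * len(delta) / len(sweep)),
            "delta": delta, "subnets": subnet_mix(sweep), "acls": acls}


if __name__ == "__main__":
    r = report()
    print(f"{r['unmanaged']} of {r['seen']} devices ({r['unmanaged_pct']}%) absent from AD")
    for net, m in r["subnets"].items():
        flag = "POORLY SEGMENTED" if m["poorly_segmented"] else "ok"
        print(f"{net}: IT {m['it']:.0%} / IoT {m['iot']:.0%} -> {flag}")
    for ip, lines in r["acls"].items():
        print(f"\n! {ip} ({r['delta'][ip]})")
        print("\n".join(lines))
```

On the constructed data the IT VLAN 10.10.5.0/24 comes out half IT and half IoT, so it fails the 55% test, while 10.20.0.0/24 is three-quarters IoT and passes as a dedicated IoT segment. The deny-and-log line at the end of each ACL is deliberate: once the permitted peers are in place, the log entries from that line are the low-noise detection content the next step builds on.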
An edge AI platform for industrial IoT – agentless discovery, identity-aware connectivity, and policy enforcement at the network edge – is one of the operational shapes this five-step chain can take, particularly when the devices are heterogeneous and the team is small.
Of course, the tool matters less than the sequence.
The Wildcard Your Visibility Stack Cannot Touch
Worth saying out loud, because the past 18 months have made it real: the scenario that breaks the chain is supply-chain pre-compromise. BadBox 2.0 and Raptor Train share a property: the compromise sat upstream of the customer's network – pre-installed at manufacture or persistently embedded on consumer-grade hardware – so by the time the device plugs into a deployed VLAN, the attacker is already inside. Mars Hydro's 2.7-billion-record breach in February 2025 is a different shape of the same problem: the vendor's own cloud backend was exposed, leaking customer WiFi credentials and device data that travel with the hardware. Controls on the deployed network cannot reach any of these.
Probability is low in any given year. Impact is catastrophic when it lands.
Reasonable hedges that do not require buying anything exotic:
- Cryptographic device attestation at provisioning. Verify identity before the first packet of legitimate traffic. Devices that cannot attest do not join.
- Isolated provisioning network. First boot happens off the production VLAN. No exceptions.
- SBOM and vendor security questionnaire at procurement. Particularly for device classes above an exposure threshold you define.
- Tabletop drill the scenario where your visibility stack tells you everything is fine and the vendor is breached. The blast-radius decisions matter more than the detection ones in this case.
Bottom line: visibility cannot reach upstream of the loading dock. Procurement and attestation can.
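As an added example of the first two hedges above, not code from the original article or from any product it names: a provisioning gate that keeps a device on an isolated VLAN until it answers a fresh challenge with a key issued at manufacture and reports a firmware digest that appears in the vendor's signed release manifest. The keys, firmware bytes, digests and device ids are constructed. The HMAC challenge-response is a simplified stand-in for TPM or certificate-based attestation so that the example runs on the standard library alone; the gate's decisions are the same in either case.

```python
"""Provisioning gate: attest identity and firmware before leaving the
provisioning VLAN. Added example; keys and firmware are constructed."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PROVISIONING_VLAN, PRODUCTION_VLAN, QUARANTINE_VLAN = 999, 20, 666

# Constructed: per-device keys the vendor issues at manufacture and delivers
# out of band, never over the network the device is about to join.
ISSUED_KEYS = {
    "cam-0001": hashlib.sha256(b"constructed key cam-0001").digest(),
    "cam-0002": hashlib.sha256(b"constructed key cam-0002").digest(),
}
# Constructed: the shipped firmware image and its digest from the signed
# release manifest that accompanies the vendor's SBOM.
GOOD_FIRMWARE = b"constructed firmware image v1.4.2"
APPROVED_FIRMWARE = {"cam": {hashlib.sha256(GOOD_FIRMWARE).hexdigest()}}


def model_of(device_id: str) -> str:
    return device_id.split("-", 1)[0]   # assumption: ids are <model>-<serial>


@dataclass
class Device:
    """First-boot behaviour: measure the firmware, answer the challenge.
    In production the measurement comes from a TPM or secure element so the
    firmware cannot lie about its own digest; the gate logic is unchanged."""
    device_id: str
    key: bytes
    firmware: bytes

    def attest(self, nonce: bytes) -> dict:
        fw_digest = hashlib.sha256(self.firmware).hexdigest()
        msg = nonce + self.device_id.encode() + bytes.fromhex(fw_digest)
        return {"device_id": self.device_id, "fw_digest": fw_digest,
                "mac": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}


class ProvisioningGate:
    """Runs on PROVISIONING_VLAN. A device reaches PRODUCTION_VLAN only after
    identity and firmware verify; every failure lands in QUARANTINE_VLAN."""

    def __init__(self, issued_keys: dict, approved_firmware: dict):
        self.issued_keys = issued_keys
        self.approved_firmware = approved_firmware
        self.open_challenges: dict[str, bytes] = {}

    def challenge(self, device_id: str) -> bytes | None:
        if device_id not in self.issued_keys:
            return None                         # no issued identity, no challenge
        nonce = secrets.token_bytes(16)
        self.open_challenges[device_id] = nonce
        return nonce

    def admit(self, response: dict) -> tuple[int, str]:
        """Return (vlan, reason). The nonce is consumed here, so a captured
        response cannot be replayed to admit a second device."""
        did = response["device_id"]
        nonce = self.open_challenges.pop(did, None)
        key = self.issued_keys.get(did)
        if nonce is None or key is None:
            return QUARANTINE_VLAN, "no open challenge for this identity"
        msg = nonce + did.encode() + bytes.fromhex(response["fw_digest"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["mac"]):
            return QUARANTINE_VLAN, "attestation MAC does not verify"
        if response["fw_digest"] not in self.approved_firmware.get(model_of(did), set()):
            return QUARANTINE_VLAN, "firmware digest not in the approved set"
        return PRODUCTION_VLAN, "attested; move to production VLAN"


def run_scenarios() -> dict:
    """Constructed first-boot cases: genuine unit, unit shipped with altered
    firmware (the pre-compromise case), a replayed response, an unknown identity."""
    gate = ProvisioningGate(ISSUED_KEYS, APPROVED_FIRMWARE)
    results = {}
    genuine = Device("cam-0001", ISSUED_KEYS["cam-0001"], GOOD_FIRMWARE)
    genuine_response = genuine.attest(gate.challenge("cam-0001"))
    results["genuine"] = gate.admit(genuine_response)
    tampered = Device("cam-0002", ISSUED_KEYS["cam-0002"], GOOD_FIRMWARE + b"\x00implant")
    results["tampered_firmware"] = gate.admit(tampered.attest(gate.challenge("cam-0002")))
    results["replay"] = gate.admit(genuine_response)        # nonce already consumed
    stranger = Device("cam-9999", b"guessed key", GOOD_FIRMWARE)
    results["unknown_challenge"] = gate.challenge("cam-9999")   # None: no identity issued
    results["unknown"] = gate.admit(stranger.attest(b"\x00" * 16))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} -> {outcome}")
```

The replay and tampered-firmware cases are the ones to study. The nonce is consumed on use, so a captured response admits nothing a second time, and a genuine unit whose flash was altered upstream proves its identity but still lands in quarantine because the digest is not on the approved list. Whether that digest can be trusted at all is exactly why the measurement should come from a secure element rather than from firmware that can describe itself however it likes.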
Regulators Arrived in 2026, on Their Own Schedule
The compliance lever has moved from theoretical to operational this year.
In the European Union, NIS2 had its transposition deadline of October 17, 2024. As of May 2026, 21 of 27 member states have transposed it into national law. Regulators across several member states are now in active supervisory and enforcement phases. Fines for essential entities reach €10 million or 2% of global annual turnover, whichever is higher. Important entities face €7 million or 1.4%. Management bodies can be held personally accountable – a meaningful change from NIS1 that most boards have not fully internalized.
NIS2 names accurate IT asset inventory as an explicit obligation.
The Cyber Resilience Act entered into force on December 10, 2024. Reporting obligations apply from September 11, 2026. Full obligations apply December 11, 2027. Where NIS2 governs how entities operate, CRA governs how the products on their networks were built. Fines reach €15 million or 2.5% of global annual turnover. Together the two regimes ask for visibility plus product integrity, end to end.
In the United States, more than half of the 2024 cyber-incident filings disclosed to the SEC involved OT attacks. Cyber insurance underwriters (the ones renewing your policy next quarter) now ask for IoT inventory and segmentation evidence at renewal. The conversation has moved from voluntary best practice to underwriting requirement.
Compliance arrives on its own schedule. The schedule started in 2026.
Where This Leaves the Reader
So what should a CISO take away from all of this?
The temptation when reading something like this is to walk away with "buy a discovery tool" as the action item. That would be the wrong takeaway.
The action item is: figure out which of the five steps in the chain your organization is missing today, and close that gap before adding to the one above it. For most enterprises the missing step is segmentation, not discovery. For some it is identity. For a few it is response. Discovery is necessary, but it is rarely the binding constraint.
When I sit with these teams, the question is almost never "what do we have on the network?" – it is "what are we going to do about what we have?" That gap, between the inventory and the policy, is where every dollar of IoT security ROI is decided.
The industrial IoT connectivity platform layer is where these chains stop being slideware and start being a deployed configuration with measurable blast-radius limits. The tool is not the program. It is the surface the program is enforced on.
Visibility opens the door. The chain walks through it.