How Phosphorus Cybersecurity is addressing xIoT security complexities

With the rapid expansion of Extended Internet of Things (xIoT) devices, securing these systems has become an increasingly complex challenge for organizations—particularly since traditional security agents aren’t compatible with these devices. In this episode, John Terrill, CISO of Phosphorus Cybersecurity, discusses the evolving xIoT threat landscape, the challenges organizations face in securing these devices, and how automation and AI-driven solutions can help mitigate risks.

Phosphorus Cybersecurity specializes in managing and securing xIoT, Operational Technology (OT), and industrial control systems. Terrill explains that Phosphorus Cybersecurity’s platform enables organizations to discover, monitor, and manage these devices, performing tasks such as rotating credentials and upgrading firmware. Unlike traditional IT security tools, Phosphorus Cybersecurity is designed to work with devices that lack standardized security frameworks.

Terrill describes xIoT as cyber-physical devices that interact with the real world, differentiating them from standard IoT systems. He highlights real-world cyber incidents like Stuxnet and FrostyGoop, where attackers compromised not just the computer systems but also the physical functions of the devices. The lack of a unified toolchain and inconsistent security protocols across vendors further complicates protection efforts.

The rapid expansion of xIoT is exacerbating these challenges. Terrill notes that the number of devices is expected to reach 70 billion by 2025. Unlike cloud servers, which remain relatively static in number, xIoT devices are multiplying at a rate that far exceeds the growth of traditional IT systems. Many organizations remain unaware of the sheer volume of these devices on their networks, further increasing security risks.

Many xIoT devices enter networks through non-IT departments, a trend Terrill sees as a major security blind spot. Facilities management and corporate security teams often introduce these devices without IT oversight, creating a disconnect in security responsibility. This issue is often ignored, either due to its complexity or a lack of awareness. Terrill notes, “A lot of places are ignoring this problem, and I say ignoring it because it’s partly a willful not wanting to have to deal with it because it’s a hard problem.” Nonetheless, Terrill cautions that every xIoT device functions as a small computer, making it a prime target for attacks across multiple industries.

To address these risks, Phosphorus Cybersecurity is leveraging AI and automation to manage devices at scale. Terrill describes a genus-species approach, categorizing devices by firmware similarities to streamline security management across diverse platforms. By interacting with devices in their native protocols, Phosphorus Cybersecurity is developing AI-driven methods to standardize security operations across different device ecosystems.

For organizations to improve xIoT security, Terrill emphasizes the need to return to fundamental security principles, such as device visibility, credential management, and segmentation. Traditional passive security methods are insufficient, as attackers now directly target xIoT systems. Organizations must recognize that xIoT security requires a proactive rather than reactive approach, necessitating a cultural shift.

As xIoT adoption accelerates, organizations must act swiftly, integrating AI-driven automation and reinforcing security fundamentals to prevent cyber-physical threats from escalating. Bridging the gap between IT and OT security strategies will be essential to preventing real-world disruptions caused by these increasingly complex attack surfaces.

Guest: John Terrill
Company: Phosphorus Cybersecurity
Show: CISO Insights

This summary was written by Emily Nicholls.
