CISA’s IoT Crackdown: What 21 Billion Devices Mean Now
A federal directive, a record-breaking botnet, and a 32-day remediation gap just rewrote the rules for enterprise IoT security. Here’s what CISOs need to act on, and why zero trust alone won’t save them.
On January 7, 2026, a botnet called RondoDox fired more than 40,000 automated attack attempts at HPE OneView servers in a single four hour window. Not routers. Not smart cameras. A data center management platform running inside government agencies, banks, and industrial manufacturers. Check Point Research caught it live, and CISA added the underlying flaw to its Known Exploited Vulnerabilities catalog the same day.
That attack is the clearest signal yet that enterprise IoT security has moved past the consumer-gadget stage. The threat now targets the infrastructure running your business, and federal regulators noticed before most private companies did. One month later, CISA issued a binding directive that private-sector security leaders are already treating as the new baseline, whether or not it legally applies to them.
The scale problem: 21 billion devices and counting
Ask ten analyst firms how many IoT devices exist right now and you’ll get ten different numbers, because they’re all measuring slightly different things on different dates. The most current, most cited figure comes from IoT Analytics‘ State of IoT 2025 report: roughly 21.1 billion connected IoT devices worldwide by the end of 2025, up 14% year over year, with the installed base projected to hit 39 billion by 2030.
If you’ve seen the “17 billion devices” figure floating around, that’s not wrong, it’s just old. That number reflects an October 2024 snapshot. By mid-2026, the real count sits closer to the low twenties, and it keeps climbing at double-digit rates every year. Every one of those billions of devices is a potential entry point, and most of them were never designed with security as a priority.
Firmware maintenance is the harder half of that problem. Research from ORDR, citing Forescout telemetry, found that 32% of deployed routers run firmware that will never receive another patch, full stop. The vendor has moved on, the support window has closed, and the device stays plugged in anyway. Forescout’s broader 2026 research puts the average router or switch at 32 vulnerabilities per device, and routers and switches now account for 34% of the most critical vulnerabilities found across enterprise networks.
| Metric | Figure | Source |
|---|---|---|
| Global connected IoT devices (2025) | 21.1 billion, +14% YoY | IoT Analytics |
| Breaches traced to unpatched firmware | 60% | IoT Security Foundation |
| Routers running firmware that will never be patched | 32% | ORDR / Forescout |
| Average vulnerabilities per router/switch | 32 | Forescout |
| Edge vulnerabilities fully remediated | 54% (32-day median) | Verizon 2025 DBIR |
| Peak DDoS traffic from a hijacked-IoT botnet | 29.7 Tbps | Cloudflare, Q3 2025 |
Inside CISA’s BOD 26-02
On February 5, 2026, CISA issued Binding Operational Directive 26-02, “Mitigating Risk From End-of-Support Edge Devices.” It requires federal civilian agencies to find, patch, and eventually rip out any edge device, including IoT edge devices, routers, firewalls, switches, and wireless access points, that no longer receives vendor security updates.
The timeline is specific and unforgiving:
- Immediate: Patch where feasible.
- 3 months (by May 5, 2026): Complete inventory of end-of-support edge devices.
- 12 months (by February 5, 2027): Decommission those devices.
- 18 months (by August 5, 2027): Full removal from the network.
- 24 months (by February 5, 2028): Continuous discovery process in place permanently.
CISA Acting Director Madhu Gottumukkala didn’t soften the message when the directive dropped: “Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks.”
The directive is technically federal-only. In practice, it’s already becoming the industry’s reference clock. CISA, the FBI, and the UK’s National Cyber Security Centre have all publicly urged private companies to adopt the same timeline, and Help Net Security’s breakdown of the order notes the same pattern security teams have seen with prior directives: what starts as a federal mandate becomes an insurance underwriting question within a year.
If you’re running a regulated business, expect your cyber insurance renewal and your next audit to start asking about edge-device lifecycle management using this exact framework, whether you’re a federal contractor or not.
The EU has its own clock running in parallel. The Cyber Resilience Act’s 24-hour early warning obligation for actively exploited vulnerabilities kicks in on September 11, 2026, with full security-by-design and lifetime patching requirements following in December 2027. We’ve covered the CRA’s compliance mechanics and deadlines in detail in our EU Cyber Resilience Act deadline explainer, so we won’t repeat it here. What matters for this piece is that two major regulatory regimes are converging on the same conclusion at the same time: the era of shipping IoT hardware and walking away from it is over.
The breaches that forced the issue
Regulators don’t move this fast without a body count. 2025 and early 2026 gave them plenty of evidence.
BadBox 2.0
Google disclosed this one in July 2025. It’s the largest known botnet built from internet-connected TVs, streaming boxes, and digital photo frames, compromised through outdated firmware and infecting more than a million devices in the United States alone. Nobody bought a hacked photo frame on purpose. The firmware just never got a security update, and an entire product category quietly became attack infrastructure.
Aisuru and Kimwolf
This is the botnet pair that broke the DDoS record books. Cloudflare mitigated a 29.7 Tbps attack in Q3 2025, sourced from an estimated 300,000 to 700,000 hijacked routers, DVRs, and IP cameras. Microsoft Azure absorbed a separate 15.72 Tbps flood in October 2025 tied to the same infrastructure. By early 2026, authorities confirmed the combined Aisuru and Kimwolf networks had compromised more than 3 million devices globally, according to reporting from Swif.ai’s IoT security roundup.
For scale: Mirai, the botnet that defined this entire threat category back in 2016, recruited 600,000 devices using just 60 default credential combinations and still managed a 1.2 Tbps attack that knocked major sites offline. A decade of public warnings, published source code, and industry conferences later, the same playbook, default credentials plus unpatched firmware, just produced an attack 24 times larger.
RondoDox against enterprise infrastructure
The HPE OneView campaign matters because of what it targeted, not just how big it was. Consumer routers and cameras are the old story. A data center management platform is the new one. Our read: this is the clearest evidence yet that IoT-botnet tactics have graduated from consumer gadgets to core enterprise infrastructure, and security budgets built around “protect the smart thermostats” haven’t caught up.
The financial exposure backs that up. Aggregated breach-cost research from Vectra.ai and ORDR puts the average IoT security incident at roughly $330,000, climbing to an average of $10 million per incident in healthcare specifically, where connected medical devices and unpatched firmware collide with regulatory exposure and patient safety.
Why zero trust breaks down in IoT and OT
Ask any vendor and zero trust is the answer to everything, including this. Ask the people actually implementing it, and you get a more complicated picture.
“We all agree: zero trust is necessary. But it’s been hard to implement. It doesn’t matter what you read or which framework you follow. The core issue is that we have a concept with principles and tenets, but not enough guidance on how to implement it.” Morey Haber, Chief Security Advisor, BeyondTrust, via Network World
Haber’s framing is the industry-consensus version: zero trust works in theory, execution is the bottleneck. The sharper critique comes from people who’ve responded to what happens when it fails.
“The biggest security incidents in 2026 will stem from compromised identities within supposedly zero trust environments. The illusion of control will persist until identity management becomes contextual and adaptive, powered by AI that can interpret intent, not just credentials.” Ariel Parnes, COO, Mitiga (former IDF Unit 8200 colonel), via SecurityWeek
Parnes is describing a real gap: zero trust verifies credentials, not intent, and IoT devices generally don’t have the kind of identity infrastructure that makes that verification meaningful in the first place. Most IoT hardware simply can’t run the components a standard zero-trust architecture assumes. No multi-factor authentication. No client certificates. Not enough compute to support continuous verification. You can’t authenticate your way around hardware that was never built to authenticate.
CSO Online’s analysis of the IoT and OT gap makes the sharpest structural point in the whole debate: zero trust governs access, but it doesn’t model consequence. Two systems can be fully isolated at the network layer, properly segmented, verified access on paper, and still be functionally inseparable through a shared controller, a common protocol translator, or a vendor’s remote update service. You can pass every zero-trust audit and still have a single point of failure nobody mapped.
Timeline expectations get a reality check too.
“We will eventually get there, but timelines extend well beyond 2026 due to fundamental structural barriers. Private data exchanges must simultaneously secure data flows across partners’ legacy systems, cloud environments, and on-premise infrastructure, while maintaining operational compatibility with hundreds of exchange participants at varying security maturity levels.” Dario Perfettibile, VP and GM of European Operations, Kiteworks, via SecurityWeek
Put those three quotes together and you get the honest 2026 state of the industry: zero trust is the right direction, badly under-implemented, structurally mismatched to most IoT hardware, and years away from covering the gap even under optimistic timelines.
What enterprise security teams should do now
The Verizon 2025 Data Breach Investigations Report, drawn from more than 22,000 incidents and 12,195 confirmed breaches, found a 34% year-over-year rise in successful vulnerability exploits, with an eightfold jump in exploitation of edge devices and VPN concentrators. Among breaches that started with vulnerability exploitation, edge devices and VPNs accounted for 22%, up from just 3% the year before. Only 54% of edge vulnerabilities were fully remediated in the observation window, and the median time to fix one was 32 days.
That 32-day number is the one worth pinning to your dashboard. It’s a real industry benchmark you can measure your own remediation SLA against, not a vendor’s aspirational target.
Given all of that, the realistic model for 2026 isn’t “implement zero trust everywhere.” It’s a two-tier approach: identity-based zero trust for the IT systems that can actually support it, and network-based segmentation with behavioral monitoring for the IoT and OT fleet that can’t. Treating “we did zero trust” as a finished project, when your IoT devices sit entirely outside that perimeter by design, is the exact gap that shows up in next year’s breach report.
Practical steps that map directly to what’s driving this shift:
- Inventory first. CISA’s own timeline gives federal agencies three months just to find every end-of-support edge device. If a federal agency needs that long, assume your enterprise network has blind spots too.
- Benchmark against 32 days. Use the DBIR’s median remediation time as your internal SLA target, and track what percentage of your edge vulnerabilities actually get fully closed, not just acknowledged.
- Segment what you can’t authenticate. If a device can’t run MFA or a client certificate, it goes on an isolated network segment with active behavioral monitoring, not on the same trust tier as your laptops.
- Watch the procurement deadline. By January 4, 2027, vendors selling consumer IoT to the U.S. federal government must carry the FCC’s Cyber Trust Mark. That’s a voluntary label today. It becomes a de facto procurement filter in eighteen months, and enterprise buyers will likely start asking for it too.
For a deeper look at how these device counts are actually measured, our breakdown of Gartner’s edge computing numbers is worth a read. And if your IoT exposure runs through industrial or OT systems specifically, we’ve also mapped the ROI math behind GE and Shell’s industrial IoT deployments, which is a useful counterweight when your CFO asks why security spending on OT devices matters as much as the operational upside.
Frequently asked questions
How many IoT devices are there in 2026?
Estimates vary by firm and methodology, but IoT Analytics reports roughly 21.1 billion connected IoT devices as of the end of 2025, up 14% year over year, with the installed base forecast to reach 39 billion by 2030.
What percentage of IoT breaches are caused by unpatched firmware?
Research from the IoT Security Foundation attributes roughly 60% of IoT security breaches to unpatched firmware, making it the single largest documented cause of IoT compromise, ahead of weak credentials or supply-chain attacks.
What is CISA BOD 26-02?
CISA Binding Operational Directive 26-02, issued February 5, 2026, requires U.S. federal civilian agencies to inventory, decommission, and replace edge devices, including IoT edge devices, routers, and firewalls, that no longer receive vendor security updates, on a 3-to-24-month timeline.
Does zero trust work for IoT devices?
Only partially. Most IoT devices lack the compute power to run standard zero-trust components like multi-factor authentication or client certificates, so security teams typically apply a two-tier model: identity-based zero trust for IT systems, and network-based segmentation and behavioral monitoring for IoT and OT devices that can’t participate directly.
Where this goes next
Here’s what’s actually different now. Enterprise IoT security stopped being a device-hygiene checklist item somewhere between the RondoDox campaign and CISA’s February directive, and became a board-level compliance question with a hard clock attached. The 21 billion devices already deployed aren’t getting replaced overnight, the firmware problem isn’t getting solved by a single patch cycle, and zero trust isn’t the finished solution the marketing suggests.
Over the next 6 to 18 months, watch three things specifically: whether private-sector cyber insurers start writing CISA’s timeline into policy requirements, whether the EU CRA’s September 2026 incident-reporting deadline produces the first wave of public disclosure data on IoT breach frequency, and whether the two-tier zero-trust model becomes the named industry standard or stays an informal workaround.
The organizations that treat this quarter’s device inventory as a compliance chore will be the ones explaining a breach to their board next year. The ones that treat it as the actual security perimeter it is will just be doing their jobs.
Want this kind of analysis before it hits your feed? Subscribe to The Neural Loop at neuralwired.com/newsletter.
