It is true that devices like a programmable logic controller don’t have a lot of memory, or an operating system, but the IoT is massive in scope and scale, and devices vary widely. That “simple” device might only look simple on the outside; on the inside it may very well be running Windows XP (or CE), and as a consequence just as vulnerable to exploits as any outdated PC would be.
So, not only can policy prevent patching of IoT and fixed function devices, but so can manufacturer requirements!
Finally, let’s keep in mind that the only significant difference between ransomware and other forms of malware is that the former has to be public in order for the perpetrators to collect their money; the latter can operate silently and unnoticed in an IoT device until the perpetrators decide they want to activate its payload.
For all the above reasons, we designed SenrioInsight to help enterprises monitor the behavior of these “Fixed Function” and “IoT” devices that otherwise can’t accept security software or updates “from the inside out”. And for manufacturers, we developed SenrioTrace to monitor changes to the way firmware or “fixed function” applications execute in devices.
* /* Since the release of malware labeled “Petya” (not the first malware to have this name) a number of security experts have taken to calling it “NotPetya” because not only does this most recent code operate differently from the original Petya, it's not really a very good piece of ransomware. In fact, the code actually contains a wiper function, which makes it more like Shamoon than the original Petya. Regardless of what you want to call it, the points raised herein remain the same: everything that is a threat to PCs is a threat to a wide range of IoT devices, and if realized, those threats can have a much greater negative impact on our lives. */