The expanding attack surface of the Internet of Things opens up dangerous new vistas for adversaries ranging from script kiddies to elite nation-state actors. Complicating matters is a shortage of qualified cybersecurity talent and a confusing bubble of hype around several technologies intended to help organizations safeguard their networks.
To help you get a handle on the challenge IoT security can pose, we spoke with Sean Peasley, a Deloitte Risk and Financial Advisory partner and IoT security veteran, as well as Andrew Howard, the chief executive officer of Kudelski Security. They weigh in on everything from the cybersecurity skills gap, the challenge of minimizing supply chain risk and the hype surrounding everything from AI to 5G.
1. Have Realistic Expectations Regarding Cyber Talent
It’s common knowledge there is a shortage of experienced cybersecurity professionals. But assessments that there is or soon will be a shortfall of millions of cyber workers in a handful of years can engender a degree of hopelessness in organizations seeking to defend their networks, IoT devices and IT systems.
“This topic [around the cybersecurity skills gap] seems to always be the number one thing people want to talk about with cybersecurity,” Howard said. But discussions on the subject can at times veer off course. While the cyber talent scarcity is real, “frankly, there is a shortage in all markets,” Howard said. The unemployment rate in nations ranging from the U.S. to Germany to Japan to the United Kingdom is less than 4%. Rather than searching for a cyber MacGyver, organizations seeking cyber talent should ask which types of professionals they can realistically attract in the short term to help them measurably reduce their cyber risk.
In the cybersecurity market, a large degree of the need is for analysts, Howard said. “I think at the top end of the cybersecurity org chart, there’s not a shortage of [experienced] employees,” Howard explained. “You might make an argument that there’s a shortage of qualified employees, but what I see is when companies are not having a hard time finding CISOs or lieutenants. They’re having a hard time finding CISOs or lieutenants they can afford — just because there’s so much demand.”
2. Make Sure the Candidates You Do Hire Are Well-Qualified and Compensated
It can be wise to embrace nontraditional strategies when buttressing your cyber workforce, but one pitfall is to skimp on qualifications when hiring workers for senior roles. “What I see that is concerning is that, on a consistent basis, I speak with potential clients, who have woefully underskilled cybersecurity leaders in their space,” Howard said.
Yes, the cybersecurity shortage is a contributing factor to this problem. But another element is the lack of understanding by boards and leaders such as chief executive officers and chief information officers in what skills are vital for cyber leaders. “There’s often an under-appreciation for what you have to pay for the type of expertise that is in demand,” Howard said.
3. Keeping Track of Third Parties Isn’t Enough for Supply Chain Security
Last year, Bloomberg published an article titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” The story drew strong objections from Amazon, Apple and Supermicro, all of which disputed its reporting. While the facts of the article remain contested, the piece did draw attention to the threat of supply-chain attacks in general. Deloitte recommends that organizations carefully consider the potential security ramifications of third-party software, hardware and services.
For one thing, there are a growing number of stories indicating threat actors are looking at the supply chain to target their victims. For instance, the European aerospace firm Airbus has been targeted as part of a coordinated attack on its suppliers. Earlier this year, Wired reported on a supply chain attack targeting at least six organizations.
Large organizations can sometimes have thousands of third-party suppliers, and potentially thousands more fourth and fifth parties, Peasley said. While smaller firms tend to have a smaller supplier base, the focus on the supply chain is equally important. “Whether it’s a supplier that puts a subcomponent into a product that you might build, or whether it’s a software product that you utilize, [organizations] need to think of all the different cyber aspects of the types of data that they use, and the types of things that might be embedded into your environment or your product.”
4. Aligning IT and OT Teams Is Vital for Cybersecurity, Too
The integration of information technology (IT) staff with operational technology (OT) workers is a perennial theme in many industrial and enterprise IoT contexts. In terms of cybersecurity, the prospect of integrating IT and OT can be daunting because cybersecurity has traditionally been the focus of the IT camp. Securing an OT environment such as a factory or a refinery traditionally meant keeping unauthorized personnel out of restricted areas. Now, it includes the prospect of preventing hackers from meddling with systems whose compromise could potentially cause a catastrophe. “OT security is in demand right now,” Howard said.
Similarly, IT security professionals who have landed careers in industrial contexts would be wise to study the traditional safety programs inherent in operational technology. Many industrial organizations have had safety programs for decades. Peasley said traditional IT security professionals whose duties extend to operational technology “need to have a similar mentality around security,” while carefully considering potential safety ramifications of connected devices in, say, a refinery or factory.
5. Security Standards Can Help Codify a Secure by Design Mentality
The term “secure by design” gets tossed around frequently these days, but it isn’t always easy to pin down what it means in practice. Peasley recommends looking to standards and regulations for best practices. “Look at the NIST standards, some of the IEEE standards, ISA/IEC 62443,” he said. Those documents include helpful information on designing security into industrial products, testing and certifying those products, and coming up with an effective post-market cybersecurity strategy. IoT security involves “a different mindset compared to the enterprise” and the prospect of securing “traditional network devices and infrastructure devices,” he said. For instance, a connected device in an industrial or medical environment will likely need to be up and running 24 hours a day, 365 days a year. “There are often different constraints in an operational technology environment than you would have in an enterprise environment,” Peasley said. In such cases, standards can help formalize a comprehensive security strategy that stipulates how to train staff ranging from developers to engineers, while routinely assessing the organization’s cybersecurity posture.
6. Temper Hype around New Technologies with Pragmatism
It’s hard to avoid sweeping statements that technologies ranging from artificial intelligence to the introduction of 5G will have an enormous impact on cybersecurity.
Howard is dubious about the widespread use of the term artificial intelligence. “My perspective on AI is that there’s way too much hype,” he said. “I struggle with this personally — just being able to differentiate what I would consider artificial intelligence, which is machines making independent decisions based on mathematical models versus just smarter software.”
That said, there is still value in deploying machine learning to detect anomalies that could indicate a security breach. In the broader IT landscape, the term artificial intelligence for IT operations (AIOps) has become mainstream. Deloitte recommends embracing this strategy and unifying it with a secure by design approach, which spans development and operations (known as DevSecOps).
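The anomaly detection the paragraph above alludes to does not require anything as grand as “artificial intelligence.” The following is an added example, not code from the article, Deloitte or Kudelski Security: a robust statistical baseline (median and median absolute deviation) over constructed per-interval outbound byte counts from one IoT gateway, flagging intervals that deviate far from the device’s own normal. The sample data and the 3.5 threshold are assumptions for illustration.

```python
"""Statistical anomaly detection over constructed IoT telemetry.

Added example, not from the article or from Deloitte/Kudelski. It scores
per-interval outbound byte counts for one gateway against a robust
baseline (median and median absolute deviation, MAD) and flags intervals
whose modified z-score exceeds a threshold. The data below is constructed.
"""
from statistics import median

# Constructed: outbound bytes per 5-minute interval for one sensor gateway.
# The last two intervals model a sudden burst, the kind of change a breach
# (e.g. data exfiltration or a newly installed bot) might produce.
SAMPLE_BYTES = [1210, 1190, 1250, 1230, 1205, 1198, 1222, 1240, 1215, 1208,
                1201, 1233, 9800, 11200]


def robust_zscores(values):
    """Return a modified z-score per value using the median and MAD.

    Median and MAD are used instead of mean and standard deviation because
    a single huge outlier would otherwise inflate the baseline and hide
    itself. The 0.6745 factor (Iglewicz and Hoaglin) makes the score
    comparable to a standard z-score for normally distributed data.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate case: most values identical. Fall back to mean absolute
        # deviation so the division is still defined.
        mad = sum(abs(v - med) for v in values) / len(values) or 1.0
    return [0.6745 * (v - med) / mad for v in values]


def detect_anomalies(values, threshold=3.5):
    """Return (index, value, score) for each interval whose |score| > threshold."""
    scores = robust_zscores(values)
    return [(i, v, s) for i, (v, s) in enumerate(zip(values, scores))
            if abs(s) > threshold]


if __name__ == "__main__":
    for idx, val, score in detect_anomalies(SAMPLE_BYTES):
        print(f"interval {idx}: {val} bytes (score {score:.1f})")
```

In practice the baseline would be computed per device over a sliding window, and a flagged interval would be a trigger for investigation rather than a verdict; the value of the approach is that it is explainable, which is exactly the property Howard finds missing from much of what is marketed as AI.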
In terms of how the rise of 5G might affect IoT security and cybersecurity in general, Howard recommends studying the history of prior generations of cellular technology to get an indication of the likely future. “It’s my guess that [the debut of 5G] will follow the typical kind of vulnerability curve that you saw with 3G, 4G/LTE, LTE-M, etc.,” he said. In other words, once the standard goes live in the real world, there will be an uptick in inbound attacks.
Once the high-bandwidth flavor of 5G becomes commonplace, it could lead to a rush to expand the wireless capabilities of many types of IoT devices. “You would be connected to a lot of devices that were never intended to be connected,” Howard said.
7. Edge Computing Isn’t a Security Cure-All
One of the central marketing pitches for edge computing is its purported cybersecurity benefit. The underlying logic is that pushing computing out as close as possible to where data is generated makes it a harder target for an attacker. While that may be true to a certain extent, the same fact cuts both ways. “Often, on the edge, you just don’t have the security controls that you might have back in a more centralized architecture,” Howard said. “I get worried when I hear someone say: ‘I’m going to do everything at the edge.’”
Analysts such as Gartner don’t see edge computing as a pendulum swing away from centralized computing models. Instead, they view it as a complement. From a security perspective, the prospect of commonplace hybrid edge-cloud models heightens the importance of applying sound anonymization controls to the metadata that is sent to a cloud or core data center. “When you say ‘edge computing,’ you are basically pulling features out of big data sets, and then sending the features back to the centralized data store,” Howard said.
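To make the “pull features out, send features back” model concrete, here is an added example (not code from the article, Deloitte or Kudelski Security) of what an edge node might do before anything leaves the site: reduce raw readings to per-device aggregates, replace the device identifier with a keyed HMAC, and drop fields the central store has no need for. The readings, field names and the site-local key `EDGE_KEY` are all constructed assumptions.

```python
"""Edge-side feature extraction with pseudonymized identifiers.

Added example, not from the article, Deloitte or Kudelski. An edge node
reduces raw readings to per-device aggregate features and replaces the
device identifier with a keyed HMAC before anything is sent upstream.
EDGE_KEY is assumed to be provisioned per site and never leave the edge,
so the cloud store cannot reverse the pseudonyms on its own; operator
badge numbers and raw timestamps are dropped entirely because the
aggregate features do not need them. Records below are constructed.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Assumption: a per-site secret held only on the edge node.
EDGE_KEY = b"edge-site-7-local-secret"

# Constructed raw readings: (device_id, unix_ts, temperature_c, operator_badge)
RAW_READINGS = [
    ("pump-01", 1700000000, 71.2, "badge-4471"),
    ("pump-01", 1700000300, 72.9, "badge-4471"),
    ("pump-01", 1700000600, 88.4, "badge-4471"),
    ("valve-03", 1700000000, 40.1, "badge-9120"),
    ("valve-03", 1700000300, 40.3, "badge-9120"),
]


def pseudonymize(identifier, key=EDGE_KEY):
    """Keyed HMAC-SHA256 of the identifier, truncated to 16 hex characters.

    A keyed MAC rather than a plain hash: device names are guessable, so an
    unkeyed SHA-256 could be reversed by hashing candidate names.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def summarize_for_cloud(readings, key=EDGE_KEY):
    """Return one feature dict per device: pseudonym, count, mean and max.

    Raw ids, badges and timestamps are deliberately not included.
    """
    by_device = defaultdict(list)
    for device_id, _ts, temp, _badge in readings:
        by_device[device_id].append(temp)
    features = []
    for device_id, temps in sorted(by_device.items()):
        features.append({
            "device": pseudonymize(device_id, key),
            "n": len(temps),
            "mean_c": round(sum(temps) / len(temps), 2),
            "max_c": max(temps),
        })
    return features


def leaks_raw_fields(features, readings):
    """Sanity check before upload: True if any raw id or badge survives."""
    payload = json.dumps(features)
    return any(r[0] in payload or r[3] in payload for r in readings)


if __name__ == "__main__":
    summary = summarize_for_cloud(RAW_READINGS)
    assert not leaks_raw_fields(summary, RAW_READINGS)
    print(json.dumps(summary, indent=2))
```

The check in `leaks_raw_fields` is the kind of control Howard’s remark argues for: an automated gate at the edge that refuses to ship a payload still carrying raw identifiers, independent of whatever controls the central store applies later.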
In any event, Howard stresses he sees the cloud being a default model for many use cases. “Data storage in the cloud is so inexpensive that, unless you are doing heavy querying, storing in the cloud is probably a reasonable thing to do.”
8. Automation in Cybersecurity Is Also a Threat
There may be significant hype around the subject of artificial intelligence, but, in truth, there is a growing amount of automation in cybersecurity — both in terms of offense and defense. While not exclusively IoT related, one example illustrating this principle is phishing. Prominent OT cybersecurity attacks such as the cyber-induced Ukrainian power outage in 2015 had roots in a routine phishing attack. Given the availability of software tools on the dark web that help attackers streamline their campaigns and research their targets, Howard sees targeted phishing campaigns, known as spearphishing, getting worse over time. “We hear [about this fact] from clients,” Howard said. “Spearphishing is a lot more believable now.”