Cybersecurity can seem at once like a pervasive and nebulous concern. Every day, there are a variety of headlines describing banks, cities, hospitals, individuals and virtually every other possibly entity that has become a victim of a cyberattack. At the same time, it can be difficult to quantify cyber-risk. Rising numbers of IoT devices compound the risk by creating a larger and more abstract attack surface, making risk-management still more difficult.
Here, we include security advice from Sean Peasley, a Deloitte Risk and Financial Advisory partner and IoT security pioneer as well as recent research from Deloitte and Dragos, weaving in perspectives from Sara Boddy, director of F5 Labs.
[IoT Security Summit is the conference where you learn to secure the full IoT stack, from cloud to the edge. Visit the website for more information.]
1. Follow a Secure-by-Design Approach
Manufacturers developing connected products need to integrate security into product development as early as possible. “It’s very difficult, if not impossible, to get to the same level of security if you’re trying to retrofit that later in the process in the product development process,” Sean Peasley said. “As organizations develop connected products, they need to understand the [cybersecurity] risks and evaluate those, and then, hopefully, have the appropriate kind of response.”
“Organizations should be thinking of cyber everywhere in the environment,” Peasley said. That includes technologies deployed on-premise in production environments, mobile applications, in the cloud and beyond.
2. IoT Security Requires Factoring in Third-Party Risk
One of the impacts of the Internet of Things is its tendency to expand organizations’ attack surfaces. “The attack surface has increased almost exponentially from the traditional IT attack surface we had five to 10 years ago,” Peasley said. That is true from a networking perspective, of course, but it also applies equally from a software perspective. Decades ago, cars made little use of software. Now, many cars require more than 100 million lines of code to operate. A carmaker doesn’t write all of this code in house, of course. It stitches it together from myriad suppliers. In addition, as cars become more software-defined, they are becoming more reliant on cloud services. And from a cybersecurity standpoint, carmakers — along with other types of manufacturers — become more reliant on their partners.
3. Research the Threat Landscape
It’s challenging to get a cohesive picture of the threat landscape by scouring headlines and focusing on your own organization’s recent cybersecurity track record. Two meaningful megatrends from a threat actor standpoint are the recent rise in attacks both from nation-state actors as well as proverbial “script kiddies,” or inexperienced hacker wannabes, as well as young tech-savvy gamers who create malware in their spare time. All of these actors are targeting IoT devices, given their tendency to offer sub-optimal cybersecurity protections. Nation-state-back actors often pave the way with attacks that scrappier hackers can imitate, said Sara Boddy, director of F5 Labs.
4. Have a Security Strategy That Addresses Postmarket and Privacy Risks
For manufacturers, that includes focusing on postmarket cybersecurity of their products. Organizations “can’t just focus on one area because there’s risk in pretty much all of the areas as the company is trying to develop and market their goods, and acquire and manage customers,” Peasley said.
The same general principle applies to organizations with IoT deployments. The goal of making cybersecurity a fundamental priority is especially vital in operational technology environments. Organizations with OT environments should make sure they can mitigate cybersecurity risks at the earliest stage when deploying connected technology.
5. Have a Clear Cybersecurity Governance Strategy
Organizations of all stripes should strive to ensure cybersecurity awareness extends across the organization while also selecting a governance model to ensure potential problems are elevated to the appropriate stakeholder.
For IoT device manufacturers, the responsibility for cybersecurity shouldn’t be solely the focus of an information security department. Given the criticality of such products, manufacturers should ensure that cybersecurity awareness extends across the organization. “Putting the burden on the chief information security officer makes it challenging for the organization to achieve their objectives,” Peasley said.
6. Cybersecurity Awareness Should Pervade an Organization
Cybersecurity is a team sport. While the CISO can provide cybersecurity leadership to help educate and support other parts of the organization, cyber accountability should extend across the organization — from product designers and engineers to application developers to chief information officers. “We probably see upwards of 80% of CISOs are reporting to CIOs,” Peasley said. And in many cases, CIOs report to the chief executive officer or chief operating officer. Such arrangements can potentially be problematic in organizations where cybersecurity is not a top priority of the top brass. “Knowing that cyber is typically going to be one of the top risks for an organization, especially for those organizations that are developing connected products or that are using connected products in a manufacturing process,” Peasley said, CISOs should help educate the board members, helping them understand the types of risk that need to be addressed. Boards are making progress on this front, Peasley said. “I think boards are starting to get more educated on this. I think it’s taken some time, but they’re, they definitely see [cybersecurity] as a key business risk.”
7. Ensure the Organization Has Appropriate Cybersecurity Resources
Digging into technical specifics of cybersecurity can have a certain appeal, but security professionals should be able to converse with company executives and other employees in simple terms. They should be able to describe the broad risks the company is facing and the programs it has in place to address those.
“Boards are definitely seeing cybersecurity as a key business risk,” Peasley said. Senior security professionals should be able to help quantify that risk, which in turn can help shore up support for cyber initiatives, while also determining how to delegate leadership of those initiatives.
8. Keep a Close Eye on IoT Devices
It may sound like obvious advice, but many organizations aren’t fully aware of all of the IoT devices on their network, which makes it difficult to ascertain if those devices have been breached. The challenge is especially acute in operational technology environments because of the potential of active network scanning to cause problems. “There are some IoT monitoring platforms that can connect to operational environments, and do passive scanning,” Peasley said.
If having an IoT inventory is the first step, gauging the risk individual IoT devices pose and taking steps to minimize that risk is next in line. “How do we monitor for events? How do we remediate technical or security deficiencies in those environments to help ensure that you’re going to meet your risk management goals?” Peasley asked. “There are a handful of things that we suggest they do, like network segmentation, privileged access management, secure remote access and OT monitoring.”
9. Don’t Forget About Legacy Devices
Some networked devices tend to fade into the background of people’s minds. The humble printer may not register in most people’s minds as a connected device. In many industrial and health care environments, it is not uncommon to see older computers linked to equipment running operating systems like Windows XP or Windows NT.