The Internet of Things (IoT) is fast turning into an intrinsic part of the digital transformation for industries such as utilities, transportation or manufacturing. The market is expected to reach a value of $922.62 billion by 2025, becoming one of the biggest catalysts for new emerging technologies.
Although Industrial IoT (IIoT) adoption offers benefits ranging from automating and optimizing the business to eliminating manual processes and improving overall efficiencies, security continues to be an afterthought, one that creates risk that industrial organizations are ill-equipped to manage.
The Trickle-Down Effect
The lack of mature security frameworks and the breadth of security considerations are big barriers for the improvement of IoT security. Today, there is no common approach to cybersecurity in IoT, which leaves the door open for device manufacturers to take their own approach, resulting in undeveloped or underdeveloped standards to guide adoption of IoT security measures and best practices.
In many cases, manufacturers designing IIoT devices struggle to integrate effective security controls into the product design, which results in devices having little to no encryption for data at rest or in transit. Because security is not built into the device from the outset, users struggle to secure it after deployment, leaving the door permanently open to attacks that could lead to operational downtime, loss of customer data and even end-user safety hazards.
This challenge becomes compounded as users come up against other complicating factors, such as:
- Complexity of the ecosystem – an IIoT ecosystem is an amalgamation of diverse, dynamic, independent, and legacy devices that intertwine communication protocols, interfaces, and people. Such complexity hampers the ability of IT security professionals to even start with the most basic cyber hygiene, such as changing default passwords, keeping an inventory of hardware and software components on the company network or patching applications regularly.
- Intricate monitoring and management – the more complex an environment, the more likely it is that IT administrators lack visibility, access, and control over one or more of its components. Moreover, the deployment of IoT devices on legacy infrastructures and non-IP based devices also exacerbates the IT administrators’ inability to monitor and control these devices.
- Lack of IoT security awareness and knowledge – a poor understanding of connected devices and of the security of the surrounding architecture poses a significant challenge. Most organizations do not fully understand the risks and exposures their devices introduce, or the real impact (both positive and negative) those devices have on their security posture.
Treating security as an afterthought is one of the most common mistakes when building or adding new connections. Done properly, IIoT can be genuinely disruptive; done poorly, it creates unnecessary risk.
Industrial IoT Security – Partnering for IIoT Security Success
Many organizations don’t have the skills needed to maintain, let alone build their IIoT security architecture. For that same reason, they should consider partnering with specialists when moving into this space.
Managed security service providers (MSSPs) are adapting offerings to address the needs of complex IIoT environments. As IIoT devices have different application requirements, deployment conditions and networking needs than traditional enterprise environments, MSSPs are investing in specialized capabilities to understand how to configure devices for at-scale operations and to ensure that best practices are followed for both preventative and real-time maintenance.
Businesses considering partnering with an MSSP should take into account the expertise, resources, and services their potential partner will bring to the table. They need to look for a provider that will deliver leading-edge security features such as threat intelligence and monitoring, data correlation, and device management and support, while also understanding how monitoring these unique technologies differs from monitoring traditional networks. Leadership will also need to revisit policies and procedures on risk management through an IIoT lens and use audits and assessments as enablers for the application of relevant security controls.
The influx of IoT devices has opened up new entry points into enterprise networks that cybercriminals can exploit. Whether it is in a new connection or an extension of a legacy architecture, cybersecurity must be at the core of the IIoT implementation. Organizations will need to take a defense-in-depth approach to cybersecurity if they are to be better prepared to face the threats targeting IIoT. This starts by identifying the challenges their implementations present, from the increased complexity to awareness and management. The point behind IIoT is to create a seamless connection between people, devices, and networks and drive efficiencies on an industrial scale. If this is to be achieved, cybersecurity is the one guest that cannot be late to the party.
This article was originally featured in IoT For All.
The IoT market continues to grow, with investments expected to top $1 trillion by 2020, according to IDC. With the rollout of 5G, Ericsson forecasts that the number of cellular IoT connections is expected to reach 3.5 billion by 2023, and DBS Asian Insights predicts that IoT devices and services will reach an inflection point of 18-20% adoption in 2019 alone.
Security continues to be one of the greatest barriers to IoT adopters in 2019. Insecure components, prevalent malware and shortsighted attempts to apply traditional security measures to IoT networks are formidable challenges for these adopters. In step with this trend, threat actors are also adapting, developing new attack techniques and hacking tools that are more complex and harder to detect and respond to. Accordingly, we can anticipate a substantial increase in supply chain attacks, IoT botnets, and cryptominers alike.
We predict that device manufacturers will put an increased focus on security in 2019 versus previous years, but the number and scope of attacks will continue to rise. Microsoft reports that more than 90% of consumers want manufacturers to step up their security practices, and 74% would pay more for a product with additional security built in. This demand will drive innovation and increased adoption of trusted hardware and software systems. It will also force manufacturers to adopt and adhere to industry recommendations for data management and privacy, bring about increased awareness of supply chain security management and so forth. Manufacturers will also look to include bug bounty programs and responsible disclosure programs for manufactured and deployed devices to improve the security of their products.
In turn, consumers will also pay heed to IoT security governance and adopt processes and technologies that assist in governing the IoT landscape, an amalgam of several technologies comprising the cloud, devices, mobile, edge devices and so forth. For instance, they will look for IoT monitoring systems and platforms for better visibility and management, data protection technologies for better security and privacy, cloud protection technologies and active threat detection technologies.
Moreover, consumers and manufacturers alike will invest heavily in technologies that help them determine the maturity of their security programs. Companies will also look to cyber-risk insurance to safeguard their business from formidable cyberattacks.
Furthermore, as innovation in and adoption of IoT security products and services gain momentum, assisting technologies such as machine learning, artificial intelligence and blockchain will make strong inroads into IoT security products, helping to build improved trust, threat detection, identity management, and data and device management at scale. But, to a large extent, it will be government regulation that brings about a culture of shared responsibility for protecting the IoT landscape.
This article was originally featured in IoT Agenda.
Today, we are announcing the launch of our new Blockchain Security Center, a full-service practice that represents the culmination of decades of experience securing our clients’ businesses. The Center’s goal is to enable our clients to securely transform their enterprises using the power of blockchain and other Digital Ledger Technologies (DLT).
We believe that Kudelski Security is well-positioned to serve enterprises as they venture into the world of blockchain and DLT. Our 30 years of leadership in cryptography, data protection, and secure system design prepare us to partner with clients on their most innovative endeavors.
Why Blockchain? Why Now?
Blockchain is exiting its honeymoon phase. The unprecedented boom of 2017 followed by the Great Crypto Crash of 2018 has shifted much of the mainstream opinion from “miraculous” to “frivolous”. This opinion shift is valid to an extent; blockchain is not the solution to every problem. The bubble surrounding the boom, much like the technology bubble of the early 2000s, was destined to pop at some point. However, not all is lost. While the starry-eyed optimism of technology enthusiasts coupled with the “get rich quick mentality” of the ill-informed got us here, robust and sensible solutions for the enterprise will lead the way on.
Looking beyond cryptocurrency, we believe that enterprises are the future of blockchain. Blockchain and related DLT allow business leaders to disrupt old processes in a way that will impact bottom-line results and shape future markets. We have seen blockchain enable our clients to rethink their businesses far beyond the typical cryptocurrency scenarios, and we are confident that the long-term impact of the technology will be great enough to one day be immortalized in textbooks.
There are plenty of known scenarios where blockchain can enable disruption and thousands yet to be conceived, especially in areas where provability of source, monitoring of transport, or assertion of delivery is essential.
* Blockchain can save lives by bringing much-needed trust and transparency to the pharmaceutical industry. For decades, the industry has been beset by fraud and errors throughout its supply chain. Raw materials flow through a series of unrelated players on their way to becoming consumable remedies. Once completed, these remedies are distributed through yet another series of unrelated parties before making it to patients. Smart contracts supported by closed consortium-based or private permissioned blockchains could serve as a reliable and efficient mechanism for tracking the flow of information, financial capital and materials throughout the entire supply chain. This implementation of the technology could ultimately improve the quality of medications given to patients around the world and slow illegal trafficking.
* Blockchain-based identity verification systems will enable trust, provide transparency and reduce friction across business ecosystems, driving huge resource savings for enterprises. These trust-based mechanisms have the potential to reduce the burden of complying with know-your-client (KYC) and anti-money laundering (AML) regulations, making onboarding new clients cheaper and less time-consuming.
* The fine foods industry is ripe for disruption from blockchain, as counterfeit goods dilute brands, endanger consumers, and ultimately strain profits. Often these fine foods are traded between unrelated parties on a low-trust basis. By the time the products make it to the shelves, consumers are left guessing about the legitimacy of the food they intend to purchase. Tracking the movement of these goods on an immutable ledger allows the entire value chain to justify higher prices by restoring the product’s credibility to the end consumer.
The Blockchain Security Center: Up Close
The Blockchain Security Center will deliver advisory, design, and development services for enterprises internationally and later on in 2019, we anticipate launching a suite of enterprise-focused solutions. Through our experience over the past several years we have noted that the most vulnerable point of most blockchain applications is on their periphery. Though the blockchains themselves may be secure, the architecture around them is typically susceptible to intrusion. The secure-by-design mentality of blockchain must transcend the ledger itself into the development of the full stack.
For the past two years, we have assisted start-ups and enterprises in their quest to validate their blockchain applications, build ecosystems around their existing blockchains, and craft their business models based on the promise of blockchain. Taking our program forward is Scott J. Carlson, the Head of Blockchain Security. Scott will be leading the new Center, bringing decades of experience in emerging technologies, enterprise architecture, and, most recently, blockchain security for the enterprise.
We look forward to working with you.
The fourth Industrial Revolution, or Industry 4.0, is well underway. Emerging technologies such as artificial intelligence, augmented and virtual reality, wearables and autonomous vehicles are making sizeable advancements and becoming a part of everyday lives and business.
These emerging technologies all create a lot of data, data that needs to be protected. Connected medical devices transmit sensitive patient information and are also responsible for keeping people healthy and alive. Connected power plants and other critical infrastructure transmit sensitive information and are also vulnerable to attacks. The list goes on. Not only are these technologies creating large amounts of data that require protection, they also require protection for the intellectual property (IP) fueling them. Augmented and virtual reality companies are creating helmets and goggles for civil and construction employees straight out of Iron Man. And there are states out there that are not above stealing this kind of IP, which raises the stakes as many of the world’s electronic components come from those states, adding extra pressure to manufacturers to keep devices secure.
This creates two situations in which data that is enormously valuable to criminals needs extra precaution: securing both the data and the devices producing and transmitting it, and protecting the intellectual property that makes those devices work. Data in transit and data at rest in these situations require heightened security through stronger encryption and IoT security, as well as high-assurance data protection environments to secure the data when it is not in use.
IoT security efforts should focus on developing a dedicated plan to secure the IoT devices, especially given how an IoT architecture — with its disparate protocols, software and hardware — differs from the traditional enterprise network. Integrating IoT devices into enterprise networks will require new risk management strategies and updated operational security strategies with the level of protection for a given asset greatly depending on its use case and the criticality of the application it supports.
It is therefore essential for enterprises to establish a clear vision of the business need for IoT devices, validate the technologies with stakeholders (including security professionals), assess the risks, deepen their technical understanding of how the IoT system really works, and validate system operations and feasibility.
To be most effective, IoT security has to be a shared responsibility. Many security incidents could be avoided if developers and manufacturers were aware of the risks they face on a daily basis, considering not just those that affect IoT devices but also those that affect the IoT environment as a whole, and developed products accordingly. But connected devices are typically designed to be low-cost and built for a single purpose, not with security at the forefront. They often have limited memory and computing power, which means they cannot be protected by traditional endpoint security. Therefore, enterprises must fully vet new IoT devices to understand how much security is built in. For example, the device may have strong embedded encryption, or it may have an exposed USB port. The administrative password might be “password,” an open invitation for misuse and abuse.
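As an added example (not code from the original article or from any vendor), the Python script below turns the vetting points above, and the basic-hygiene items named in the IIoT post earlier on this page (default passwords, an inventory of what is on the network, patching), into a repeatable triage over a device inventory. The inventory, the device and model names, the firmware versions and the default-credential list are all constructed for this example; a real run would pull the same fields from an asset database or a network scan.

```python
"""Triage a small IIoT asset inventory for basic-hygiene failures.

Added illustrative example. The inventory, the default-credential list
and the vendor firmware table are constructed for this example and are
not taken from any real network or vendor documentation.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Commonly observed factory defaults (illustrative, not exhaustive).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("admin", ""), ("user", "user")}

# Management services that carry credentials and data in cleartext.
CLEARTEXT_SERVICES = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}

# Latest vendor firmware per model (assumed values for the example).
LATEST_FIRMWARE = {"PLC-100": "2.4.1", "GW-7": "1.9.0", "CAM-3": "5.0.2"}


@dataclass
class Device:
    name: str
    model: str
    firmware: str | None            # None = version unknown to the inventory
    admin_user: str
    admin_password: str
    services: set[str] = field(default_factory=set)
    physical_ports: set[str] = field(default_factory=set)


@dataclass
class Finding:
    device: str
    severity: str                   # "high", "medium" or "low"
    message: str


def _version_tuple(version: str) -> tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1) so firmware versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess_device(dev: Device) -> list[Finding]:
    """Apply the hygiene checks to one device and return its findings."""
    findings: list[Finding] = []
    # 1. Factory default or weak administrative credentials.
    if (dev.admin_user, dev.admin_password) in DEFAULT_CREDENTIALS:
        findings.append(Finding(dev.name, "high",
            f"factory default credentials {dev.admin_user!r}/{dev.admin_password!r}"))
    elif len(dev.admin_password) < 12:
        findings.append(Finding(dev.name, "medium",
            "admin password shorter than 12 characters"))
    # 2. Management interfaces that expose credentials in cleartext.
    for svc in sorted(dev.services & CLEARTEXT_SERVICES):
        findings.append(Finding(dev.name, "high",
            f"cleartext management service {svc} exposed"))
    # 3. Patch status: unknown firmware is an inventory gap, old firmware a patch gap.
    if dev.firmware is None:
        findings.append(Finding(dev.name, "medium",
            "firmware version unknown; inventory incomplete"))
    else:
        latest = LATEST_FIRMWARE.get(dev.model)
        if latest and _version_tuple(dev.firmware) < _version_tuple(latest):
            findings.append(Finding(dev.name, "medium",
                f"firmware {dev.firmware} behind vendor release {latest}"))
    # 4. Physical attack surface.
    if "usb" in dev.physical_ports:
        findings.append(Finding(dev.name, "low",
            "exposed USB port; restrict physical access or disable it"))
    return findings


def triage(inventory: list[Device]) -> list[Finding]:
    """Assess every device and order findings by severity, then device name."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((f for dev in inventory for f in assess_device(dev)),
                  key=lambda f: (order[f.severity], f.device))


# Constructed sample inventory: one weak PLC, one well-configured gateway,
# one camera with an unknown firmware version.
SAMPLE_INVENTORY = [
    Device("plc-line1", "PLC-100", "2.2.0", "admin", "admin",
           {"telnet", "modbus"}, {"usb"}),
    Device("gw-north", "GW-7", "1.9.0", "ops", "Tq8!vR2#mL9pZ",
           {"https", "ssh"}, set()),
    Device("cam-gate", "CAM-3", None, "root", "camera12",
           {"http", "rtsp"}, set()),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.severity:6} {finding.device:10} {finding.message}")
```

On the sample inventory the PLC with factory credentials and Telnet produces the two highest-severity findings, the camera with an unknown firmware version is flagged as an inventory gap rather than silently passed, and the gateway produces nothing. The point of scoring an inventory this way rather than eyeballing it is that the checks run again unchanged each time a device is added or a firmware table is updated.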
Finally, it should be noted that it is impossible for every IoT system to behave securely at all times within every context. A good rule of thumb and a sound approach for enterprises is to always adopt an evolving security posture.
I recently attended a meeting of likeminded Chief Information Security Officers who were discussing the challenges of their role. Conversation bounced from the need for better reporting metrics to the lack of value in threat intelligence, but one topic seemed to come up continuously – the difficulty in finding qualified security talent. That makes sense, given that a recent report by Forbes described a shortage of over one million cybersecurity experts in the United States. In Atlanta alone there are 115 cybersecurity companies, all fighting for the same talent, and that does not include the more traditional companies requiring talent for their security departments. This shortage seems to be getting worse as demands on the average information security officer increase daily. What options exist to mitigate this never-ending problem?
Good security candidates today have expectations about positions and have the leverage to demand that their expectations be met. The right compensation is only the basic ante for access to the talent. For this reason, this post is focused on non-compensation related strategies. Frankly, without the right compensation and benefits packages, none of the below matters.
Our experience is that modern candidates expect:
- Personalized technology (e.g. the endpoint of their choice or the latest IDE)
- The use of latest methodologies (e.g. Agile Software Development)
- Influence over the technology roadmap, regardless of rank
- Flexibility to innovate when required (e.g. new approaches are encouraged)
- The ability to work in collaborative, technically-challenging environments
Many companies that I meet with are working hard to create personnel pipelines but pay no attention to the internal environment that is attractive to top-end talent. Not every company can be like Google or Facebook, but without the right environment they shouldn’t be surprised when it is hard to find talent. Companies might consider including a technology package in the offer letter or job description to entice candidates.
Companies should also not overlook the small benefits when recruiting. For many candidates I have recently interviewed, all things being equal, access to standing desks, MacBook Pros, and free coffee have been important differentiators between positions. All too often, I speak with CISOs who believe that the honor alone of working for their company should be enough. Short of being one of the big names (e.g. Uber, Facebook, Google, Twitter, Netflix, etc), honor alone is tough to sell. Not to mention, creating the right culture is of paramount importance to those big names.
Where can talent be found?
In my experience, companies are leveraging three general techniques to fill their pipelines: universities, industry technical groups, and internal skill transition.
Local universities present a great option for finding new talent. Many universities will carefully modify their curriculum to meet local company needs and are hungry for outside ideas and funding for capstone projects. While creating these university pipelines at multiple universities leads to more hires, it is a long bet for primarily junior talent. Furthermore, simply financially supporting these programs is not enough. It requires a time commitment from leadership within the company and active involvement in the program from career fairs, co-operative programs, internships, capstone projects, and active partnership with student organizations. The primary advantage of university-trained talent is access to classically trained engineers and scientists.
I often ask CISOs if a college degree is an important attribute for their company when looking for new employees. Almost universally, unequivocally, I hear no. For many of them, a requirement for a college degree eliminates too many technically qualified candidates. While there is certainly a role for university-trained talent, many positions simply don’t require the classic computer science or engineering background. It is hard to compare an engineer with five years of Red Hat experience to a newly graduated candidate who understands the Linux scheduler but has never managed Linux in a production environment. Local technology meetups and industry groups such as ISACA and ISSA are great places to identify hard-to-find talent. If an engineer is invested in their field enough to join an industry group, there is a good chance they are good at their profession. At Kudelski Security, we actively participate in OpenStack-related meetups to stay abreast of local, qualified talent.
Short of finding qualified talent, many CISOs are looking to transition IT talent. As one CISO told me, “if you can’t find them, make them.” This approach requires the development of information security programs and technologies that do not require years of security experience. For example, I recently met with a company re-purposing Perl developers to build security automation systems – they partnered each development team with a security architect to mitigate any experience gaps. Another approach is to build a farm system of security talent, a minor league team. Through internships and other temporary positions, companies may be able to train talent internally. The challenge with this approach is that you are paying for talent that is not contributing in the short term.
It is worth noting that employees who like their job are more likely to stay and will also try to attract top-level talent to join them. The security community is not that large, and both good and bad information on employers travels quickly. Six degrees of Kevin Bacon is alive and well within the community – even if the candidate doesn’t know someone who worked at a company, they likely know someone, who knows someone, who did.
Overall, finding qualified talent is difficult and outside-the-box thinking is often required. I have seen more progressive companies take serious outside-the-box approaches to finding and re-training existing talent. While somewhat self-serving as a Managed Security Service Provider (MSSP), it is important to note that careful outsourcing of capabilities can help reduce the impact of this problem. By outsourcing tasks that a company cannot possibly hope to staff, it can focus on hiring the qualified talent it can find. My experience is that CISOs who first focus on building an environment that is attractive to top talent do not struggle as much with talent shortfalls. Correlation or causation?