The IoT market continues to grow, with investments expected to top $1 trillion by 2020, according to IDC. With the rollout of 5G, Ericsson forecasts that the number of cellular IoT connections is expected to reach 3.5 billion by 2023, and DBS Asian Insights predicts that IoT devices and services will reach an inflection point of 18-20% adoption in 2019 alone.
Security continues to be one of the greatest barriers to IoT adopters in 2019. Insecure components, prevalent malware and shortsighted attempts to apply traditional security measures to IoT networks act as formidable challenges to these adopters. Heeding to this new zephyr, threat actors are also adapting and innovating new attack services and hacking tools that will be more complicated and more difficult to detect and respond to. In accordance, we can anticipate a substantial increase in supply chain attacks, IoT botnets, and cryptominers alike.
We predict that device manufacturers will put an increased focus on security in 2019 versus previous years, but the number and scope of attacks will continue to rise. Microsoft reports that more than 90% of consumers want manufacturers to step up their security practices, and 74% would pay more for a product with additional security built in. This demand will drive innovation and increased adoption of trusted hardware and software systems. It will also force manufacturers to adopt and adhere to industry recommendations for data management and privacy, bring about increased awareness of supply chain security management and so forth. Manufacturers will also look to include bug bounty programs and responsible disclosure programs for manufactured and deployed devices to improve the security of their products.
Alternatively, consumers will also pay heed to IoT security governance and adopt processes and technologies that assist in the governance of the IoT landscape — an amalgam of several technologies comprised of the cloud, device, mobile, edge devices and so forth. For instance, they will look for IoT monitoring systems and platforms for better visibility and management, data protection technologies for better security and privacy, cloud protection technologies and active threat detection technologies.
Moreover, consumers and manufacturers alike will invest heavily in technologies that assist them in determining the maturity of their security programs. Companies will also look to cyber-risk insurance to safeguard their business from formidable cyberattacks nonetheless.
Furthermore, as IoT security products and services innovation and adoption gains momentum, assisting technologies, such as machine learning, artificial intelligence and blockchain, will make strong and forced inroads into IoT security products, assisting in building improved trust, threat detection, identity management, and data and device management at scale. But, to a large extent, government regulations will bring about a culture of shared responsibility for protecting the IoT landscape.
This article was orginally featured in IoT Agenda.
Today, we are announcing the launch of our new Blockchain Security Center, a full-service practice that represents the culmination of decades of experience securing our clients’ businesses. The Center’s goal is to enable our clients to securely transform their enterprises using the power of blockchain and other Digital Ledger Technologies (DLT).
We believe that Kudelski Security is well-positioned to serve enterprises as they venture into the world of blockchain and DLT. Our 30 years of leadership in cryptography, data protection, and secure system design prepare us to partner with clients on their most innovative endeavors.
Why Blockchain? Why Now?
Blockchain is exiting its honeymoon phase. The unprecedented boom of 2017 followed by the Great Crypto Crash of 2018 has shifted much of the mainstream opinion from “miraculous” to “frivolous”. This opinion shift is valid to an extent; blockchain is not the solution to every problem. The bubble surrounding the boom, much like the technology bubble of the early 2000s, was destined to pop at some point. However, not all is lost. While the starry-eyed optimism of technology enthusiasts coupled with the “get rich quick mentality” of the ill-informed got us here, robust and sensible solutions for the enterprise will lead the way on.
Looking beyond cryptocurrency, we believe that enterprises are the future of blockchain. Blockchain and related DLT allow business leaders to disrupt old processes in a way that will impact bottom-line results and shape future markets. We have seen blockchain enable our clients to rethink their businesses far beyond the typical cryptocurrency scenarios, and we are confident that the long-term impact of the technology will be great enough to one day be immortalized in textbooks.
There are plenty of known scenarios where blockchain can enable disruption and thousands yet to be conceived, especially in areas where provability of source, monitoring of transport, or assertion of delivery is essential.
* Blockchain can save lives by bringing much-needed trust and transparency to the pharmaceutical industry. For decades, the industry has been beset by fraud and errors throughout its supply chain. Raw materials flow through a series of unrelated players on their way to becoming consumable remedies. Once completed, these remedies are distributed through yet another series of unrelated parties before making it to patients. Smart contracts supported by closed consortium-based or private permissioned blockchains could serve as a reliable and efficient mechanism for tracking the flow of information, financial capital and materials throughout the entire supply chain. This implementation of the technology could ultimately improve the quality of medications given it to patients around the world and slow illegal trafficking.
* Blockchain-based identity verification systems will enable trust, provide transparency and reduce friction across business ecosystems, driving huge resource savings for enterprises. These trust-based mechanisms have the potential to reduce the burden of complying with know-your-client (KYC) and anti-money laundering (AML) regulations, making onboarding new clients cheaper and less time-consuming.
* The fine foods industry is ripe for disruption from blockchain, as counterfeit goods dilute brands, endanger consumers, and ultimately strain profits. Often these fine foods are traded
between unrelated parties on a low-trust basis. By the time the products make it to the shelves, consumers are left guessing about the legitimacy of the food they intend to purchase. Tracking the movement of these goods on an immutable ledger allows the entire value chain to justify higher prices by restoring the product’s credibility to the end consumer.
The Blockchain Security Center: Up Close
The Blockchain Security Center will deliver advisory, design, and development services for enterprises internationally and later on in 2019, we anticipate launching a suite of enterprise-focused solutions. Through our experience over the past several years we have noted that the most vulnerable point of most blockchain applications is on their periphery. Though the blockchains themselves may be secure, the architecture around them is typically susceptible to intrusion. The secure-by-design mentality of blockchain must transcend the ledger itself into the development of the full stack.
For the past two years, we have assisted start-ups and enterprises in their quest to validate their blockchain applications, build ecosystems around their existing blockchains, and craft their business models based on the promise of blockchain. Taking our program forward is Scott J. Carlson, the Head of Blockchain Security. Scott will be leading the new Center, bringing decades of experience in emerging technologies, enterprise architecture, and, most recently, blockchain security for the enterprise.
We look forward to working with you.
The fourth Industrial Revolution, or Industry 4.0, is well underway. Emerging technologies such as artificial intelligence, augmented and virtual reality, wearables and autonomous vehicles are making sizeable advancements and becoming a part of everyday lives and business.
These emerging technologies all create a lot of data, data that needs to be protected. Connected medical devices transmit sensitive patient information and are also responsible for keeping people healthy and alive. Connected power plants and other critical infrastructure transmit sensitive information and are also vulnerable to attacks. The list goes on. Not only are these technologies creating large amounts of data that require protection, they also require protection for the intellectual property (IP) fueling them. Augmented and virtual reality companies are creating helmets and goggles for civil and construction employees straight out of Iron Man. And there are states out there that are not above stealing this kind of IP, which raises the stakes as many of the world’s electronic components come from those states, adding extra pressure to manufacturers to keep devices secure.
This creates two situations where data, whose value is exponential to criminals, needs to be given extra precaution when securing both it and the devices producing and transmitting it, as well as protecting the intellectual property making them work. Data in transit and data at rest in these situations require heightened security through greater encryption and IoT security as well as high-assurance data protection environments to secure it when not in use.
IoT security efforts should focus on developing a dedicated plan to secure the IoT devices, especially given how an IoT architecture — with its disparate protocols, software and hardware — differs from the traditional enterprise network. Integrating IoT devices into enterprise networks will require new risk management strategies and updated operational security strategies with the level of protection for a given asset greatly depending on its use case and the criticality of the application it supports.
It is therefore essential for enterprises to establish a clear vision of the business need for IoT devices, validate the technologies with stakeholders (including security professionals), assess the risks, deepen their technical understanding of how the IoT system really works, and validate system operations and feasibility.
To be most effective, IoT security has to be a shared responsibility. Many security incidents could be avoided if developers and manufacturers were aware of the risks they face on a daily basis, considering not just those that affect IoT devices, but also those that affect the IoT environment as a whole and develop products accordingly. But connected devices are typically designed to be low-cost and built for a single purpose — not with security at the forefront. They often have limited memory and computing power, which means they can’t be protected by traditional endpoint security. Therefore, enterprises must fully vet new IoT devices to understand how much security is built in. For example, the device may have strong embedded encryption, or it may have a USB port. The administrative password might be “password,” providing an open invitation for misuse and abuse.
Finally, it should be noted that is impossible for every IoT system to behave securely at all times within every context. A good rule of thumb and a sound approach for enterprises is to always adopt an evolving security posture.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
I recently attended a meeting of likeminded Chief Information Security Officers who were discussing the challenges of their role. Conversation bounced between the need for better reporting metrics to the lack of value in threat intelligence, but one topic seemed to come up continuously – the difficulty in finding qualified security talent. Makes sense given a recent report by Forbes described a shortage of over one million cybersecurity experts in the United States. In Atlanta alone there are 115 cybersecurity companies, all fighting for the same talent, and that does not include the more traditional companies requiring talent for their security departments. This shortage seems to be getting worse as demands on the average information security officer increase daily. What options exist to mitigate this never-ending problem?
Good security candidates today have expectations about positions and have the leverage to demand that their expectations be met. The right compensation is only the basic ante for access to the talent. For this reason, this post is focused on non-compensation related strategies. Frankly, without the right compensation and benefits packages, none of the below matters.
Our experience is that modern candidates expect:
- Personalized technology (e.g. the endpoint of their choice or the latest IDE)
- The use of latest methodologies (e.g. Agile Software Development)
- Influence over the technology roadmap, regardless of rank
- Flexibility to innovate when required (e.g. new approaches are encouraged)
- The ability to work in collaborative, technically-challenging environments
Many companies that I meet with are working hard to create personnel pipelines but pay no attention to the internal environment that is attractive to top-end talent. Not every company can be like Google or Facebook, but without the right environment they shouldn’t be surprised when it is hard to find talent. Companies might consider including a technology package in the offer letter or job description to entice candidates.
Companies should also not overlook the small benefits when recruiting. For many candidates I have recently interviewed, all things being equal, access to standing desks, MacBook Pros, and free coffee have been important differentiators between positions. All too often, I speak with CISOs who believe that the honor alone of working for their company should be enough. Short of being one of the big names (e.g. Uber, Facebook, Google, Twitter, Netflix, etc), honor alone is tough to sell. Not to mention, creating the right culture is of paramount importance to those big names.
Where can talent be found?
In my experience, companies are leveraging three general techniques to fill their pipelines: universities, industry technical groups, and internal skill transition.
Local universities present a great option for finding new talent. Many universities will carefully modify their curriculum to meet local company needs and are hungry for outside ideas and funding for capstone projects. While creating these university pipelines at multiple universities leads to more hires, it is a long bet for primarily junior talent. Furthermore, simply financially supporting these programs is not enough. It requires a time commitment from leadership within the company and active involvement in the program from career fairs, co-operative programs, internships, capstone projects, and active partnership with student organizations. The primary advantage of university-trained talent is access to classically trained engineers and scientists.
I often ask CISOs if a college degree is an important attribute for their company when looking for new employees. Almost universally, unequivocally, I hear no. For many of them, a requirement for a college degree eliminates too many technically qualified candidates. While there is certainly a role for university-trained talent, many positions simply don’t require the classic computer science or engineering background. It is hard to compare an engineer with five years of Red Hat experience to a newly graduated candidate who understands the Linux scheduler but has never managed Linux in a product environment. Local technology meetups and industry groups such as ISACA and ISSA are great places to identify hard to find talent. If an engineer is invested in their field enough to join an industry group, there is a good chance they are good at their profession. At Kudelski Security, we actively participate in Open Stack related meet-ups to stay abreast of local, qualified talent.
Short of finding qualified talent, many CISOs are looking to transition IT talent. As one CISO told me, “if you can’t find them, make them.” This approach requires the development of information security programs and technologies that do not require years of security experience. For example, I recently met with a company re-purposing Perl developers to build security automation systems – they partnered each few development team with a security architect to mitigate any experience gaps. Another approach is to build a farm system of security talent or a minor league team. Through internships and other temporary positions, companies may be able to train talent internally. The challenge with this approach is that you are paying for talent that is not contributing in the short term.
It is worth noting that employees that like their job are more likely to stay and will also try and attract top level talent to join them. The security community is not that large and both good and bad information on employers travels quickly. Six degrees of Kevin Bacon is alive and well within the community – even the candidate doesn’t know someone who worked at a company, they likely know someone, who knows someone, who did.
Overall, finding qualified talent is difficult and outside the box thinking is often required. I have seen more progressive companies take serious outside-the-box approaches to finding and re-training existing talent. While somewhat self-serving as a Managed Security Service Provider (MSSP), it is important to note that careful outsourcing of capabilities can help reduce the impact of this problem. By outsourcing tasks that a company cannot possibly hope to staff, this enables them to focus on staffing qualified talent they can find. My experience is that CISOs that first focus on building an environment that is attractive to top talent do not struggle as much with talen shortfalls. Correlation or causation?
There have now been 2 massive rounds of DDoS attacks recently using Internet of Things devices. The first round of attacks took down OVH, an Internet Hosting Provider and cloud hosting service, and KrebsOnSecurity. The second round just occurred, and brought down Dyn, a major DNS hosting provider. This latest attack impacted many sites, including Twitter, Amazon, and Netflix. KrebsOnSecurity has a good article explaining the impact and cause [here].
So why is this happening now? The general feeling is that the release of the Mirai botnet source code has given an IoT army to anyone who wants it. Mirai took advantage of default passwords in IoT devices, and amassed enough resources to produce over 620GB of DDoS Traffic. With the source code released, anyone can run the program to take over the same IoT devices. However, the botnet is really just a symptom. A symptom of the current disregard of security best practices by some in the IoT industry.
In this attack, the botnet is benefiting from IoT device white-labeling. Many IoT vendors will include chips and devices from other manufacturers upstream and sell them as their own. In this case, according to this Flashpoint report, a Chinese manufacturer was providing DVR, NVR, and IP based camera boards to downstream manufacturers. These boards had default usernames and passwords that were effectively unmodifiable. In addition, they also included default-enabled services that allowed easy access to these accounts.
For an IoT manufacturer, there are two points where this attack could have been prevented. First, the Chinese manufacturer should have done a security analysis of their device and removed the account. Second, the IoT downstream vendor should have done a security analysis of any chip or board they were including in their product. They could have asked the upstream provider to fix the issues or provided countermeasures in their own product.
Realistically, all IoT vendors do not have the security expertise to architect robust, safe systems that are hardened against attack. That said, IoT vendors need to become more security conscious. They need to pressure their industry to enable security by default as well as embrace already common corporate practice of external penetration testing and security assessments to assess their devices, for the safety and security of us all. The problem with this is that there is nowhere for IoT vendors to turn for this expertise and support. On that topic there is more to come, and very soon. Stay tuned…