
This week several reports came out designed to strike terror into the hearts of companies using connected devices. Yes, these reports were sponsored by security vendors. Amidst some of the terrifying data points and an amusing chart that claims that business leaders aren’t worried enough about IoT security, there was one worthwhile point.
In many cases enterprise respondents said there is real confusion about who is responsible for securing the internet of things. That may be because IoT is just a fancy way of describing devices connected to your network, and traditionally some of those devices were not part of IT’s domain, but it’s also an organizational question we should be talking about.
Not only should enterprises ask this question, but every single player in the connected device ecosystem needs to ask this. It does no good if the CISO, the CIO, or the plant IT manager has taken over the responsibility of securing an organization’s network if the vendors have fallen down on the job. Or if their vendors’ vendors have.
The medical device industry is an excellent example of this failure to take responsibility for security at several stages. Let’s say a hospital has a competent CISO who can convince the medical equipment purchasing committee that security matters enough to factor hugely into the purchase of an infusion pump (this is a big if, because doctors and nurses typically have a lot more say in these decisions and their concerns may be different).
But the CISO’s best efforts can easily be stymied by the vendors who might include old versions of Windows as the OS inside their machines or fail to encrypt patient data inside the pump (both are actual vulnerabilities that have been discovered). These vendors may blame the FDA or their own vendors for failing to secure their devices. They may also cite costs. In some cases companies that build physical products or offer cloud services may have their own outside vendors that contract work out to others. And those vendors aren’t always secure.
These supply-chain vulnerabilities have come back to haunt movie studios recently, as well as companies relying on silicon that’s running compromised firmware. So the question of who should ultimately be responsible is a good one, but a complex one. While I believe that everyone is experiencing a huge wake-up call associated with device security at the moment, the long time it takes to develop a product, combined with the long life cycle of these devices, can mean that we’re still 10 to 15 years out from having more secure devices in places like hospitals or factories.
And so when I read in a survey commissioned by Forescout that 59% of IT executives are willing to accept medium to high risk in relation to IoT security compliance because they seem to feel powerless to do anything else, I get it. They must feel like the lone hero in a movie when an entire alien civilization is about to attack. Only in the real world, there’s no strategically placed nuclear bomb or deus ex machina in place to save the day.
So what to do? I think everyone should be trying to take and apportion out responsibility for security around connected devices and services. And after that, there are some basic steps to take.
First, your organization has to establish a baseline practice for security hygiene. This includes training employees about phishing, good passwords, not plugging in foreign USB devices, encrypting data, thinking carefully about what data should be stored, and evaluating the security of the place where it is stored. More suggestions can be found here.
Second, push your vendors to provide security by signaling that it matters. This may mean educating purchase committees, and it most definitely means paying for security. Ask for the results of security audits, ask how long they plan to support the software for the device, and ask how many times a year you can expect security updates.
Third, monitor your networks and understand your risks. This is where the security vendors are right. You will need some of their products, although I’m not sure the security budget has to scale in a one-to-one ratio with the device budget. Companies that track network data, the behavior of devices on your network, and what happens to data after it leaves your network are good. Another company whose approach feels useful is a startup called ShiftLeft.
The company deploys an agent on your production network and then instructs the agent to enact an attack. The agent goes through the steps of the attack documenting where it can attack and how it succeeds. Since this is an agent, no real harm is done, but it provides a trail of data that shows where an organization is vulnerable. That seems worth knowing and running as the threat surface gets larger because of more connected devices.
Finally, have a plan in place for vulnerabilities or problems before they happen. Obviously a company can’t plan for every potential vulnerability or attack, but having a plan to deal with a software vulnerability, a data breach, or a hack that threatens the physical integrity of a hospital or plant seems like the bare minimum. It’s exactly like prepping for a fire by having an evacuation and safety plan in place. That’s why many organizations make use of vulnerability management services offered by companies such as gasystems.com.au in the hope that they can shore up their software’s security.
As more of our physical infrastructure is tied to IT networks and the internet, the concept of fire drills for software breaches may not be so far fetched.
As a former cybersecurity practitioner in IOT/embedded, I agree with your insights. Not long ago, security in embedded (before it was called IOT) was given mostly to physical isolation and no field updates. When IOT features – connectivity and manageability – are added without rethinking security, things are bound to fail.
Generally speaking, security is about design, people and practices. It is layered, in the organization, supply chain and the system; and it constantly evolves over time with no end state.