Despite its many blessings, let’s call IoT what it is: The Internet of Threats.
Most of the current 15M IoT devices are completely open to cybercriminals because they constitute a greatly expanded and largely unprotected attack surface.
According to McKinsey, almost 50 percent of CXOs with IoT investments admit they have been attacked. More than 25 percent of those attacked estimate that they had high or severe damage. Yet the bottom line is that doing IoT at scale is such a strategic imperative that these attacks do not slow IoT implementation. Yes, companies are investing seriously in everything cybersecurity, from vulnerability management software to cloud security. However, securing the network is still a huge problem that doesn’t seem to curtail strategic IoT investments.
Historical Retrospective: The Problem
Let’s look at how we got here so we might arrive at a solution.
Industrial Control System (ICS) environments in the past were not connected to the Internet. For example, a beer-producing plant that is automated to produce millions of bottles of beer (brew, ferment, clean the bottles, label, and fill them) through Operational Technology (OT) was not Information Technology (IT)-enabled. Instead, they were isolated islands that did not have IP connectivity. Now that IT and OT are merging in strategic IoT investments, we have to admit we’ve brought the risks from the IT environments to the OT/ICS environments.
Making that challenge even more difficult are classical OT people, who work on industrial solutions but have no IT or even IP knowledge. In the IoT world of connected devices, we are asking OT professionals to expand their skills to not only support critical manufacturing processes but understand how IT technology impacts that environment. On the other side of the coin, we are asking IT-trained professionals (experts in TCP/IP and packet drops) to work in an ICS/OT environment, where they will inevitably disrupt the beer production process.
Let’s review what we know about IoT today.
Threats to the greater IoT attack surface are:
Historic:
- Proliferation of botnets
- Ransomware
- Phishing attacks
And additionally, IoT-specific:
- Physical access (data stolen directly from the IoT device)
- Open access (IoT devices are not secure by default)
IoT devices must be designed with encryption, robust access controls, and regular updates to patch vulnerabilities, and they must be operated with network segmentation that can isolate IoT devices from critical infrastructure systems, limiting their exposure to external threats. They must also be reinforced with regular user education so that employees are trained on the risks associated with IoT devices and provided with the knowledge and tools to use these devices securely. That should be a regular part of corporate training, updated annually or more often to educate the workforce.
The Two-Pronged Solution
The proposed security measures above are good to detail but are clearly all in place. If we’re viewing strategic IoT projects as security-first, we need to be proactive to minimize the holes in the planning stage. That requires that we bridge the chasm between OT and IT professionals so they work in unison and not at cross purposes.
1. Training to solve for this gap
We should start by using the MITRE ATT&CK® framework to protect our Industrial Control Systems (ICS). The freely available framework helps model cyber adversaries’ tactics and techniques—and then shows how to detect or stop them. The ATT&CK knowledge base outlines common tactics, techniques, and procedures used by cyber adversaries. ATT&CK provides a common language for defenders to have conversations about emerging threats and develop effective defensive strategies. Bringing the framework into the ICS world provides a common set of processes and procedures that allow OT and IT to work together to ensure strategic value while minimizing cyberthreats.
2. The Oath of IoT Hygiene
Given the Biden Administration’s Cybersecurity Executive Order, CISOs must carefully protect their customers, employees, investors, and more by assuming a proactive posture around IoT cybersecurity in 2023 and beyond. Or possibly face fines?
To that end, I propose that an industry leader or group of leaders take the initiative to boldly propose that the security community commit to an informal oath of what I’ll call IoT hygiene.
“We must act vigorously to mitigate IoT attacks. We cannot afford to wait for a major security breach to occur before taking action. We must, as security professionals, be proactive in addressing the vulnerabilities of IoT devices and take a holistic approach to security. We are the only ones who are going to protect our organizations and our customers from the devastating consequences of IoT cyberattacks.”
It may sound like window dressing, but it can spotlight the key steps that everyone should agree on before the house of cards falls.