Is it just me, or is the frequency and impact of IoT cyberattacks accelerating around the world? Week after week, we hear about yet another serious incident. Last fall, it was the massive distributed denial of service (DDoS) attack that brought Twitter, Netflix, Spotify, and other popular web sites to their knees. Then in May and June, there were two widespread global ransomware attacks—WannaCry and Petya—which shut down the IoT operations of a number of companies. And these are just a few of the attacks that have made it onto the evening news.
It’s true that hackers seem to be getting more aggressive. But many of these attacks could have been avoided if everyone—from regular users and enterprises to governments and vendors—was more aware of common-sense security practices. Simply requiring organisations and users to reset default passwords on Internet-connected cameras during the setup process would have prevented last October’s DDoS attack. The recent ransomware attackers gained access to their victims because older computers and their operating systems were not properly patched and employees didn’t stop to think before clicking on a link in a phishing email. All this proves once again that most security breaches take advantage of well-known vulnerabilities that haven’t been properly addressed, despite ample alerts.
Bottom line: Even with the most effective cybersecurity technology, such as Cisco’s Talos integrated threat defence (which blocks 20 billion threats each day—that’s more than six times the number of Google searches conducted daily), we still need to cultivate a culture of greater security awareness. And that’s the seventh ingredient in my recipe for IoT success: Make security everybody’s top priority. Users, manufacturers, integrators, security vendors, technology vendors, IT teams, Operational Technology teams, employees—all of us have a critical role to play. Cybersecurity is everyone’s responsibility.
Start with some best practices
First, all of us must realise there is no silver bullet or foolproof solution ensuring complete IoT security if we want to enjoy the full benefits of connected systems. Even physical isolation doesn’t work. This was demonstrated by the Stuxnet virus, which made its way into industrial operations via a thumb drive. Nonetheless, everyone can make informed decisions around risk versus cost by applying a few key principles:
· Use risk assessments to determine how much risk you can tolerate for each system and business process. Then use policies, analytics, and automation to enable your systems to prioritise, contain, and defeat attacks based on these assessments. Engage top management in this process since enterprise security issues already put their jobs on the line.
· Take an architectural approach, break down current functional silos, engage with your Chief Information Security Officer (CISO) to create a unified and policy-based security architecture across the enterprise, and design security into everything, right from the start. Don’t just bolt on security after designing the solution.
· Minimise “Shadow IT.” To avoid compromising enterprise-wide security, work with your IT and security teams to “bring into the fold” all the teams and departments implementing their own tools, devices, and connections.
· Adopt a comprehensive before/during/after approach. Implement strategies before an attack to prevent unauthorised access (from both external and internal players). During an attack, quickly identify the breach and shut it down. Then, after the attack, assess and minimise the damage—and adjust security practices based on lessons learned.
· Integrate physical security and digital security. Many IoT security attacks originate inside the organisation. Thus, implementing security best practices that include both physical security (including tailgating prevention policies and use of biometrics to control access) and digital security (role-based access, etc.) is essential.
· Adopt industry-supported standards. Proprietary approaches will cripple your security efforts down the road and increase their cost.
· Automate and monitor IoT security end-to-end. Build in intelligence and predictive analytics. The fast-growing volume of IoT activity will quickly swamp manual efforts, even in small organisations. We suffer from a severe shortage of security experts—especially in IoT—and this challenge will continue. Automation and deployment of smart tools is the answer.
· Segment traffic and use a multi-tenant network infrastructure to isolate problems. It’s one thing to have a DDoS attack that shuts down employee access to the HR system for a few hours. It’s quite a different thing to have a breach that crashes your production line. So keep interface components separate from critical infrastructure.
· Finally, educate everyone about security practices and policies. This includes employees, partners, vendors—everyone in your business ecosystem.
Make IoT security everybody’s responsibility
Security doesn’t begin and end in the CISO’s office; it’s everybody’s job throughout the value chain—from manufacturers to end users:
· Device manufacturers: As IoT matures, the burden for securing end-user devices is falling increasingly on manufacturers. In the United States, the Federal Trade Commission has released new guidelines for how manufacturers should inform customers about device security, including whether and how the device can receive security updates, and the anticipated timeline for the end of security support.
· Security vendors: After last fall’s IoT DDoS attacks, all major vendors have finally started to invest in IoT security. The industry is accelerating work in standards, interoperability, and certifications, reminiscent of how it responded to Wi-Fi security challenges 15 years ago.
· Businesses: Back in the day when industrial enterprises ran self-contained, proprietary systems, “security by obscurity” was standard practice—if you’re not connected to anything, no one can break in. That approach no longer applies in today’s connected IoT environment (if it ever did), so businesses must rely on the policy-based architectural approach outlined above.
· Employees: Train every employee in security best practices, whether “security” is in their job description or not. Incorporate both digital and physical security best practices into all of your standard procedures. Train, retrain, reinforce.
· End-users: Education and awareness must extend to consumers. We should be requiring users to reset default device names and passwords when setting up home IoT systems such as cameras or smart appliances, while the industry is working to adopt more modern ways to secure consumer-class devices.
Re-think IoT security, but don’t reinvent the wheel
It is true that IoT security is in many ways unique: It is more distributed, more heterogeneous, and more dynamic than traditional IT security environments. It also introduces new scenarios (think connected cars, sensor swarms and consumer-class devices in the workplace) that require brand new approaches to security.
For most organisations, the logical first step on their IoT security journey is to leverage 30+ years of experience and best practices that IT security systems give us. So don’t reinvent the wheel. Instead, take a comprehensive, strategic, policy-based architectural approach by extending and enhancing current IT security architectures to cover IoT devices, infrastructure, solutions, and use-cases.
Yes, we are dealing with an active adversary. But it doesn’t mean that security should be something we fear. The right answer is to develop an informed risk assessment and monitoring strategy, accompanied by an appropriate and proportional security response that accounts for the particular threat level and the amount of value at risk. Securing your IoT deployment is not a one-time event, so implement it as an ongoing process, like the IoT journey itself. And that begins with making security job one for everyone.
What do you think?
Maciej Kranz, Vice President, Corporate Strategic Innovation Group, Cisco