Event: Security Strategies uniting IT and OT, in the era of industrial-IoT Event Type: Roundtable Organiser: Trend Micro (https://www.trendmicro.com) Date: Wednesday 31st July 2019 Location: Scott's Restaurant in Mayfair, London
Trend Micro hosted this very interesting event that saw a small group of around 20 people (including Trend Micro staff) from different sectors unite around a table at Scott’s Restaurant in Mayfair to discuss Cyber Security surrounding Internet of Things devices. There were guest speakers including Robert Orr and Scott Atkin who took it in turns to speak between each dinner course about their experience within the IoT sector and the problems surrounding securing Internet of Things devices.
Following each speech a discussion took place around the table where many points of view were put across however what became quickly apparent was that it didn’t matter what sector you came from; NHS, Government or Corporate we all faced the same challenges surrounding Cyber Security. These challenges included:
- User awareness/training – You can’t prevent something you don’t know exists.
- Cultural change required by everybody, including end-users, management, vendors and us as IT professionals.
- Regulations – They exist… don’t they?
- Finance – Do we want Cyber Security? Yes. Can we afford Cyber Security? Hmm…possibly? Will management spend the required money on Cyber Security? No.
All of these points could realistically apply to all areas of Cyber Security however let’s look at what IoT devices are and then how each of these points individually relate to the security of IoT devices.
What are IoT devices?
IoT (short for Internet of Things) devices are devices that have the ability to transfer data. This term is commonly reserved for devices you would not usually expect to have a network connection for example; smart lightbulbs, smart meters, smart doorbells, smart thermostats and smart watches. You would not usually expect these devices to transmit and receive data over the network however smart versions of these devices do possess such characteristics and therefore these versions fall within the IoT devices category. Other common IoT devices include smart hubs such as the Google home and Amazon Alexa.
Hold on, what about your laptop or smart phone? Well your laptop is expected to have a network connection so does not normally fall within the IoT devices category. Your smart phone, well this depends who you ask, some argue a smart phone is an IoT device and others disagree (there are strong arguments on both sides), so as you can see there is still some ambiguity surrounding what classifies as an IoT device and what doesn’t.
User Awareness/Training
You’re only as strong as your weakest link, and this is particularly true when it comes to Cyber Security. It is our responsibility as the professionals within the industry to make sure our users are aware and understand the security threats that are posed every day. We are not experts and do not understand the finer details of the roles fulfilled by our users so why should we expect them to understand the finer details of our roles such as what is involved in mitigating and where possible eliminating Cyber Security threats? It is crucial we empower our users to securely operate devices required to fulfil their duties and the most effective way to achieve this is to provide a rigorous and robust Cyber Security awareness program.
Non-IT professionals are still coming to terms with the security threats that are posed against their everyday devices like laptops and mobile phones but, and understandably, they do not recognise the security threats that other IoT devices they may use are subject to. Let’s take an IoT insulin delivery device as an example. As far as the medical professional and the patient using the device are aware, this device delivers the required amount of insulin to the patient and that’s all there is to it however recently MedTronic have recalled some of their devices (particularly MiniMed 508 and Paradigm insulin pumps) due to a vulnerability discovered in them. These devices could be exploited by a malicious person in nearby proximity by spoofing commands being sent from the Carelink controller device to adjust the amount of insulin being provided to the patient, creating a life threatening situation. MedTronic accepted this vulnerability could not be effectively patched so they voluntarily recalled the devices and provided replacement devices that did not suffer the same security flaw to their users. This demonstrates that even devices you least suspect to have security vulnerabilities can actually experience the most serious kind of security flaw that could lead to loss of life. Visit https://nvd.nist.gov/vuln/detail/CVE-2019-10964 for more information.
Cultural Change
For positive changes to happen successfully they needs to be accepted by all involved and this was identified as a key feature to enhancing Cyber Security surrounding IoT devices. Cultural change is required by everybody; management, vendors, government, end-users and ourselves! With more Cyber Security awareness being provided the cultural change should be a lot easier to implement. When management realise the importance of hardening security for IoT devices their culture towards it will become more positive and they can then use their influence to improve cultural change within their organisation. Once management have accepted the change it is then far easier to dedicate the resources to educating end-users with the Cyber Security threats that are faced daily and the simple steps they can take to do their part by adapting their culture to make sure the organisation remains as secure as possible. With management and end-users cultural change towards a more secure environment pressure can be put on Vendors to change their culture into making sure any equipment they provide has been rigorously tested to be as secure as they can make it and stopping them simply concentrating on selling their devices to make as much money as quickly as possible.
Regulation
Regulations exist surrounding securing IoT devices but the problem is they are not enforced to the extent they should be by the regulators. Vendors must be accountable for the security of their products. A common theme that appeared during the discussions by professionals across different industries was that there are regulations in place but they need to be more forcefully implemented forcing vendors to adhere to a strict code of conduct. Enhancing Cyber Security is a collective task and particularly in relation to IoT device this must include vendors doing their utmost to ensure devices they provide are as a robust as possible. Enforcing effective regulations will make sure vendors cannot simply concentrate on their bottom line and can expect to be severely reprimanded for distributing vulnerable devices. Going back to the earlier MedTronic example relating to vulnerable insulin pumps it was great that they voluntarily recalled their devices but what happens if they didn’t?
International standards must be defined and imposed that all IoT devices should adhere to in respect of their security. Regulators must then force vendors to comply with this international standard before they are able to distribute any of their devices. With the standard being international users can expect to get the same quality of device no matter where they are in the world.
The UK Government have announced they will be introducing a new law for IoT devices that will include a labeling process for each device that rates it’s security. As long as this is administered effectively and the requirements for each rank/level are clear, precise and accessible this could be a positive change towards enforcing vendors to concentrate on the security of their devices as they will have to publicly disclose how secure their device actually is. However, on the other side of this, disclosing all of this information will provide valuable information to those with malicious intent. This law will almost certainly increase the cost of IoT devices as vendors will have to dedicate more resources to making sure the security of their devices are competitive and meet the appropriate requirements.
Finance
Finance is not only one of Cyber Security’s biggest allies it’s also one of it’s biggest enemies. Robust Cyber Security costs a considerable amount of money. With more attack vectors surfacing, more resilience is required and this costs money. One of the biggest challenges faced by professionals within the Cyber Security industry is the lack of resources available due to the cost.
A sentiment that was echoed throughout the evening by many attendees was the challenge of getting budget holders to part with the money required to develop and sustain a secure environment. It seems that Senior Management in organisations across the country (and even the world) all appreciate the importance finance plays within their company but don’t yet fully appreciate the importance of Cyber Security. This is likely down to the lack of awareness about the security threats that are posed every day and the requirement for culture change. Absolutely, finance is critical to the on-going nature of a company or organisation and when funds are spread thin it is hard to justify the expenditure on enhancing Cyber Security but on the flip side the cost of a security breach must be extensively considered. Security breaches are immensely costly; the reputation damage, any fines incurred, compensation to those impacted, cost to rectify any damage to the data and cost to make sure the situation is not repeated.
Sometimes, more secure IoT devices come at a higher price but the peace of mind and the mitigated chances of a breach are well worth the additional cost. If there was a security breach on a cheaper device it will soon cost you more than if you originally purchased the more secure option. This isn’t to say you should always purchase the most expensive IoT but the message is not to compromise on the security of your IoT device.
Finance should be an enabler to Cyber Security, rather than only concentrating on not having enough finance to develop the “ideal” security resilience, concentration should be spent on using the available finance to at least develop as much security resilience as is possible with the available funds.
A thorough and well designed risk assessment will identify the key areas to improve Cyber Security within the organisation. Providing the appropriate user awareness training to those responsible for defining risk assessments (normally the risk management committee), will make it easier to secure the required funding to enhance the security of the IoT devices used within the company.
Conclusion
In my opinion and what does seem to be the case following this insightful, interesting and informational event hosted by Trend Micro is that there are four key areas to improving Cyber Security strategies for IoT devices. These areas are; user awareness, cultural change, enforcing regulations and financial investment. The reality is all 4 of these areas rely on each other to succeed. Perhaps company priorities are too often viewed and ranked as lists with each item being prioritised independently when they should be viewed more as a pie chart, prioritising them cohesively.