Senior Director of Digital Economy, Technology, & Innovation, Canadian Chamber of Commerce
Area VP & Country General Manager, Optiv Canada
The art of balancing innovation and risk management in the world of IoT
As organizations continue to digitally transform, Internet of Things (IoT) devices such as cell phones, tablets, watches, refrigerators, medical devices, vehicles and many more are becoming critical components that enable companies to act quickly on information to increase competitive advantages and operational efficiencies.
The addition of these devices to IT environments allows for improved data utilization to better manage technology, increase output and reduce costs and downtime. However, the effort to utilize these new data sources significantly alters an organization’s threat landscape, opening up vulnerabilities that previously couldn’t be exploited. In many instances, network security is unable to detect IoT connections or provide visibility into the extent of an organization’s expanded threat landscape.
Organizational goals are often focused on accelerating time to market. As such, much of the attention and celebration goes to the developers and pioneers who create these IoT tools. In the rush to market, many companies’ security programs are not optimized or utilized at all.
In conversation with Cheryl McGrath, Area VP & Country General Manager at Optiv, Ulrike Bahr-Gedalia, Senior Director of Digital Economy, Technology & Innovation at the Canadian Chamber of Commerce, takes a closer look at some of the key concerns around IoT security. As the discussion demonstrates, the issue is pressing: the trail of technological innovation, especially over the last five years, has also served as a pathway showing threat actors what to go after next.
The term IoT is increasingly being used, and yet, the risks of its real use and application aren’t necessarily well understood. How can this discrepancy be explained?
Companies are looking to unlock data from the next asset class to consume and monetize — and that’s IoT.
The physical interface to digital systems is changing along with everything else. Developers have unlocked tools and gadgets for a wide range of applications — machines that don’t run off of regular user laptops or standard servers. Keyboards and mice are being replaced with voice commands and VR. And that is just the beginning. The development of this is still in its infancy and is guaranteed to create vast issues for security teams during this evolution.
For critical infrastructure, let’s face it — IoT devices control most of the physical world. Everything from the gas in the pumps to our cars, medical devices, the temperature in food processing plants and nuclear facilities. Devices that operate without standard operating procedures are everywhere.
You can’t secure what you can’t see and most organizations don’t have complete visibility to all of the devices on their networks. If threat actors exploit these IoT vulnerabilities, it can be disastrous. Look at Log4j.
How will security be knitted into these new environments?
These devices are becoming integrated into many new forms of data. For example, consider modern distribution centers, where product is moved from one side of a factory to another via conveyor belt. Once these facilities had just a few sensors used for measurements for the whole facility. Now, more than a hundred sensors are used — per foot. We’re livestreaming terabytes of data regarding destination, package shape and weight and much more, but not securing the system any differently. Some security teams are still assuming that one external firewall will secure the facility. Contrast this with the cathedrals of defense implemented on the IT side. The rate of data creation is outstripping our ability to use and secure it.
As we look ahead to the next three years, what should people and businesses be considering with regard to IoT?
There are “three wants” that need to be considered.
Uptime: Many facilities care more about the ability to operate than they do about security. We are replacing aged digital infrastructure with modern cloud networks. A shift of this scale requires people to change their mentality and that can sometimes be a big ask. We also know that people are often wary of new business practices, so that needs to be thought through and immediately actioned.
Digital tools: Think of something as ubiquitous as temperature controls. Many automation systems are trained and honed to regulate small bands of temperature constraints. This plays out in many environments in varying degrees of criticality, ranging from data centers to food storage. All of these facilities have their own digital record, which will need to be extracted, centralized and made tamper-proof.
Security: In many organizations, these new data paths and devices have not been fully monitored or assessed against company risk thresholds. It took us 15 years to secure the modern ATM. These new IoT devices can be larger and closer to more valuable data (yes, more valuable than an ATM full of cash). With information this valuable and technology this new and vulnerable, security and risk mitigation have to be at the forefront of all organizations.
What can companies do to mitigate IoT risks?
To be proactive, businesses can:
1. Tap into their production networks to identify all IoT-connected devices and identify the most vulnerable assets. Then assess devices for vulnerabilities and mitigate outstanding security issues.
2. Understand security in relation to new IoT devices that an organization is looking to purchase and how they may affect their network. Companies may want to hire a trusted security provider with IoT labs to test devices before they’re implemented on company networks. This is done in order to ensure third-party devices aren’t erroneously capturing private data via back door portals and to test integrations with their other technologies end-to-end.
3. Adopt a policy-driven risk framework based on the organization’s business needs. These policies should include a baseline platform for the development of automated vulnerability management and incident response solutions for IoT.