Internet of Things initiatives are no longer driven by a single purpose, and incorporating IoT solutions and managing business outcomes is complex.
The bad guys are getting better. They can find a way in through anything from infrastructure vulnerabilities to cyber-physical systems (CPS) and the Internet of Things (IoT). CPS and IoT products contain sensors or other technologies to share data with other devices via the Internet or communications networks. Unfortunately, they are also less secure: older devices are not equipped to address the surge of new IoT. This means that every device connected to your network potentially gives the bad guys a way to infiltrate your work, mess with your data, and/or surveil your system.
In fact, malicious actors are evolving at a rate faster than we can stop them. According to Gartner, “Attacks on organizations in critical infrastructure sectors have increased dramatically, from less than 10 in 2013 to almost 400 in 2020 — a 3,900% change.”
Tony Sager, Sr. Vice President and Chief Evangelist for the Center for Internet Security (CIS)—a nonprofit leading the way in securing IT systems and data—believes our problem is that we have too many resources. “Why can’t we keep up? For me, the ‘fog of more’ is a way to convey it’s not the lack of resources. It’s that there’s too much. So, people become paralyzed. They’re overwhelmed not only by the technical problems and the changes in the business—the way it uses technologies and the demands of the customers—but the emergence of new technology, [and] the bad guys are changing all the time. So, the challenge is sorting all that out.”
Strategies to help cut through the fog and lock systems down.
CIS is helping those in government and industry focus their hardening practices with standards-based benchmarks and controls that provide a secure baseline for your enterprise. CIS benchmarks are similar to the Security Technical Implementation Guides (STIGs) used in the DoD and the Cybersecurity Maturity Model Certification (CMMC) criteria used in the DIB. These inventories and checklists are based on top cybersecurity experts’ collective wisdom and help organizations create a secure baseline for their enterprise.
That might be enough if this was just a fight. But it’s a war. The good news is that there are many other resources and strategies available to stave off cyberattacks, protect your information technology, and ensure end-to-end security.
Standardized labeling for IoT products. On February 4, 2022, NIST released their new Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things Products. Adding standardized labels will help consumers assess risk and make better technology choices, and it will also help address recurring security issues with IoT products. Essentially, the demand for more secure products will encourage manufacturers to supply them.
A collective force for good.
Twenty-two major nonprofits have banded together to develop, share, deploy, and increase awareness of best practices in cybersecurity, including tools, standards, and services across the public and private sectors. All Nonprofit Cyber coalition members are cybersecurity-focused and include CIS, the Cloud Security Alliance, and the Anti-Phishing Working Group.
Continuous diagnostics and mitigation (CDM).
Once you have established a secure and compliant baseline, it is unlikely to stay that way. Every time a device or capability is added to your enterprise, that baseline is subject to drift. CDM means keeping a continual eye on endpoints and controls and remediating issues as they arise.
Automation makes the job easier.
The more complex technology and its attackers get, the more complex maintaining security becomes. Manually scanning and remediating endpoints is so laborious that you will likely be backlogged and, as a result, vulnerable to attack. STIG/CIS/CMMC standards can all be automated to create a baseline and then to perform CDM from that point forward.
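The baseline-then-monitor loop described above, sketched as an added Python example (not code from CIS, NIST or any product). Device names, setting keys and values are constructed; the keys are hypothetical and are not real CIS or STIG rule identifiers.

```python
from dataclasses import dataclass

# Constructed baseline: approved endpoints and required settings (hypothetical keys).
INVENTORY = {"hmi-01", "plc-07", "cam-12"}
REQUIRED = {"telnet_enabled": ("eq", False), "default_password_changed": ("eq", True),
            "min_tls_version": ("min", "1.2")}

@dataclass(frozen=True)
class Finding:
    device: str
    kind: str            # unknown_device, missing_device, missing_setting, drift
    setting: str = ""
    actual: object = None

def _compliant(op, expected, actual):
    if op == "min":      # anything at or above the baseline version passes
        as_tuple = lambda v: tuple(int(p) for p in v.split("."))
        return as_tuple(actual) >= as_tuple(expected)
    return actual == expected

def scan(snapshot):
    """Compare one snapshot {device: {setting: value}} with the baseline."""
    findings = set()
    for device, settings in snapshot.items():
        if device not in INVENTORY:          # device added since the baseline
            findings.add(Finding(device, "unknown_device"))
        for key, (op, expected) in REQUIRED.items():
            if key not in settings:
                findings.add(Finding(device, "missing_setting", key))
            elif not _compliant(op, expected, settings[key]):
                findings.add(Finding(device, "drift", key, settings[key]))
    for device in INVENTORY - set(snapshot):  # baselined device no longer reporting
        findings.add(Finding(device, "missing_device"))
    return findings

def new_drift(previous, current):
    """Findings present in the current scan but absent from the previous one."""
    return scan(current) - scan(previous)

# Constructed snapshots from two consecutive scans.
GOOD = {"telnet_enabled": False, "default_password_changed": True, "min_tls_version": "1.2"}
SCAN_1 = {name: dict(GOOD) for name in INVENTORY}
SCAN_2 = {
    "hmi-01": {**GOOD, "min_tls_version": "1.3"},   # stronger than baseline: passes
    "plc-07": {**GOOD, "min_tls_version": "1.0"},   # downgraded since scan 1
    "cam-13": {"telnet_enabled": True, "default_password_changed": True},  # new device
}
```

Running `new_drift(SCAN_1, SCAN_2)` on a schedule yields only what changed since the last scan, which is the queue a remediation job would work from.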
Zero Trust is the recommended stance.
Last year, the White House released their Cybersecurity Executive Order (EO) mandating, among other things, a Zero Trust stance. In its simplest form, the Zero Trust model shifts focus from various authentication and access controls to tailored controls around sensitive data stores, applications, systems, and networks. The strategy is to make it much harder for users without permission to gain access to your systems in the first place, along with preventing malicious actors from moving around within the systems if access is gained.
Adopt a pragmatic cyber-security risk mindset and automate your defenses.
From food, water, and energy to transportation, healthcare, and government, every human on the planet relies on the world’s mission-critical infrastructure for the proper function of society. Over time, the technologies that underpin critical infrastructure have become more digitized and connected, creating cyber-security systems composed of both legacy infrastructure and new assets. Unfortunately, these systems are being deployed with vulnerabilities.
Using the resources we’ve outlined here to support your efforts, we recommend a security approach that addresses operational technology (OT) and the industrial internet of things (IoT) as part of a coordinated effort. Then, with a pragmatic approach, checklists, a little help from government and nonprofits, and automation, you can better focus on understanding the threats and vulnerabilities before experiencing a meltdown.