CTB Panel of Experts: IoT
SolarWinds pinpoints three steps for IT professionals in the defence sector to consider: consider automation; understand security information and event management processes; and monitor devices and access points. Administrators need to make sure they are using monitoring solutions to complement their automated network. Security information and event management allows users to keep an eye on real-time data and provide insight into forensic data.
Only devices with adequate security should be added to the network, and administrators should monitor for any unauthorised devices that are connecting. In addition, administrators should establish a baseline for what ‘normal’ IoT device usage looks like, and then check when devices aren’t behaving in accordance with this, such as using more bandwidth than usual or generating unexpected traffic.
We have already seen examples of this through poorly implemented IoT devices making CTV, including baby monitor live video, available to anyone in the world, or exposing control of industrial process equipment to the internet by mistake. Daykin says that embedded and proportionate cyber security cannot be an afterthought, it needs to be considered and implemented as a foundation of technology, however mundane the use case appears to be.
Leidos advise that, when developing, selecting or testing IoT equipment, consider the system as a whole and the relevant threats, identifying potential vulnerabilities and risks that require control for successful low risk deployment. In the same way as virtually any technology platform, the tools are there to implement security controls and implement a secure solution, it simply needs the investment of time and effort in a structured risk identification and management approach.
Additionally, through this risk review process it is important to consider the unique factors IoT brings, such as the new information they are producing and making available (and who that may be valuable too), but also the nature of control over the physical world these devices may have. Understanding the control you have is critical to managing risks. Whilst accessing remote CCTV images or live data can expose new information sets, the control plane is often the more impactful area. Being able to remotely control home appliances, cars, buildings or industrial processes can have a more tangible impact on the real world, either individually or if co-ordinated to shared resources such as electrical grids or transport systems. This does not mean it cannot be secured, simply that the security controls need to be proportionate. It is critical to respond to the unique nature of these threats and continually reassess and respond to the risks as they mature.
IoT brings commercial automation within reach of a far wider audience than as possible before. What happens next isn’t inherently the fault of the IoT, nor any one device within it. Chomic stresses that it is our ability to apply rigour to our developments that matters.
Gabe Chomic, ISSA UK
Gabe is a technologist at heart who has been tinkering with things from an early age. He has served as president of a national cyber security association, bootstrapped a cryptocurrency crowdfunding platform from wireframe to profitability, built security programs, analysed security processes across 14 countries and performed in-depth security engineering in heavy industry. His current passions involve the economic drivers behind insecurity and the cascading effects of small business failure.
Final thoughts: “IoT is a security risk - we cannot secure the things we do now. Enabling us to do things faster and more efficiently will enable us to fail at scale. IoT is also a pathway to a Brave New World. One of technological enablement and potential dystopian abuse. IoT, like many technological improvements before it, is not something that can be stopped, just adjusted for. IoT is a tool after all. We determine how it is used and how well we use it. But based on our track record, I would plan for it’s abuse as well as it’s use.”
Simon Daykin, Leidos
Simon Daykin is chief technology officer for Leidos UK’s Civil, Defence and Health business units, providing strategic business technology leadership for UK customers. Motivated by the benefits technology can bring, Simon is passionate about supporting digital transformations through strategy, design and delivery to solve some of the most challenging problems in today’s world. Before joining Leidos, Simon served as chief architect of NATS and CTO of Logicalis.
Final thoughts: “IoT is a natural evolution of our technology enabled and connected world, and whilst it can and will bring new security risks, these can be mitigated. We must recognise the importance of Secure-By-Design processes as we develop, integrate and test these technologies. We need to ensure we evaluate the new risks the technology can bring, embed proportional controls in the technology, and continuously reassess and respond to risks as they mature.”
Paul Parker, Solar Winds
Paul Parker brings over 22 years of IT infrastructure experience, having worked with multiple miltary, intelligence, civilian and commercial organisations. Paul has received multiple military and civilian awards for service, support and innovation, having served as vice president of engineering for the federal division of Inflobox, an IT automation and security firm, as well as holding positions at CS2, Ward Solutions, Eagle Alliance and Dynamics Research Corporation.
Final thoughts: “Is IoT a security risk or a brave new world? Well, it’s a little bit of each and a lot of neither. Certainly, there are more IoT devices around, especially as they become smaller and less resource-dependent. With the many benefits and innovations that these devices bring on the horizon, it’s just as important as ever, if not more so, to make sure they are secured and managed effectively as part of the whole defence sector IT infrastructure. Mitigating any security threat of IoT requires visibility into the network and devices running on it. Sophisticated monitoring and threat detection systems are necessary to find and remove problems as quickly as possible. When this is taken into consideration, the use of IoT devices becomes both achievable and beneficial for the defence sector.”