By Francis Cianfrocca
Why is IOT cybersecurity management such a black hole? Because no single vendor has yet brought all the pieces together into a cohesive framework that addresses each phase of the problem.
Operators and CISOs often find themselves confronting a dozen or more vendors, ranging from venture-funded startups to established providers that are limited because their roots are in the IT world. Most vendors address only one aspect of the problem, and all are competing for new budget dollars.
Phases of IOT Security Management
There are the four things you need to get right, and a vendor that is strong in only one or two of them doesn’t solve your problem. These “core four” are Asset Inventory, Systems Management, Threat Hunting and Incident Response:
- Asset Inventory is more than just a list of assets. You also need to identify firmware versions, patch levels, known vulnerabilities, and network maps. You need a very clear pictures of rogue and sporadic devices in OT space.
- Systems Management includes patch and firmware management, backup verification, vulnerability scanning, and hardware/software health. It also includes security, which in most cases doesn’t even exist. No firewalls, no internal segmentation, and no clear guidelines on whether you need or should invest in these things.Proper IOT security management makes clear whether investments in traditional network security make sense, from both a cost and a benefit perspective. Managing traditional network security in OT space is tremendously challenging because the assets are geographically dispersed; trained personnel are few and far between; and the consequences of problems can include physical safety.
- Threat Hunting is simply essential to detect potential direct attacks and breakout attacks in the OT space. And it’s all kinds of difficult. The true problem is scale. There are many anomaly-detection solutions on the market, but they suffer from a near-total lack of context, which means they typically can’t distinguish between normal operational divergences and real problems. You need much better AI.
- Incident Response is valuable because it gives you playbooks to respond to the various security threats and operational problems as they present themselves. Unlike traditional IT-based IR, in OT the local plant-management personnel need to be part of the loop, because outages are generally unacceptable. Sometimes the only possible response is simply to step up the risk-weighting of a given locale, process, or group of devices.
Reactive vs Proactive IOT Management
IT is a lot easier than IOT because it’s a lot more deterministic. In IT, problems stand out readily against a uniform noise background. In IOT, the cyber-physical systems share a highly heterogeneous network space, and the noise background is far more difficult to pick signals out of.
CISOs, like anyone else, respond to their incentives. As regards OT and IOT security, their profile isn’t dominated by the key questions of protecting revenue and avoiding safety/compliance problems, but rather by board-level questions:
- “Tell me how we’re doing relative to our peers”
- “Tell me that we won’t get written up in the Wall Street Journal as the next target.”
Of course, this means they’re focus on the most superficial aspects of the problem.
Also, the biggest barrier to making any progress is the disconnect between CISO orgs and production management. The traditional distrust between these groups is now going away in many places, but it’s still very much the case that CISOs struggle to get production people to focus on cybersecurity issues. And when they do, the production people often say “Well, we have our automation vendors, and we’ll wait for them to tell us how to do security.”
Fortunately, if you can manage all four of these aspects well, you have the beginnings of a proper IOT risk management process. Risk management means identifying the areas of greatest risk to the business, and assuring their continued operations. Which means that the primary metric you should target is resiliency.
That will put you ahead of most of the market, because most CISOs are still playing whack-a-mole.
Francis Cianfrocca is CEO at Insight Cyber Group.