With billions of connected consumer devices now on the market, and billions more soon to follow, there is a need for a strong global baseline for Internet of Things (IoT) security in the next generation of consumer products. Through the World Economic Forum’s Council of the Connected World, leaders representing more than 400 organizations globally collaborated to recognize an emerging consensus on baseline cybersecurity provisions for consumer IoT devices. So what does this mean, and why was it necessary?
Put simply, there’s a wide array of problems to contend with, said Haydn Povey, founder of Secure Thingz and chief security officer at IAR Systems. Compromises are a natural part of complex systems, and attacks like those on Colonial Pipeline and SolarWinds showed just how vulnerable these systems are. While the IoT is great for streamlining business, it will only increase the threat.
“In many ways, the IoT stretches that boundary between traditional IT (information technology) systems and operational technology (OT) and is really at that fulcrum of cyber physical systems,” Povey said. “The reality is that that’s where we are seeing more and more pernicious attacks, attacks which don’t just impact data, but they impact the physical world, as well, whether that is affecting oil pipelines or drilling, whether it’s water treatment, whether it’s manufacturing plants. All of these devices where we’re adding connectivity are also opening attack vectors.”
Improving IoT security
Povey said the biggest question his customers are asking is: Where do we start when it comes to securing the IoT? Security is a massive challenge that impacts almost everything we do and most of our systems. Things like improved passwords, proper cryptographic authentication, managing vulnerabilities and regular updating need to be fundamental hygiene moving forward.
But even managing something “simple” like an update initiated by a compromise can be complicated. How do you let all of your customers know that there is a challenge, and how and when do you update?
“If you’re in a critical system, you may have to wait until there is specific downtime,” Povey said. “It has to be scheduled in. You need to make sure that those updates are applied without breaking the system. Many industrial manufacturing systems are on 24/7, so the application of updates and the management of security has to take into regard the realities of these industrial systems.”
Industrial systems can be much more complicated for a number of reasons, not the least of which is that they can be older, legacy systems, and updates may no longer be available.
As Povey said, there are many different systems out there, and we need to understand where the threat is coming from. We can no longer assume that the attacker is always on the outside; modern attackers are often already on the inside, with an attack vector inside the demilitarized zone (DMZ).
One way to help protect IoT systems is to leverage standards like IEC 62443. This standard defines security levels in terms of the attacker they are meant to withstand, from level one, a relatively lightweight attack, through level four, a nation-state attack with practically unlimited resources. The goal is to build frameworks that can scale, are cost effective and are right for the industrial marketplace.
A more connected world
Given the proliferation of IoT devices and the risk they can pose, the World Economic Forum’s Council of the Connected World recently collaborated to find consensus on baseline cybersecurity provisions for consumer IoT devices. This statement lays out five key capabilities for setting a baseline for IoT security.
“These are, in many ways, from a cybersecurity perspective, hygiene, but it’s amazing how many people don’t have this in their systems,” Povey said. “When we’re looking at purchasing components for our industrial control systems, we have to think about these.”
The first capability is moving away from traditional passwords to proper cryptographic authentication. A consequence is that every device has to be truly unique. Modern manufacturing systems, however, aren’t generally geared for that, so we have to think about provisioning and the application of secure programming.
The second is a vulnerability disclosure policy. Every organization needs to sell its products with a policy for how it will manage and maintain them, what happens when something goes wrong and how white hat hackers can contact it about flaws they’ve discovered.
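To make the difference between a shared password and per-device cryptographic authentication concrete, here is an added example (not code from the interview, Secure Thingz or IAR Systems). It assumes a hypothetical factory provisioning step that derives one unique key per device serial number from a provisioning key that stays in the factory, and a backend that authenticates devices with an HMAC challenge-response. The factory key and serial numbers are constructed sample values.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def provision_device_key(factory_key: bytes, device_id: str) -> bytes:
    """Hypothetical factory-side step: derive one unique key per device from the
    manufacturer's provisioning key and the device serial. Only the derived key
    is written into the device; the provisioning key never leaves the factory
    (assumed to be held in an HSM)."""
    return hkdf_sha256(factory_key, salt=b"iot-provisioning-v1",
                       info=b"device-auth-key|" + device_id.encode())


def _mac(key: bytes, device_id: str, nonce: bytes) -> bytes:
    # Bind the response to both the claimed device identity and the fresh nonce.
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Device:
    """Firmware side: holds its own unique key and answers challenges."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id, self.key = device_id, device_key

    def respond(self, nonce: bytes) -> bytes:
        return _mac(self.key, self.device_id, nonce)


class Backend:
    """Service side: stores per-device keys and runs challenge-response."""

    def __init__(self):
        self.keys = {}      # device_id -> device key
        self.pending = {}   # device_id -> outstanding nonce

    def register(self, device_id: str, device_key: bytes) -> None:
        self.keys[device_id] = device_key

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per attempt, never reused
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)  # single use: consumed on first check
        key = self.keys.get(device_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(_mac(key, device_id, nonce), response)


def run_demo() -> dict:
    """Provision two devices, then exercise genuine, replayed and cloned attempts."""
    factory_key = b"constructed-factory-provisioning-key-not-real"  # constructed sample
    backend = Backend()
    devices = {}
    for serial in ("PUMP-0001", "PUMP-0002"):  # constructed serial numbers
        key = provision_device_key(factory_key, serial)
        backend.register(serial, key)
        devices[serial] = Device(serial, key)

    # A genuine device answers its own challenge.
    nonce = backend.challenge("PUMP-0001")
    resp = devices["PUMP-0001"].respond(nonce)
    genuine = backend.verify("PUMP-0001", resp)

    # Replaying the captured response fails: that nonce has already been consumed.
    backend.challenge("PUMP-0001")
    replay = backend.verify("PUMP-0001", resp)

    # A key pulled from PUMP-0002 cannot impersonate PUMP-0001: keys are unique per device,
    # so one compromised unit does not unlock the fleet the way a shared password would.
    nonce = backend.challenge("PUMP-0001")
    cloned = Device("PUMP-0001", devices["PUMP-0002"].key)
    cross_device = backend.verify("PUMP-0001", cloned.respond(nonce))

    unique_keys = len({d.key for d in devices.values()}) == len(devices)
    return {"genuine": genuine, "replay": replay,
            "cross_device": cross_device, "unique_keys": unique_keys}


if __name__ == "__main__":
    print(run_demo())
```

The point of the derivation step is that the manufacturing line needs no per-device secret database: the device key is reproducible from the provisioning key and the serial, yet no device key reveals any other. In production the provisioning key would sit in a factory HSM and the device key in the part's secure element rather than in a Python variable.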
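One standardized way to publish the contact channel this provision calls for is a security.txt file (RFC 9116) served at /.well-known/security.txt. The file below is an added example, not taken from the interview or from any named vendor; every URL and address uses the example.com placeholder domain and the expiry date is a constructed value.

```text
# Served at https://example.com/.well-known/security.txt (placeholder domain)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-01-31T23:59:59.000Z
Encryption: https://example.com/security/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/thanks
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Contact and Expires are the two mandatory fields; the Policy link is where the organization states what a reporter can expect (acknowledgment time, fix and publication timelines), which is the part of the provision that matters most to the customers buying the device. The Expires date should be kept short and refreshed so that stale contact details are not trusted.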
The third provision is updating. We will always have compromises in our systems. In the industrial domain, we must determine how updates can be scheduled in.
Beyond that, there is privacy of data. The data that we collect on our devices, whether they’re consumer or industrial, belongs to the people who have implemented that system.
“Too often today, we find that our private data is exfiltrated and used to sell us goods,” Povey said. “You don’t want that from a private perspective. You certainly don’t want that in an industrial domain. Just because it’s an IoT device does not mean it should be sending data across the network.”
The fifth standard is geared primarily toward the consumer domain, but it does have ramifications in the industrial sector. All data should be eviscerated once the device is at end of use. When you’re selling a good, whether it is a refrigerator or an industrial pump, it should be reset back to a known state that doesn’t retain any of your data.
The economics of IoT security
While these guidelines are useful, there is an obvious question: Why is the World Economic Forum involved in such a technical domain? They’re typically talking about how to rebuild the global economy or what to do about global poverty. Industrial cybersecurity does not usually fall within their purview.
“The reality is actually this level of cybersecurity is so fundamental to the world economy today, it is so crucial to keeping critical national infrastructure moving, transportation systems moving, food production operating and all of these sorts of things, that it becomes a component of the global infrastructure,” Povey said. “It’s really important that this shout-out from the World Economic Forum goes to the global leaders, the Fortune 500 executives who attend, and of course, the governmental organizations and NGOs that attend the Davos event. Security is a fundamental right of every person and of every system, and we have to make sure that it’s fit for purpose for the 21st century.”
In Part 2 of our interview with Haydn Povey, he will discuss governmental legislation surrounding industrial cybersecurity and how much it can really help to secure systems. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.