Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Phil Neray
Phil Neray
Connect Directly
E-Mail vvv

How the Rise of IoT Is Changing the CISO Role

Prepare for the future by adopting a risk-based approach. Following these five steps can help.

The role of the CISO is rapidly changing to include managing safety risks, as well as protecting sensitive information, according to a recent Gartner report. This shift is being driven by the deployment of cyber-physical systems (CPS) such as Internet of Things (IoT) devices used in building management systems and healthcare facilities, as well as operational technology (OT) devices used in manufacturing plants, oil and gas facilities, energy and water utilities, transportation, mining, and other critical industrial infrastructure.

Because CPSs encompass both the digital and physical worlds, they are prime targets for adversaries seeking to cause major safety and environmental incidents and/or operational disruption. Examples include the TRITON attack on safety systems in a petrochemical facility, the Ukrainian grid attacks, NotPetya, and the Norsk Hydro ransomware attacks.

In addition, last August Microsoft reported that it observed a Russian state-sponsored threat group using IoT smart devices as entry points into corporate networks, from which they attempted to elevate privileges to launch further attacks. More recently, we've also seen attackers compromising IoT building access control systems to pivot deeper into corporate networks.

Industry analysts estimate that some 50 billion IoT devices will soon be deployed worldwide, dramatically increasing the attack surface. Because these embedded devices can't be protected by agent-based technologies — and are often unpatched or misconfigured — CISOs need new strategies to mitigate IoT security risk. Otherwise, it's not hard to imagine that regulators and corporate liability lawyers will soon hold C-level executives negligent — and even personally liable — for failing to implement safety-related security controls.

Five Steps Toward Mitigating CPS and IoT Risk
Idaho National Labs (INL) has developed a methodology for addressing CPS and IoT/OT risk called consequence-driven cyber-informed engineering (CCE). Based on this INL approach, here are five steps that all organizations should consider prioritizing in the near future:

  1. Identify crown jewel processes: You can't protect everything all the time, but you can protect the most important things most of the time. Therefore, ruthless prioritization of the functions whose failure would result in major safety or environmental incidents, or operational disruption, is key. Through conversations with business owners, infrastructure managers, and OT personnel, identify the things you most need to protect upfront.

  2. Map the digital terrain: Identify and categorize all connected assets in the organization, regardless of whether they're considered IT, IoT, building management systems (BMS), OT, or smart personal devices, such as Alexa and gaming systems. This includes understanding how information moves through your network and who touches the equipment, including third-party vendors and maintenance contractors with remote access connections.

  3. Illuminate the most likely attack paths: Analyze risks and vulnerabilities in your network to determine the most likely attack vectors to your crown jewel assets and processes. This can be done using automated threat modeling as well as by using red-team exercises to identify other entry points, such as social engineering and physical access to your facilities.

  4. Mitigate and protect: Once you have an idea of the most likely attack paths, develop a prioritized approach for mitigating risk. This can include steps such as reducing the number of Internet-accessible entry points, using zero-trust micro-segmentation policies to segregate IoT and OT devices from other networks, and patching critical vulnerabilities that are present in the most likely attack paths. Ongoing compensating controls are primarily around leveraging continuous network security monitoring and agentless security to immediately identify suspicious or unauthorized behavior — such as a CCTV camera browsing Active Directory.

  5. Remove silos between IT, OT, IoT, and CPS: As the CISO, securing the enterprise means being accountable for all digital security — whether it's IT, OT, IoT, or CPS. Creating unified security monitoring and governance requires a holistic approach to people, processes, and technology. Technical aspects include forwarding all IoT/OT security alerts to the security operations center and leveraging existing security information and event management (SIEM), security orchestration automation and response (SOAR), and prevention mechanisms (firewalls and network access control systems) to rapidly respond to IoT/OT incidents, such as rapidly quarantining devices that have been detected as sources of malicious traffic.

Proactively Preparing for the Future
Today's adversaries — ranging from nation-states to cybercriminals and hacktivists — are motivated, determined, and highly capable of causing disruption and destruction.

Industry experts agree that determined attackers will eventually find a way into your network, so a better strategy is to deploy monitoring to spot them in the early reconnaissance stages of the kill chain in order to mitigate attacks before they can cause any significant damage. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversaries were inside the network for several years before being discovered due to a bug in their malware that inadvertently shut down the plant for a week.

It is imperative for boards and management teams to recognize the new safety and security risks posed by IoT and CPS systems — and proactively prepare for them using a risk-based approach.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."

Phil Neray is VP of IoT & Industrial Cybersecurity for CyberX, a Boston-based security firm founded by blue-team experts with a track record of defending critical national infrastructure. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/12/2020 | 8:38:01 PM
Sharing Resources between IT and OT Environment
I highly disagree with sharing IT resoures between IT and OT environments. While at a major energy firm we separated the two because of a Boundary Protection requirement in NISTIR 7628. The requirement ensures that a failure of an IT component does not impact an OT network. So IT resources like a SIEM should not be shared between the two. You can monitor them both separately. There is extra product cost for these products but the design enables better Availability in the OT energy grid itself.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.