How the Rise of IoT Is Changing the CISO Role

Prepare for the future by adopting a risk-based approach. Following these five steps can help.

The role of the CISO is rapidly changing to include managing safety risks, as well as protecting sensitive information, according to a recent Gartner report. This shift is being driven by the deployment of cyber-physical systems (CPS) such as Internet of Things (IoT) devices used in building management systems and healthcare facilities, as well as operational technology (OT) devices used in manufacturing plants, oil and gas facilities, energy and water utilities, transportation, mining, and other critical industrial infrastructure.

Because CPSs encompass both the digital and physical worlds, they are prime targets for adversaries seeking to cause major safety and environmental incidents and/or operational disruption. Examples include the TRITON attack on safety systems in a petrochemical facility, the Ukrainian grid attacks, NotPetya, and the Norsk Hydro ransomware attacks.

In addition, last August Microsoft reported that it observed a Russian state-sponsored threat group using IoT smart devices as entry points into corporate networks, from which they attempted to elevate privileges to launch further attacks. More recently, we've also seen attackers compromising IoT building access control systems to pivot deeper into corporate networks.

Industry analysts estimate that some 50 billion IoT devices will soon be deployed worldwide, dramatically increasing the attack surface. Because these embedded devices can't be protected by agent-based technologies — and are often unpatched or misconfigured — CISOs need new strategies to mitigate IoT security risk. Otherwise, it's not hard to imagine that regulators and corporate liability lawyers will soon hold C-level executives negligent — and even personally liable — for failing to implement safety-related security controls.

Five Steps Toward Mitigating CPS and IoT Risk
Idaho National Labs (INL) has developed a methodology for addressing CPS and IoT/OT risk called consequence-driven cyber-informed engineering (CCE). Based on this INL approach, here are five steps that all organizations should consider prioritizing in the near future:

  1. Identify crown jewel processes: You can't protect everything all the time, but you can protect the most important things most of the time. Therefore, ruthless prioritization of the functions whose failure would result in major safety or environmental incidents, or operational disruption, is key. Through conversations with business owners, infrastructure managers, and OT personnel, identify the things you most need to protect upfront.

  2. Map the digital terrain: Identify and categorize all connected assets in the organization, regardless of whether they're considered IT, IoT, building management systems (BMS), OT, or smart personal devices, such as Alexa and gaming systems. This includes understanding how information moves through your network and who touches the equipment, including third-party vendors and maintenance contractors with remote access connections.

  3. Illuminate the most likely attack paths: Analyze risks and vulnerabilities in your network to determine the most likely attack vectors to your crown jewel assets and processes. This can be done using automated threat modeling as well as by using red-team exercises to identify other entry points, such as social engineering and physical access to your facilities.

  4. Mitigate and protect: Once you have an idea of the most likely attack paths, develop a prioritized approach for mitigating risk. This can include steps such as reducing the number of Internet-accessible entry points, using zero-trust micro-segmentation policies to segregate IoT and OT devices from other networks, and patching critical vulnerabilities that are present in the most likely attack paths. Ongoing compensating controls rely primarily on continuous network security monitoring and agentless security to immediately identify suspicious or unauthorized behavior — such as a CCTV camera browsing Active Directory.

  5. Remove silos between IT, OT, IoT, and CPS: As the CISO, securing the enterprise means being accountable for all digital security — whether it's IT, OT, IoT, or CPS. Creating unified security monitoring and governance requires a holistic approach to people, processes, and technology. Technical aspects include forwarding all IoT/OT security alerts to the security operations center and leveraging existing security information and event management (SIEM), security orchestration, automation, and response (SOAR), and prevention mechanisms (firewalls and network access control systems) to respond rapidly to IoT/OT incidents, for example by quarantining devices that have been detected as sources of malicious traffic.
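The following is an added example, not code from the article or from CyberX, showing how steps 2, 4, and 5 fit together in practice: an asset map with device categories, a zero-trust baseline of which destinations each category may talk to, and a detection pass over flow records that turns the article's "CCTV camera browsing Active Directory" case into an alert shaped for SIEM/SOAR handoff. Every device name, address, port, flow record, and the policy itself are constructed assumptions for illustration.

```python
# Added example (not from the article): an agentless policy check over
# constructed flow records.  Step 2 is the asset map, step 4 the baseline
# that flags unauthorized behaviour (e.g. a camera contacting a domain
# controller), step 5 the alert record handed to a SIEM/SOAR pipeline.
# All names, addresses, flows and policy entries are constructed.
from dataclasses import dataclass, asdict
import json

# Step 2: asset map keyed by IP.  The category is what the policy keys on.
ASSETS = {
    "10.10.1.20": {"name": "cctv-lobby-01", "category": "iot_camera"},
    "10.10.1.21": {"name": "cctv-dock-02", "category": "iot_camera"},
    "10.10.1.5": {"name": "nvr-01", "category": "video_recorder"},
    "10.20.5.7": {"name": "plc-line-3", "category": "ot_controller"},
    "10.20.5.8": {"name": "plc-line-4", "category": "ot_controller"},
    "10.0.0.10": {"name": "dc01", "category": "domain_controller"},
}

# Step 4: zero-trust baseline per source category:
# destination category -> allowed destination ports.  Anything not listed
# is unauthorized for that category.
POLICY = {
    "iot_camera": {"video_recorder": {554, 443}},  # RTSP / HTTPS to the recorder only
    "ot_controller": {"ot_controller": {502}},     # Modbus/TCP stays inside the OT segment
}

# Crown-jewel categories: any contact from a restricted device is high severity.
CROWN_JEWEL_CATEGORIES = {"domain_controller"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    severity: str
    device: str
    category: str
    dst_name: str
    dst_category: str
    dport: int
    recommended_action: str
    reason: str


def evaluate(flow):
    """Return an Alert when a flow violates the baseline, else None."""
    src = ASSETS.get(flow.src)
    if src is None or src["category"] not in POLICY:
        return None  # unmanaged or unrestricted category: nothing to enforce here
    dst = ASSETS.get(flow.dst, {"name": flow.dst, "category": "unknown"})
    allowed = POLICY[src["category"]]
    if flow.dport in allowed.get(dst["category"], set()):
        return None
    high = dst["category"] in CROWN_JEWEL_CATEGORIES
    return Alert(
        severity="high" if high else "medium",
        device=src["name"],
        category=src["category"],
        dst_name=dst["name"],
        dst_category=dst["category"],
        dport=flow.dport,
        # Step 5: a high-severity hit is a candidate for automated quarantine
        # through NAC or firewall policy; the rest goes to an analyst queue.
        recommended_action="quarantine" if high else "investigate",
        reason=f"{src['category']} contacted {dst['category']} on port {flow.dport}, outside baseline",
    )


def run(flows):
    """Evaluate every flow and keep only the violations."""
    return [a for a in (evaluate(f) for f in flows) if a is not None]


def to_siem_json(alert):
    """Serialise an alert as a flat JSON event for SIEM/SOAR ingestion."""
    return json.dumps({"source": "iot_baseline_check", **asdict(alert)})


# Constructed sample flows: a normal camera stream to the recorder, the
# article's "CCTV camera browsing Active Directory" (LDAP to the DC), a PLC
# talking Modbus to a peer PLC, and a camera reaching an address that is
# not in the inventory at all.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.1.5", 554),
    Flow("10.10.1.20", "10.0.0.10", 389),
    Flow("10.20.5.7", "10.20.5.8", 502),
    Flow("10.10.1.21", "203.0.113.5", 443),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS):
        print(to_siem_json(alert))
```

The baseline is deliberately an allow-list keyed on device category rather than a block-list of known-bad destinations: an embedded camera has a small, stable set of legitimate peers, so any conversation outside that set is worth an alert, and contact with a crown-jewel category (here the domain controller) is escalated to a quarantine recommendation rather than just an investigation ticket.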

Proactively Preparing for the Future
Today's adversaries — ranging from nation-states to cybercriminals and hacktivists — are motivated, determined, and highly capable of causing disruption and destruction.

Industry experts agree that determined attackers will eventually find a way into your network, so a better strategy is to deploy monitoring to spot them in the early reconnaissance stages of the kill chain in order to mitigate attacks before they can cause any significant damage. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversaries were inside the network for several years before being discovered due to a bug in their malware that inadvertently shut down the plant for a week.

It is imperative for boards and management teams to recognize the new safety and security risks posed by IoT and CPS systems — and proactively prepare for them using a risk-based approach.


Phil Neray is VP of IoT & Industrial Cybersecurity for CyberX, a Boston-based security firm founded by blue-team experts with a track record of defending critical national infrastructure. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, ...

User Rank: Apprentice
3/12/2020 | 8:38:01 PM
Sharing Resources between IT and OT Environment
I highly disagree with sharing IT resources between IT and OT environments. While at a major energy firm we separated the two because of a Boundary Protection requirement in NISTIR 7628. The requirement ensures that a failure of an IT component does not impact an OT network. So IT resources like a SIEM should not be shared between the two. You can monitor them both separately. There is extra product cost for these products but the design enables better Availability in the OT energy grid itself.