3/11/2020
02:00 PM
Phil Neray
How the Rise of IoT Is Changing the CISO Role

Prepare for the future by adopting a risk-based approach. Following these five steps can help.

The role of the CISO is rapidly changing to include managing safety risks, as well as protecting sensitive information, according to a recent Gartner report. This shift is being driven by the deployment of cyber-physical systems (CPS) such as Internet of Things (IoT) devices used in building management systems and healthcare facilities, as well as operational technology (OT) devices used in manufacturing plants, oil and gas facilities, energy and water utilities, transportation, mining, and other critical industrial infrastructure.

Because CPSs encompass both the digital and physical worlds, they are prime targets for adversaries seeking to cause major safety and environmental incidents and/or operational disruption. Examples include the TRITON attack on safety systems in a petrochemical facility, the Ukrainian grid attacks, NotPetya, and the Norsk Hydro ransomware attacks.

In addition, last August Microsoft reported that it observed a Russian state-sponsored threat group using IoT smart devices as entry points into corporate networks, from which they attempted to elevate privileges to launch further attacks. More recently, we've also seen attackers compromising IoT building access control systems to pivot deeper into corporate networks.

Industry analysts estimate that some 50 billion IoT devices will soon be deployed worldwide, dramatically increasing the attack surface. Because these embedded devices can't be protected by agent-based technologies — and are often unpatched or misconfigured — CISOs need new strategies to mitigate IoT security risk. Otherwise, it's not hard to imagine that regulators and corporate liability lawyers will soon hold C-level executives negligent — and even personally liable — for failing to implement safety-related security controls.

Five Steps Toward Mitigating CPS and IoT Risk
Idaho National Laboratory (INL) has developed a methodology for addressing CPS and IoT/OT risk called consequence-driven cyber-informed engineering (CCE). Based on this INL approach, here are five steps that all organizations should consider prioritizing in the near future:

  1. Identify crown jewel processes: You can't protect everything all the time, but you can protect the most important things most of the time. Therefore, ruthless prioritization of the functions whose failure would result in major safety or environmental incidents, or operational disruption, is key. Through conversations with business owners, infrastructure managers, and OT personnel, identify the things you most need to protect upfront.

  2. Map the digital terrain: Identify and categorize all connected assets in the organization, regardless of whether they're considered IT, IoT, building management systems (BMS), OT, or smart personal devices, such as Alexa and gaming systems. This includes understanding how information moves through your network and who touches the equipment, including third-party vendors and maintenance contractors with remote access connections.

  3. Illuminate the most likely attack paths: Analyze risks and vulnerabilities in your network to determine the most likely attack vectors to your crown jewel assets and processes. This can be done using automated threat modeling as well as by using red-team exercises to identify other entry points, such as social engineering and physical access to your facilities.

  4. Mitigate and protect: Once you have an idea of the most likely attack paths, develop a prioritized approach for mitigating risk. This can include steps such as reducing the number of Internet-accessible entry points, using zero-trust micro-segmentation policies to segregate IoT and OT devices from other networks, and patching critical vulnerabilities that are present in the most likely attack paths. Ongoing compensating controls center on continuous, agentless network security monitoring that immediately flags suspicious or unauthorized behavior — such as a CCTV camera browsing Active Directory.

  5. Remove silos between IT, OT, IoT, and CPS: As the CISO, securing the enterprise means being accountable for all digital security — whether it's IT, OT, IoT, or CPS. Creating unified security monitoring and governance requires a holistic approach to people, processes, and technology. Technical aspects include forwarding all IoT/OT security alerts to the security operations center and leveraging existing security information and event management (SIEM), security orchestration, automation, and response (SOAR), and prevention mechanisms (firewalls and network access control systems) to respond rapidly to IoT/OT incidents, for example by quarantining devices that have been detected as sources of malicious traffic.
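As an added illustration of the compensating control in step 4 and the quarantine hand-off in step 5 (example code, not from the article or from CyberX): a minimal rule that joins a constructed asset inventory from step 2 with constructed flow records and flags any embedded (IoT/BMS/OT) device reaching Active Directory services on a domain controller, such as a CCTV camera browsing AD. Device names, addresses and the port list are assumptions.

```python
"""Added example: detect embedded devices talking to Active Directory.
The asset inventory and flow records below are constructed sample data."""

# Constructed inventory (step 2, "map the digital terrain"): IP -> (name, category)
ASSETS = {
    "10.1.10.5": ("cctv-lobby-01", "IoT"),
    "10.1.10.6": ("hvac-ctrl-02", "BMS"),
    "10.1.20.7": ("plc-line-3", "OT"),
    "10.1.30.9": ("ws-jdoe", "IT"),
    "10.1.1.2": ("dc01", "IT"),
}
# AD services an embedded device has no business reaching (assumed port list)
AD_PORTS = {88: "kerberos", 389: "ldap", 636: "ldaps", 445: "smb", 3268: "global-catalog"}
DOMAIN_CONTROLLERS = {"10.1.1.2"}
EMBEDDED = {"IoT", "BMS", "OT"}


def parse_flow(line):
    """Parse a constructed flow record: 'ts src dst dport proto bytes'."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def detect_embedded_to_ad(lines):
    """Return one alert per flow where an embedded device hits an AD service on a DC."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        name, category = ASSETS.get(f["src"], (f["src"], "unknown"))
        if category in EMBEDDED and f["dst"] in DOMAIN_CONTROLLERS and f["dport"] in AD_PORTS:
            alerts.append({"ts": f["ts"], "device": name, "category": category,
                           "dc": f["dst"], "service": AD_PORTS[f["dport"]]})
    return alerts


def quarantine_candidates(alerts):
    """Device names to hand to NAC/firewall automation for quarantine (step 5)."""
    return sorted({a["device"] for a in alerts})


# Constructed sample flows: one workstation doing normal LDAP, a camera touching AD twice
SAMPLE_FLOWS = [
    "2020-03-11T14:00:01 10.1.30.9 10.1.1.2 389 tcp 1200",  # workstation -> LDAP: expected
    "2020-03-11T14:00:05 10.1.10.5 10.1.1.2 389 tcp 4400",  # camera -> LDAP: suspicious
    "2020-03-11T14:00:06 10.1.10.5 10.1.1.2 88 tcp 800",    # camera -> Kerberos: suspicious
    "2020-03-11T14:00:09 10.1.10.6 10.1.1.2 123 udp 90",    # HVAC -> NTP on DC: not AD
    "2020-03-11T14:00:12 10.1.20.7 10.1.20.8 502 tcp 300",  # PLC Modbus to a peer: normal
]

if __name__ == "__main__":
    for alert in detect_embedded_to_ad(SAMPLE_FLOWS):
        print(alert)
    print("quarantine:", quarantine_candidates(detect_embedded_to_ad(SAMPLE_FLOWS)))
```

In a real deployment the inventory would come from the asset-discovery tooling and the flows from a network sensor, and the alerts would be forwarded to the SIEM/SOAR as the article describes.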

Proactively Preparing for the Future
Today's adversaries — ranging from nation-states to cybercriminals and hacktivists — are motivated, determined, and highly capable of causing disruption and destruction.

Industry experts agree that determined attackers will eventually find a way into your network, so a better strategy is to deploy monitoring to spot them in the early reconnaissance stages of the kill chain in order to mitigate attacks before they can cause any significant damage. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversaries were inside the network for several years before being discovered due to a bug in their malware that inadvertently shut down the plant for a week.

It is imperative for boards and management teams to recognize the new safety and security risks posed by IoT and CPS systems — and proactively prepare for them using a risk-based approach.

Phil Neray is VP of IoT & Industrial Cybersecurity for CyberX, a Boston-based security firm founded by blue-team experts with a track record of defending critical national infrastructure. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, ...
Comments

gregorymachler, User Rank: Apprentice, 3/12/2020 | 8:38:01 PM
Sharing Resources between IT and OT Environment
I highly disagree with sharing IT resources between IT and OT environments. While at a major energy firm we separated the two because of a Boundary Protection requirement in NISTIR 7628. The requirement ensures that a failure of an IT component does not impact an OT network. So IT resources like a SIEM should not be shared between the two. You can monitor them both separately. There is extra product cost for these products, but the design enables better availability in the OT energy grid itself.