The Internet of Things (IoT) has had a profound impact on our lives. However, it also means that more personal information and business data will be passed back and forth in the cloud, and with that comes new security risks, new attack surfaces, and new kinds of attacks. And with an unprecedented number of companies staking the future of their businesses on the pervasive connectedness that the IoT world promises, business leaders need to empower their technical teams to create secure IoT networks.
Most organisations deploy disparate technologies and processes to protect key elements of their businesses, including the information technology that is typically focused on information protection and operational technology charged with managing control networks that support critical infrastructure, as well as physical spaces. I recently encountered a company that implements more than 80 security products for different tasks. Many of these systems don’t work together, which in turn limits the level of security this company can achieve.
In an IoT environment, we need to accommodate the priorities of both IT and OT networks, balance physical safety and security requirements, and also begin to implement cybersecurity solutions to equally protect all networks from attack. Solutions must be put into place to protect the device, control levels of the network, and the data contained and shared. We need to shift our mindset from considering each object in isolation, to looking at the whole. Attackers are taking a holistic view of the IoT and defenders must do the same.
Properly securing IoT networks will require that IT and OT professionals work together to ensure that a consistent level of security and dynamic controls are applied across the extended network, and that they are applied appropriately in each of the respective environments. By working together, security can be applied across the extended network and enable the flexibility required for policies to be enforced in a differentiated manner to accommodate the specialised needs of each of the two environments.
In order to work together to secure what is at stake in the IoT, business and technical leaders need to consider three approaches that connect with one another – visibility, threat awareness, and action.
- Visibility: We need to see a real-time, accurate picture of threats, applications, devices, and data – including the relationships between them – to improve our ability to make sense of their associated intelligence. This requires dynamic controls that foster automation and analytics that allow informed decisions.
- Threat awareness: The IoT creates an amorphous security perimeter. Therefore, we need to presume compromise and hone our ability to identify threats – based on understanding normal and abnormal behaviour – identify indicators of compromise, make decisions, and respond rapidly. This requires overcoming complexity and fragmentation in our environments.
- Action: Once we identify a threat or anomalous behaviour we need to take action. This requires the right technologies, processes, and people working together and swiftly to be effective, and an adaptive trust that allows automation to do its job.
These approaches aren’t just words, they are critical to a security posture, especially as the attack surface exponentially grows through the IoT. A recent attack that we call the “String of Pearls” highlights the importance of having true visibility across multiple domains of infrastructure and the ability to really analyse and understand threat actors. In short, the attack starts with spear phishing, exploits a feature within Microsoft Word – on a Windows desktop – which then triggers a macro that downloads malware from Dropbox and then seeks to move laterally using the network. A singular lens into just one of these vectors – email, desktop, cloud-based file sharing or network – without a holistic picture of the threats, the vectors, the data and relationships between them wouldn’t have shown an active attack through the “String of Pearls” malware campaign, nor would a company be able to take quick and decisive action.
“String of Pearls” is just one example of the types of attacks that organisations are facing. As we connect more automobiles, industrial systems, and medical devices, and more companies develop business models based on this connectivity, it only stands to reason that our visibility and awareness of threat actor behaviour must extend beyond traditional security domains. And it should go without saying that we need the ability to take action when we find these attacks, which is why I’m going to start writing more about this in the future, because I’m confident that people-intensive processes and procedures alone are not what is needed for us to win this battle.
We have to get this right if we want the IoT to deliver all of the great benefits that it promises for our businesses, and even our personal lives.