Home Interviews “No silver bullet to effectively mitigate emergent IoT threats”

“No silver bullet to effectively mitigate emergent IoT threats”

Abhinav Biswas

Abhinav Biswas, the Alt. CISO for Electronics Corporation of India Limited (ECIL), Dept. of Atomic Energy, Govt. of India, has a wide range of agile experience, starting from the days of embedded systems, moving to web application Penetration testing & Vulnerability Assessments, followed by Data-Centre & Infrastructure Security and then to the latest trend of Cloud Risk Management amalgamated with Governance & Compliance.

He is currently responsible for protecting ECIL’s information assets in conjunction with maintaining CIA of enterprise services spread across all metro cities of India. In a discussion with Rudra Srinivas of CISO MAG, Biswas discusses challenges he faces in his role, measures businesses can implement to tackle security threats, and emergence of Internet of Things.

As a security leader, what are the challenges you face while implementing new security strategies and products?

There are number of challenges one faces when developing or implementing new security strategies or products. Below are the ones I faced:

  • Constantly expanding Threat Landscape of ECIL’s enterprise IT services with new Attack Vectors like Ransomware, Mass-scale Distributed Denial of Service (DDoS), Novel Spear Phishing etc. which further increases the lack of systematic security & emergency preparedness.
  • Timely application of Endpoint security patches still remains a critical security vector where numerous factors come into play like up-front upgradation costs, training, efficacy, ease of use, change management issues etc. Establishing a completely Automated Security Patch Management system is a big challenge.
  • Lack of proper skilled human resources for efficient SOC operations & proactive threat hunting requirements. Most SOC operations in ECIL have been Reactive in nature.
  • Difficulty in benchmarking APT & Anti-Ransomware solutions based on in-premise POCs conducted by top global vendors.
  • RFP creation process of SIEM (Security Incident & Event Management) systems specific to ECIL requirements. Non-Availability of standard SIEM evaluation framework.
  • Change Management issues in implementing Digital Signatures & Certificates using USB-tokens/smart-cards and integration issues with SAP ERP system.

According to you, in what aspects are Indian businesses lagging behind with regard to the cybersecurity management?

Lack of proactive security and emergency preparedness can be a big issue. Though big companies have Business Continuity Plans (BCP) & Disaster Recovery (DR) Plans implemented as part of InfoSec Policy, but they are not imbibed in their work culture. Most Indian CISOs will admit that in case of a breach, lack of proactiveness has always led to panic and caused delay in taking the right action.

If big companies are ill-prepared to face the cyber threat, small and medium enterprises (SMEs) are sitting ducks because most of them are not prepared at all. They have no processes or systems in place nor do they hire dedicated cyber professionals.

Lack of rigid Bring-Your-Own-Device (BYOD) policy is another challenge. While companies can ensure that their official devices are well-protected, they do not have much control over personal devices. We also don’t see indigenously developed security products and technologies. Trusting foreign vendors with imported hardware security products is question of national security because of the rise of embedded trojans & Stuxnet-like attacks.

What is your organization doing to give its employees a thorough understanding of the vulnerabilities of their systems?

We have taken following steps to make our employees aware of vulnerabilities:

  • Conducting in-house training programmes by security experts to educate and transform the SOC staff into a skilled workforce
  • Increasing the frequency of Red team & Blue team exercises & drills.
  • Carrying out security/vulnerability awareness training programs for regular employees supplemented with quarterly internal audits of all end-user systems.
  • Hosting Monthly Security Bulletin Report on the Intranet and sharing Audit reports of vulnerable systems with CISAG, DAE and CERT-In for remediation & further actions.

How cybersecurity requirements in the nuclear facilities differ from the ones in other sectors?

 First of all, control and instrumentation (C&I) systems in nuclear facilities typically have much longer life cycle than commercial IT systems and the innovation cycles is also very different from those in conventional Information & Communication technology (ICT). Therefore, these facilities require technologies which can provide long-term support for Industrial Control Systems (ICS) networks, in an era where threat landscape is dynamically changing.

In nuclear facilities, generally operations team assume security just by ensuring obscurity of protocols, isolation of networks, and, may be, assuming disinterest in potential attackers because of isolated installations, which in turn creates false perception of security.

Inspectability, the capability to monitor a system’s internal state, is the backbone of traditional security tools. Most desktop security tools observe the behaviour, output, and code signature patterns of system processes. This is how virus scanners identify malware and how integrity checkers identify modifications to important system files. Similarly, network intrusion detection systems rely on the ability to inspect network traffic. Forensics and reverse-engineering tools too require the ability to inspect code and binaries both statically and dynamically, as they run on a system. Embedded systems and C&I systems like PLCs, RTUs etc used in nuclear facilities are much less inspectable than desktop computers due to lack of tools and suitable interfaces.

The surge of the Internet of Things (IoT) is forcing many businesses to reconsider their approaches to cyber risk management. How the emergence of IoT devices is changing the cybersecurity landscape?

With the advent of IoT, we are drifting into an era of ubiquitous surveillance where security, privacy and trust are going to be much bigger challenges. After the revelations of Edward Snowden, we can’t trust anything digital. The sensors of the digital world are fuelled with our PII (Personally identifiable information). Our purchasing patterns, browsing patterns, driving habits, eating habits, health indicators like heartbeat, blood pressure, places we visit etc., every data is being collected by Smart IoT devices and there’s a lack of transparency between data being collected and what it is being used for.

Ransomware will soon hit IoT market as well and because the sensors of IoT devices are the gates of our digital data, attackers will try to gain control of it. Emergence of IoT devices will also increase the attack surface of business enterprises because the attackers can exploit smart home/office devices for privilege escalation & indirect intrusion into corporate networks. There’s no silver bullet that can effectively mitigate the emergent IoT threats, as we can’t apply Security by Obscurity principles in IoT. We can’t say our IoT product will be secure because it uses proprietary protocols, indigenous hardware or air-gapped networks. So, we will need to think Security by Design. Also, Security cannot be an afterthought. It has to considered and implemented in all stages of IoT product lifecycle starting from planning, design, development, implementation, verification, validation, deployment to operations.