The demands to defend the information on edge devices have reached a new pinnacle and continues to grow beyond what current capabilities can handle. Legacy cybersecurity systems that ensure the confidentiality, integrity, availability and the proper use of data from edge devices are not sufficient for the growing scale of the Internet of Things (IoT) and Industrial IoT (IIoT). Innovation in technology and process is needed to deliver the robustness necessary to defend against a world of ever-evolving cyber threats.
By Andy Brown, CEO and Co-Founder, Sand Hill East; and Matthew Rosenquist, CISO, Eclipz
A policy framework is required that is specifically crafted for edge environments and implemented through technical controls and configuration. A structure of robust architectures and practices must protect the data from exposure, exploitation, and manipulation. They must be designed for sustainability over the extended lifecycle of these types of products, and adapt to the new tactics of emerging threats.
Since their inception, internet-connected devices have become vastly more complex, capable, and specialized. To improve performance and responsiveness, much of the computing is now pushed closer to end-users, thus becoming edge devices. These act as sensors capable of providing valuable data to localized feedback loops. Continuous streams of information enable real-time insights into operations, potential issues, and emerging opportunities. Such designs empower organizations around the world to automate processes and make favorable decisions promptly. In short, feedback loops powered by edge devices are fueling the global digital transformation to deliver efficiency and modern automation.
A significant reduction of costs and an increase in functionality have propelled the explosive adoption rates of IoT/IIoT devices. However, the benefits of greater visibility and empowerment come with risks that are unfamiliar and, in many cases, hidden. The exposure and corruption of this feedback data can cause catastrophic downstream impacts for the continuity of operations, protect personal privacy, and people’s safety. The breaching of sensors and the data they create can be wielded for unethical or undesired purposes, to the detriment of organizations, partners, customers, and society.
Secure the data
Data security has emerged as a crucial requirement for complex automated systems. However, providing trust in digital systems is proving difficult because legacy technologies are not well-suited for a more autonomous world. All major industries are embracing digital technologies for enhanced capabilities, faster results, and better decisions. In doing so, they are also inheriting the risks of undermined systems.
Data provides a competitive advantage. Manufacturing, retail, transportation, defense, and every sector of Critical Infrastructure (CI) are leveraging digital sensors and becoming reliant upon the insights they provide. A continuous stream of the right data is the key to assessing situations and acting decisively. In complex environments, interconnected feedback and decision loops are the backbones of most operational practices. These systems need a constant stream of incoming information to adjust and achieve the desired goals. However, erroneous or tampered data may pose a risk by providing incorrect information that undermines good decisions. Without proper security controls, honest mistakes or malicious attackers can undermine the very foundations of automation and business decisions.
Increased scale and complexity; increased risk
Much of our growing digital ecosystem is or will be reliant on the principles of the simple feedback loop through sensors that provide data for instantaneous decision-making. There is a race to embrace new technology and adopt automation solutions that deliver a business advantage. The possibilities are as limitless as our imagination, but so are the associated risks. Sensor data makes possible the automated online processes we have come to take for granted, such as online storefront order processing, shipment logistics, and healthcare monitoring. Manufacturers can increase production speed and improve consistency. Dangerous environments can be monitored and managed for safety. Manipulation of digital sensors and data can make all of these automated processes go wrong. Industry professionals have long expressed concern that most of the billions of IoT and IIoT devices in the world are vulnerable. This reality places global services, national economies, personal privacy, and the safety of people’s lives at an ever-growing risk.
The defense of sensors and edge devices can’t be achieved with the same techniques that evolved with traditional desktops, servers, and laptops. Modern personal computers and servers are built with tremendous computational power, memory, and storage resources to be flexible across a wide range of tasks. IoT sensors and devices are designed with the opposite in mind, generally with a specific purpose to be as economical and streamlined as possible. They are in a different class entirely and do not benefit from an abundance of computing resources.
Current tools fall short
Most cybersecurity tools have evolved to leverage the extensive system resources in personal computers and servers to provide comprehensive protection. These solutions are not compatible due to IoT limitations. Very few solutions are available to meet the specialized needs of something as small as a sensor.
The scale and diversity of the IoT landscape compound the problem. An additional 4 billion IoT devices are predicted to come online in 2020. These systems will add to the vast amount of data already existing for an estimated total of 100 trillion gigabytes by the end of 2020. IoT/IIoT are often deployed in clusters, aren’t very well-protected, and may represent the weakest link that hackers and malicious agents can use to gain a foothold to attack other systems.
The IoT industry has begun to address the first order of issues that resulted from poor designs and the omission of basic security features. As a first step, the focus is on protecting the devices themselves from exploitation. Changing default passwords, removing manufacturer administration and testing backdoors, and requiring user authentication are now standard practices. What has not been addressed is the more difficult problem of fortifying the data and network connections to and from these devices. Vast exposures are still present.
What exactly is at risk?
Digital sensors and systems contribute to the safety of employees and customers and are vital components to critical systems. Due to this importance, they are targeted by cyber threats. The more the world relies upon computer-based services, the more the attackers’ leverage when they disrupt or control these systems. As automation increases, the complexity grows, and systems become more sensitive to significant impacts. An increasingly online yet unguarded world creates many possible safety concerns.
After years of warnings from cybersecurity professionals, the predictions came true: attackers turned their attention to IoT devices. Everything from industrial controls, healthcare tools, entertainment systems, vehicles, telecommunications, and home surveillance cameras have been successfully hacked. An IoT-powered botnet brought down significant portions of the Internet on the American eastern seaboard for an uncomfortable amount of time in one attack. Implanted medical defibrillators and pacemakers were shown to be exploitable and had to be replaced in patients. Power plants and regional distribution grids have been targeted. Hackers can also tap into cameras and watch victims in public settings, offices, and in the privacy of their homes. There have been instances of hackers taking control of automobiles and aircraft. Private information has been scraped from retail devices and personal health monitoring devices. Implanted medical devices and emergency room equipment are vulnerable to compromise. The range is incredible, from small sensors and home appliances to the biggest planes, ships, chemical plants, and power distribution networks.
Even a trivial device makes a difference. Sensor data for chemical spills, fires, and unsafe breathing conditions may automatically trigger fire suppression, evacuations, and emergency response. Data that falsely report an unacceptable temperature drop in stored foods might require the assets to be discarded. Worse, if the controls were tampered with and the temperature did drop to unsafe levels without any alarms, then lethal consumables might be released for distribution to the public.
The list of confirmed vulnerable devices grows every week, demonstrating that these systems and the data they generate are at significant risk. The abundance of these dangers, whether actual or potential, requires a greater oversight to support a higher degree of confidence in the technology upon which we all depend. Malicious online attackers breed new threats that can undermine the confidentiality, integrity, and availability of data. Criminals target systems that they can easily manipulate to seize control, commit fraudulent activities, and steal sensitive information. Data, both at-rest, and in-transit must be protected from such attacks, and edge devices are easy targets on the front lines.
Innovation is necessary to safeguard data across the new digital landscape
The traditional model for digital security begins to unravel when enormous numbers of less sophisticated IoT/IIoT devices generate a vast amount of data that is not adequately protected. Current solutions simply don’t operate well within the limitations of IoT deployments. As cybersecurity professionals, we need innovative new technologies and processes to mitigate risks posed by current and emerging threats for this fastest-growing sector of computing devices. Solutions must overcome the challenges that traditional protections are unable to address. Securing devices, network connections, and the data that travels across them are paramount. The future of the Digital Transformation (DT) movement resides in preserving the trust that people place in technology, that it will act for their benefit and not maliciously against them. The solutions of the past become more obsolete as every day passes. Innovation that is specifically tailored to IoT is necessary to safeguard the benefits across the new digital landscape.
About the Authors
Andy Brown currently serves as CEO of Sand Hill East, LLC, which provides strategic management, investment, and marketing services to emerging companies. Brown is also a member of the boards of directors of Guidewire Inc., a public traded company in the PNC insurance business; Zscaler, Inc., a publicly-traded company providing cloud security services; LMRKTS LLC, a company providing FX and Swaps compression utilities; Moogsoft, a next-generation AI-Operations company; SiteHands, a company providing “field engineering as a service,” and Pure Storage, Inc., a publicly-traded software-defined data storage solutions company. He is also CEO and co-owner of Biz Tectonics LLC, a privately-held consulting company. From September 2010 to October 2013, Brown served as Group Chief Technology Officer of UBS, an investment bank. Prior to that, he served in a variety of executive management and leadership roles at a variety of leading banking companies including Bank of America, Merrill Lynch, and Credit Suisse. Brown holds a BSc Honors Degree in Chemical Physics from University College London.
Matthew Rosenquist is the Chief Information Security Officer (CISO) for Eclipz, the former Cybersecurity Strategist for Intel Corp, and benefits from 30 diverse years in the fields of cyber, physical, and information security. Mr. Rosenquist specializes in security strategy, measuring value, developing best-practices for cost-effective capabilities, and establishing organizations that deliver optimal levels of cybersecurity, privacy, ethics, and safety. As a cybersecurity strategist, he identifies emerging risks and opportunities to help organizations balance threats, costs, and usability factors to achieve an optimal level of security. Mr. Rosenquist is very active in the industry. He is an experienced keynote speaker, collaborates with industry partners to tackle pressing problems, and has published acclaimed articles, white papers, blogs, and videos on a wide range of cybersecurity topics. Mr. Rosenquist is a member of multiple advisory boards and consults on best-practices and emerging risks to academic, business, and government audiences across the globe.
Disclaimer
All views are personal and attributed to the author(s). The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
