Cyber Defense eMagazine May 2019
Cyber Defense eMagazine May Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
the de facto security standard similar to guidance from the Cyber Shield Act of 2017 about voluntary certification and labeling of IoT products.
A Fly in the Ointment
Whether we use a government agency like NIST, with established standards, or a non-profit organization like Underwriters Laboratories, which can develop its own standards for certification, one issue remains. The problem with certifying devices, in this day and age, is that the devices change. UL-listed lightbulbs and power cords aren't typically upgraded, augmented or altered in any way. Today's IoT products, by contrast, facilitate upgrades, updates, and modifications. While we may be heading in a positive direction with IoT security standards, alterations from upgrades, updates, modifications or added applications remain a major security certification issue. These alterations change the security configuration of a device, possibly voiding any prior certification and making the device vulnerable. Downloaded upgrades, updates, modifications and added applications mean that the products that were once approved as safe are no longer the original secure product. The three-year NIST RMF cycle keeps government systems continuously secure through continual review of any changes by the assigned engineers. Unless an IoT device is "set and forget" hardware that never requires alterations of any kind (unlikely in this day and age), it will need to be reviewed and re-certified when configuration changes are made. IoT security necessitates that: 1) IoT devices must be continuously monitored for changes to their risk status, 2) only pre-approved upgrades, updates, modifications and applications, in accordance with security certifiers, are allowed on the device and/or 3) IoT devices, once certified, are hardened to prevent any changes (i.e. set and forget/secure and endure). Any unapproved upgrades, updates, modifications or applications void the certification/security.
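The three requirements above can be sketched as a small certification-baseline monitor: record a digest of every certified component, let only certifier-approved update images move that baseline, and treat any other change as voiding the certification. This is an added illustration, not code from the article or from any certifier; the component names, firmware images and "app" bytes are constructed for the example.

```python
# Toy certification-baseline monitor for an IoT device (added example).
# Models: continuous change monitoring, an allowlist of pre-approved update
# images, and certification voided on any unapproved change.
import hashlib
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CertState:
    baseline: dict            # component name -> digest recorded at certification
    approved: set             # digests of update images the certifier pre-approved
    certified: bool = True
    findings: list = field(default_factory=list)


def certify(components: dict, approved_images: list) -> CertState:
    """Record the certified baseline and the certifier's allowlist of update digests."""
    return CertState({n: digest(b) for n, b in components.items()},
                     {digest(img) for img in approved_images})


def monitor(state: CertState, current: dict) -> CertState:
    """Re-check the device after a change: an approved update moves the baseline
    (re-certification); unapproved changes or removed components void it."""
    for name, data in current.items():
        d = digest(data)
        if state.baseline.get(name) == d:
            continue                                   # unchanged component
        if d in state.approved:
            state.baseline[name] = d                   # approved update: re-certify
            state.findings.append(f"{name}: approved update applied")
        else:
            state.certified = False
            state.findings.append(f"{name}: unapproved change, certification void")
    for name in set(state.baseline) - set(current):
        state.certified = False
        state.findings.append(f"{name}: certified component removed")
    return state


def run_demo() -> CertState:
    """Constructed scenario: one approved firmware update, then one unapproved app."""
    fw_v1, fw_v2, rogue_app = b"firmware-1.0", b"firmware-1.1", b"untrusted-app"
    state = certify({"firmware": fw_v1}, approved_images=[fw_v2])
    monitor(state, {"firmware": fw_v2})                # stays certified
    return monitor(state, {"firmware": fw_v2, "app": rogue_app})
```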
The configuration change vulnerability forces us to focus on the continuous monitoring phase of the RMF, which maintains security as configurations change. Re-certifying security is considerably easier in a controlled environment where an organization can readily track changes and adjust devices and systems ad hoc. This is a lot harder when dealing with the public at large. There is no magic pill to keep devices secure/certified, but we offer a few ideas for contemplation. Perhaps IoT devices, once upgraded, updated or modified, could be re-examined by running something similar to the virus scans we do on our personal computers. These scans would be device specific and provided by the manufacturer free of charge. The IoT devices could connect to a laptop to run diagnostics/scans in the same way your car can be connected to a diagnostic computer to run tests. After a scan, the results would show current vulnerabilities and offer downloads to fix those shortcomings. Simply put, every time a device's configuration changes (e.g. a downloaded update), a re-scan would once again certify the device as secure. Tesla vehicles receive "over-the-air" software updates that introduce new features and functionalities. There is no reason this same process can't be used for IoT security.
Without a solution that allows consumers to conveniently and cheaply secure a device, vulnerabilities will abound, and security will suffer. Certifications will mean nothing. Even making the process easy won't
95