CS1907
industrial cyber security

MULTIPLE CHALLENGES

How do you stop a wave of innovation from becoming a tsunami? Cyber security specialists will know this dilemma well, acknowledges Mike Nelson, VP of IoT Security, DigiCert. "The IoT promises to revolutionise not just how we live at home, but how we do business and, more importantly, how we provide those critical resources that society runs on: gas, water, electricity and so on. Given the opportunities that are being offered to seemingly every level of society - who could say no? Then again, a cyberattack on a Fitbit is a very different thing to a cyberattack on a water treatment facility."

Securing each, he adds, will take very different efforts and before we even start doing that we're presented with several problems. "First, critical assets were built for failure, not attack. The legacy systems that run those facilities have often been doing so for many years and were never created to withstand a cyberattack, let alone an attempt to penetrate their pitiful security by the concerted effort of a nation state. As we fill in the decades-old airgap between critical assets and the internet, we are introducing them to a whole environment full of threats that they are largely unprepared for."

Secondly, there's the simple, well-known fact that the IoT is insecure. Just behind the rapturous applause for the IoT's arrival has been a quieter, but no less impassioned, warning about its vulnerabilities, Nelson states. "Throughout this period, there has been little oversight - government or otherwise - as manufacturers have produced insecure devices and retailers have sold them on to an eager public. That insecurity could have to do with the whole device or it could have been inserted along the often long and labyrinthine supply chain that these devices are assembled on. Even if a manufacturer says their product is secure, there are plenty of potential points of failure from the factory floor to the customer's hands."

And we are only beginning to address these problems now, he says. "A variety of governments and industry bodies are attempting to introduce regulation and standards that seek to protect this wave of innovation. Though these efforts are encouraging, they are not going to patch over mistakes already made and they won't pay the security debts that have already been racked up by the over-eager adoption of insecure technology. Hopefully, the regulation stick will lead to better, more standardised, approaches to IoT security."

That insecurity is not going to be solved soon and new vulnerabilities will always crop up, but device manufacturers can use technology available now to protect devices, suggests Nelson. "Public Key Infrastructures [PKI] with digital certificates, for example, are already being used to secure IoT devices from the factory floor to use across distributed networks. PKIs' ability to authenticate device identities, protect the integrity of code and firmware updates, and encrypt data are proven to be scalable and are interoperable. Well-run PKIs can police the connections between large networks of devices and that makes them a good fit for industrial IoT."

MULTIPLE CHALLENGES

The supply chain for IoT products is often so complex that it's hard to trace - let alone make reasonable security judgements about. "Just because a vendor can vouch for the integrity of its supplier and that supplier can vouch for the integrity of its manufacturers, it doesn't mean that trust, or even security considerations, are present at all of the critical stages of development," says Scott Gordon, CMO, Pulse Secure. That problem becomes bigger when we're talking about the IIoT (Industrial Internet of Things) - "not because the supply chain is less trustworthy, but because human safety is inextricably linked to cyber security".

Defending these often undependable devices is just as much of a problem for the

Mike Nelson, DigiCert: critical assets were built for failure, not attack.

John Titmus, CrowdStrike: firmware and hardware-level visibility is the best option for protecting the supply chain.

www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security<br />