Creating cybersecurity awareness for IoT – Technologist

CB Insights predicts that digital twins will take off in 2022 as organisations seek to hedge against supply chain disruption.

“Moving from the cloud to the factory floor, some manufacturers are turning to a micro-factory model, which relies on automation and robotics to create more flexible manufacturing frameworks that can be deployed in a fraction of the time and at scale.”

CB Insights

IoT Analytics forecasts the Internet of Things (IoT) market will grow by 18% to 14.4 billion active connections. It also posits that by 2025, as supply constraints ease and growth further accelerates, there will be approximately 27 billion connected IoT devices.

These billions of connections are a natural magnet luring cybercriminals looking for new targets and new opportunities.

According to CB Insights this “plunging deeper into virtual worlds opens up the playing field to more cybercrime: security solutions will become a major priority, especially as crypto hype and data privacy controversies continue to boom.”

Creating awareness about IoT vulnerabilities

BlackBerry EVP and CTO, Shishir Singh says the massive network of connected things will require interoperability between systems. He posits that organisations need to sensitize employees to the fact that IoT introduces unprecedented safety and privacy risks.

He believed that employees in government and enterprise organisations need to wake up to the fact that bad actors can now access records from any device, anywhere, in real-time, and cautioned that more worrisome is the fact that IoT device makers oftentimes omit rigorous testing and support just so they can get products out to the market sooner.

“They also frequently abandon development of software and security updates the moment products are released, leaving customers—both enterprise and consumers—with an ever-increasing number of unsecured devices in their environments,” Singh continued.

But while IoT is proliferating in any enterprise, it is on production floors of industrial operations where industrial IoT (I-Iot) is rapidly becoming an integral part of the Operational Technology (OT) landscape,” said Rafael Maman, vice president of OT security at Sygnia.

He posits that it is this risk related to I-IoT that is not well articulated, resulting in low awareness.

“These I-IoTs must be considered as part of the OT environment, both to work towards better cyber preparedness and resilience, and organisational awareness.”

Rafael Maman

According to Srinivas Kumar, VP of IoT solutions at DigiCert, vulnerabilities in IoT extend beyond published exposures and exploits. He noted that the “closed” and “siloed” nature of OT/IoT ecosystems provide limited visibility through on-device logs or control through third-party intervention.

“OT/IoT devices are micromanaged by the original equipment manufacturers (OEMs) in production environments. This creates a blind spot for NOC/SOC supervision and mitigation. Application security by design and a security profile for device field operations are essential to qualify and certify IoT devices for compliance and achieve cyber resilience in connected systems.”

Srinivas Kumar

“A comprehensive approach to digital trust ensures that all access points and data are properly authenticated and encrypted, and that identity- and access-based attacks are given an extra layer of protection that can be enforced and monitored throughout the organisation,” said Kumar.

Recommendations for creating sustained awareness around IoT security

Sygnia’s Maman recommends considering IoT, specifically I-IoT, as an integral part of the OT environment, and managing the related risk landscape as part of the overall OT security framework.

“And include it in all your cyber awareness campaigns and training programmes – again, as an integral part of your operational technology – and make sure to highlight the additional risk it introduces to your OT environment,” he pushed forth.

Kumar adds that cybersecurity in multi-vendor and heterogeneous device ecosystems is a collaborative effort and requires OEMs, device operators, device owners, and regulators to set mandatory compliance standards and best practices for endpoint security on headless field devices.

“The paradigm shift in OT/IoT ecosystems is to harden devices for protection throughout the active service life that may span 10-30 years,” concluded DigiCert’s Kumar.

BlackBerry’s Singh believes that an effective way to drive greater awareness about IoT vulnerabilities is to inform employees about their responsibilities from day one – adapting cybersecurity processes and policies as part of the company’s onboarding is a good method to educate users.

“Besides regular and mandatory training programmes that all employees must undertake, conducting cybersecurity drills like simulated crisis management exercises can raise awareness, preparedness, and ultimately reduce the impacts of critical events.”

Shishir Singh

“Lastly, ensure that IoT security training is targeted and easy to consume. Sharing irrelevant and confusing details about the threats of IoT vulnerabilities can be counterproductive. Communications should be kept simple, concise, and easy to understand as not every employee is an IT expert,” concluded Singh.