Although widely expected that the Internet of Things (IoT) will be a source of competitive advantage or industry disruption for supply chains within the coming decade, many companies remain concerned about managing the cybersecurity aspect. That is, how—in a world where devices communicate in ways both known and unknown—to protect their organization against malware, malicious attacks, hackers, ransomware, competitive espionage and more.
The fourth quarter 2018 issue of MHI Solutions delved into this topic in “Cybersecurity Threats to Supply Chains in an IoT World,” bringing together six experts to collect their insights about biggest internal and external risks posed by IoT, and the cybersecurity steps that can be taken to mitigate those risks. Here’s a few highlights from each. In this post, three of the experts are featured; the second post can be found here.
Irfan Saif, Deloitte Risk and Financial Advisory Cyber Risk Services Principal at Deloitte & Touche:
“When deploying connected IoT devices, the first risk is a lack of strategy and governance over what is going to become a very heterogeneous environment. Meaning, in traditional manufacturing and supply chains, you have closed systems that can be very tightly controlled in terms of the controllers used, software and firmware versioning, and network traffic. In a more open, intelligent environment, a lot of the value is going to be derived from these devices being interconnected and working together. The next risk is related to managing the tremendous amount of data these devices put out. The pace at which they will interoperate and the kinds of data they will be putting out is far greater than today.
“In terms of managing IoT cybersecurity risks, consider ‘secure, vigilant and resilient.’ Being secure is about the protection and configuration of the device and governance of the data. Vigilant is monitoring, threat intelligence, and predictive and responsive actions to be taken when there’s an indicator of compromise. Resilient is the ability to appropriately respond to and mitigate the impact of some event, such as a technology malfunction, a user or configuration error, or something malicious.”
Steve Durbin, Managing Director of the Information Security Forum:
“…of the greatest concern to me, is companies don’t necessarily understand the breadth of their IoT real estate—because IoT devices have been around for years, and you may not know they’re present in your equipment. For example, one of our U.S. members had a scheduled manufacturing plant shut down for maintenance. In the middle of it, the plant came back to life. Why? Because some of unknown IoT devices picked up on some Internet traffic and sparked off some of the machinery. The only way they could take it down was by unplugging the plant from the Internet, and investigating exactly where these devices actually sat and how much they had…
“…when you consider the potential impact of a security breach, such as ransomware, the supply chain is not the only aspect of your organization to be impacted. A plant shutdown affects the employees who work there, the end customers, revenues, stakeholders and their confidence and so on. For that reason, IoT and cybersecurity is a whole company issue and should involve the boardroom in developing a risk profile that the organization is comfortable with. Companies need to view this much more holistically rather than it just being an Information Technology (IT) or operations issue.”
Rishi Bhargava, Co-Founder of Demisto:
“It’s difficult for organizations to achieve competence in multiple fields. Whenever an original equipment manufacturer (OEM) makes an IoT-enabled device, they often struggle to reconcile their expertise in their original industry with their unfamiliarity in Internet connectivity and security. This results in manufacturers having outdated operating systems and patching features on their products, being lax with password protection and changes, and having no regular software update mechanisms to communicate to their customers…
“I see three ways to mitigate these risks. First, it’s vital to protect and secure the networks connecting IoT devices to the Internet… Second, deploy authentication and encryption protocols… Finally, in case of a breach, an incident response platform that connects to on-premise security tools as well as to IoT devices through application programming interfaces (APIs) makes it easier for security teams to recognize the root cause of the attack and execute actions on the IoT devices directly.”