This is the second of a two-part blog sharing insights from six experts about the biggest internal and external risks posed by IoT, and the cybersecurity steps that can be taken to mitigate those risks. Part 1 of the post can be read here.
Christopher Roach, National IT Practice Leader and Managing Director of CBIZ Risk & Advisory Services:
“When considering the risks associated with IoT connectivity to vendors, it’s also important to remember your own service providers—not just your trading partners. One of the things we look at is the environmental controls at larger operations, which typically contract with their HVAC vendor to provide remote monitoring and maintenance of equipment associated with one or more facilities. Many companies just give the service provider an open port as an external access point—it’s come to be known as a weak spot. The same applies if the manufacturer remotely monitors a facility’s automated material handling equipment. If that port is open, unmonitored and accessible via a single user identifier, there’s high risk to your operation.
“When considering cybersecurity at the vendor or service provider level, the best defense is to have a sound vendor risk management assessment program in place. This is a process that assesses the vendor, the tools they use and the security protocols they have in place. It’s not perfect and you likely won’t find every flaw, but simply having this program in place shows any vendors engaging with you that you’re serious about security. And a vendor risk assessment is not a one-and-done thing, either. Vendors mature and vendors change, so we recommend an assessment of each one at least annually.”
Mark Hung, Research Vice President and Lead IoT Researcher at Gartner:
“On a high level, as more things are connected because of IoT, the general attack surface has increased greatly. The typical enterprise planning for cybersecurity today is focused on employees’ laptops, phones, tablets or servers that are either on-premise or in the Cloud. Yet, with IoT, the types of endpoints that could connect to the network are much more diverse, much greater in number, and significantly different from each other. Securing them takes a lot more effort and know-how.
“With regard to IoT endpoints not being physically protected, that’s where hardware-based security can help. For example, secure elements (SEs) are tamper-proof chips that only allow authorized applications or people to access the device, or trusted execution environments (TEEs), an isolated or secure area of a device’s processor that protects the data loaded inside. Combining those two solutions can solve the overall breadth and depth of the security issues that may arise with exposed IoT endpoints.”
Chris Roberts, Chief of Adversarial Research and Engineering, Lares Consulting:
“…the top risks created by IoT connectivity between trading partners and suppliers would again be data leakage; internal intelligence on various supply chain factors getting into the wrong hands, being leaked or being taken via espionage; and the integrity of data accessible by the very systems that have vulnerabilities and other issues that can be exploited. This is why companies deploying IoT systems need to know the risks. If you don’t, then bring in folks who do. Educate yourself and/or also work out where to get intelligence from your solutions. Look at open source tools to keep up with current code issues. There are also several government resources for researching issues, including the National Cybersecurity and Communications Integration Center (NCCIC).
“Determine where your data is, and who has access to it, by building a technical roadmap of what dependencies you have across the board and of your vendors and suppliers—and, what are their dependencies as well. Further, put cybersecurity policies, procedures and controls in place and measure them. Get a maturity roadmap in place and work with a team to stick with it.”
To read the full MHI Solutions article, click here.