The role of the CISO is rapidly expanding to include managing safety risks as well as protecting sensitive information, according to a recent Gartner report. This shift is being driven by the deployment of cyber-physical systems (CPS): Internet of Things (IoT) devices used in building management systems and healthcare facilities, and operational technology (OT) devices used in manufacturing plants, oil and gas facilities, energy and water utilities, transportation, mining, and other critical industrial infrastructure.
Because CPSs encompass both the digital and physical worlds, they are prime targets for adversaries seeking to cause major safety and environmental incidents and/or operational disruption. Examples include the TRITON attack on safety systems in a petrochemical facility, the Ukrainian grid attacks, NotPetya, and the Norsk Hydro ransomware attacks.
In addition, last August Microsoft reported that it observed a Russian state-sponsored threat group using IoT smart devices as entry points into corporate networks, from which they attempted to elevate privileges to launch further attacks. More recently, we’ve also seen attackers compromising IoT building access control systems to pivot deeper into corporate networks.
Industry analysts estimate that some 50 billion IoT devices will soon be deployed worldwide, dramatically increasing the attack surface. Because these embedded devices typically cannot run endpoint agents, and are often unpatched or misconfigured, CISOs need new strategies to mitigate IoT security risk. Otherwise, it is not hard to imagine regulators and corporate liability lawyers soon holding C-level executives negligent, and even personally liable, for failing to implement safety-related security controls.
Five Steps Toward Mitigating CPS and IoT Risk
Idaho National Laboratory (INL) has developed a methodology for addressing CPS and IoT/OT risk called consequence-driven cyber-informed engineering (CCE). Based on this INL approach, here are five steps that all organizations should consider prioritizing in the near future:
- Identify crown jewel processes: You can’t protect everything all the time, but you can protect the most important things most of the time. Therefore, ruthless prioritization of the functions whose failure would result in major safety or environmental incidents, or operational disruption, is key. Through conversations with business owners, infrastructure managers, and OT personnel, identify the things you most need to protect upfront.
- Map the digital terrain: Identify and categorize all connected assets in the organization, regardless of whether they’re considered IT, IoT, building management systems (BMS), OT, or smart personal devices, such as Alexa and gaming systems. This includes understanding how information moves through your network and who touches the equipment, including third-party vendors and maintenance contractors with remote access connections.
- Illuminate the most likely attack paths: Analyze risks and vulnerabilities in your network to determine the most likely attack vectors to your crown jewel assets and processes. This can be done using automated threat modeling as well as by using red-team exercises to identify other entry points, such as social engineering and physical access to your facilities.
- Mitigate and protect: Once you have an idea of the most likely attack paths, develop a prioritized approach for mitigating risk. This can include steps such as reducing the number of Internet-accessible entry points, using zero-trust micro-segmentation policies to segregate IoT and OT devices from other networks, and patching critical vulnerabilities that lie on the most likely attack paths. Ongoing compensating controls center on continuous, agentless network security monitoring that immediately flags suspicious or unauthorized behavior, such as a CCTV camera querying Active Directory.
- Remove silos between IT, OT, IoT, and CPS: As the CISO, securing the enterprise means being accountable for all digital security, whether it is IT, OT, IoT, or CPS. Creating unified security monitoring and governance requires a holistic approach to people, processes, and technology. Technical aspects include forwarding all IoT/OT security alerts to the security operations center and leveraging existing security information and event management (SIEM), security orchestration, automation and response (SOAR), and prevention mechanisms (firewalls and network access control systems) to respond rapidly to IoT/OT incidents, for example by quarantining devices that have been detected as sources of malicious traffic. One caveat: quarantining a controller or HMI can itself halt a process, so automated response for OT assets should be gated on a human decision.
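The following is an added example, not code from the original article or from CyberX, showing how the digital-terrain map (step 2), a default-deny micro-segmentation policy (step 4), and SIEM-ready alerting with a quarantine decision (step 5) fit together as an agentless, flow-based monitor. The asset inventory, policy table, device names, addresses and flow records are all constructed sample data; the detection shows the "camera talking to Active Directory" case from the text alongside a vendor connection that bypasses the HMI and an unmapped host. OT classes are deliberately excluded from automatic quarantine, leaving those alerts for an analyst.

```python
"""Flow-based, agentless policy monitoring for a mixed IT/IoT/OT network.

Added example, not code from the original article or from CyberX. The
inventory, policy and flow records are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Step 2 (map the digital terrain): every connected asset, tagged with a class
# and whether it belongs to a crown-jewel process. Constructed sample data.
@dataclass(frozen=True)
class Asset:
    name: str
    cls: str           # it-server, iot-camera, iot-nvr, ot-hmi, ot-plc, vendor-remote
    crown_jewel: bool  # failure would cause a safety, environmental or operational incident


INVENTORY: Dict[str, Asset] = {
    "10.0.1.10": Asset("dc01", "it-server", True),          # Active Directory domain controller
    "10.0.2.15": Asset("lobby-cam-03", "iot-camera", False),
    "10.0.2.50": Asset("nvr01", "iot-nvr", False),
    "10.0.3.5": Asset("plc-line1", "ot-plc", True),
    "10.0.3.9": Asset("hmi-line1", "ot-hmi", False),
    "203.0.113.7": Asset("vendor-vpn-gw", "vendor-remote", False),
}

# Step 4 (mitigate and protect): default-deny micro-segmentation policy.
# Key is (source class, destination class); value is the set of allowed TCP ports.
# Any pair not listed is denied.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("iot-camera", "iot-nvr"): {554},          # RTSP video to the recorder, nothing else
    ("ot-hmi", "ot-plc"): {502},               # Modbus/TCP from the HMI only
    ("vendor-remote", "ot-hmi"): {3389},       # contractor RDP lands on the HMI, never the PLC
    ("it-server", "it-server"): {88, 389, 636, 445},
}

# Classes that must never be auto-quarantined: cutting a controller or HMI off
# the network can itself cause the safety incident we are trying to prevent.
NO_AUTO_QUARANTINE = {"ot-plc", "ot-hmi"}


def evaluate_flow(flow: dict) -> Optional[dict]:
    """Return an alert for a flow that violates policy or involves an unmapped
    asset; None when the flow is permitted."""
    src, dst = INVENTORY.get(flow["src"]), INVENTORY.get(flow["dst"])
    if src is None or dst is None:
        return {"rule": "unmapped-asset", "severity": "medium", **flow,
                "detail": "host not in inventory; the digital terrain map is incomplete"}
    if flow["dport"] in POLICY.get((src.cls, dst.cls), set()):
        return None
    severity = "high" if dst.crown_jewel else "medium"
    return {"rule": "segmentation-violation", "severity": severity, **flow,
            "src_name": src.name, "src_class": src.cls,
            "dst_name": dst.name, "dst_class": dst.cls,
            "detail": f"{src.cls} {src.name} -> {dst.cls} {dst.name}:{flow['dport']} not permitted"}


def monitor(flows: List[dict]) -> List[dict]:
    """Run every flow through the policy; the result is the alert stream sent to the SIEM."""
    return [alert for alert in (evaluate_flow(f) for f in flows) if alert]


def quarantine_candidates(alerts: List[dict]) -> List[str]:
    """Step 5: sources of high-severity violations that a SOAR playbook may hand to
    NAC or the firewall for quarantine. OT sources are left for manual review."""
    picked = {a["src"] for a in alerts
              if a["rule"] == "segmentation-violation" and a["severity"] == "high"
              and a["src_class"] not in NO_AUTO_QUARANTINE}
    return sorted(picked)


# Constructed flow records, in the shape a flow collector might export them.
SAMPLE_FLOWS = [
    {"ts": "2020-03-02T09:00:01Z", "src": "10.0.2.15", "dst": "10.0.2.50", "dport": 554},   # camera -> NVR, allowed
    {"ts": "2020-03-02T09:00:05Z", "src": "10.0.2.15", "dst": "10.0.1.10", "dport": 389},   # camera -> AD LDAP
    {"ts": "2020-03-02T09:00:06Z", "src": "10.0.2.15", "dst": "10.0.1.10", "dport": 88},    # camera -> Kerberos
    {"ts": "2020-03-02T09:01:00Z", "src": "10.0.3.9", "dst": "10.0.3.5", "dport": 502},     # HMI -> PLC, allowed
    {"ts": "2020-03-02T09:01:30Z", "src": "203.0.113.7", "dst": "10.0.3.5", "dport": 502},  # vendor straight to PLC
    {"ts": "2020-03-02T09:02:00Z", "src": "10.0.3.9", "dst": "10.0.1.10", "dport": 445},    # HMI -> DC over SMB
    {"ts": "2020-03-02T09:02:10Z", "src": "10.0.9.99", "dst": "10.0.3.5", "dport": 502},    # unknown host -> PLC
]

if __name__ == "__main__":
    found = monitor(SAMPLE_FLOWS)
    for alert in found:
        print(json.dumps(alert))  # one JSON line per alert, ready for SIEM ingestion
    print("auto-quarantine:", quarantine_candidates(found))
```

Two design choices matter more than the code itself. Policy is keyed on device class rather than on individual addresses, so a new camera inherits the camera rules the moment it is classified, and any host missing from the inventory produces its own alert rather than silently falling through. The HMI talking SMB to the domain controller is just as high-severity as the camera doing so, yet it is not auto-quarantined: blocking an HMI mid-shift is an availability incident on the plant floor, which is exactly the consequence the CCE process is meant to avoid.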
Proactively Preparing for the Future
Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are motivated, determined, and highly capable of causing disruption and destruction.
Industry experts agree that determined attackers will eventually find a way into your network, so the better strategy is to deploy monitoring that spots them during the early reconnaissance stages of the kill chain and lets you contain the intrusion before it causes significant damage. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversaries were inside the network for several years before being discovered, and then only because a flaw in their malware inadvertently triggered a shutdown of the plant that lasted a week.
It is imperative for boards and management teams to recognize the new safety and security risks posed by IoT and CPS systems — and proactively prepare for them using a risk-based approach.
Phil Neray is VP of IoT & Industrial Cybersecurity for CyberX, a Boston-based security firm founded by blue-team experts with a track record of defending critical national infrastructure. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, …