EDITOR’S QUESTION
SAM CURRY, CHIEF SECURITY OFFICER AT CYBEREASON
There are many issues around the dissemination of connected ‘things’, mostly to do with public safety and something close to digital pollution; however, the real issue for most CISOs isn’t so rarefied. Far more pragmatically, the question of what to do with the oncoming wave of OT-enabled and IoT devices is much more immediate.

What to do next is a big enough question, and the industry is by and large filled with FUD, hyperbole and the normal noise of early hype-cycle language abuse and froth. It can be broken down much more simply, starting with identity concerns, device integrity concerns and environmental resilience concerns. Above all, though, CISOs have to be prepared to say no loudly if guidelines aren’t met.
First up, we have identity. Too many devices are shipping with default identity accounts and weak passwords. CISOs should immediately insist on strong device identity and on devices being unable to go live within the domain in a manner that can be hijacked trivially. There’s no excuse for weak, default passwords or even fully enabled default accounts. A process for getting enterprise OT and IoT devices ready is not too onerous, but devices that don’t allow account and authentication options to be sanitised should be outright banned.
In an ideal world, hardware roots of trust, secure enclaves and strong, hardware-based cryptography are ideal; but we shouldn’t push for ideal up front across the board. Reward it if you see it and enforce it where you must; but settle for good, manageable identity hygiene in the meantime.
Next, we have device integrity, which is a big one. It is imperative that clear catalogues of hardware and software are available and that secure update services exist. Many of these devices will be in the field for a long time and may be in physically or even digitally inaccessible locations. It is inevitable that vulnerabilities, and critical ones at that, will exist.
This means that they must expose their components and enable updates in a secure fashion. They should also share logs via standard syslog output, expose APIs in a secure fashion for querying the device, and share telemetry about components for tracing threads, files, users, processes, services, daemons, registries and the equivalent, based on their ongoing functions.
Finally, we have the ability to monitor and isolate from an environmental perspective. There are products that can infer from communications on the network what a device is or is doing. Traffic analysis, protocol analysis, data analysis and general network-level and enterprise-level behaviour analysis are vital.

Having said that, the need to segment the network pre-dates OT and IoT, but it is imperative in the newly emerging IT environment. The potential exists not just for lateral movement from these new devices as autonomous islands but also for internal DDoS attacks and espionage.
Therefore, limiting the visibility and exposure available to rogue, captured devices is a way of containing and limiting damage.