Special Editions 6.29.17
Ep 16 | 6.29.17

IoT 2017 – Securing the Things: A CyberWire Special Edition


Dave Bittner: [00:00:03] The IoT, or internet of things, broadly defined, is the collection of physical objects with IP addresses connected to the internet. From consumer devices like security cameras, DVRs, and smart thermostats to industrial control systems and autonomous cars, the IoT offers potential for opportunity and vulnerability. In the first half of this CyberWire Special Edition, we speak with IOT experts for their take on the current state of the internet of things for consumers, enterprise, industrial control and even self-driving cars. Later in the program, we examine third-party risk, with some sobering statistics from a recent IoT industry survey. Stay with us.

Dave Bittner: [00:00:49] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course, you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance - artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Katie Curtin: [00:01:41] We're certainly living in a new world - in a new connected world, that is.

Dave Bittner: [00:01:45] Katie Curtin is director of IoT cybersecurity product management for AT&T.

Katie Curtin: [00:01:50] You know, with self-driving cars quickly emerging or smart manufacturing environments really ran by robots or even the smart city environments where all the data and diagnostics is collected through connected energy grids or street lights or a water supply network - we're really living in a new type of world where connectivity is paramount. It's driving new types of devices now being connected to the internet and creating a lot of value for the consumers of those devices.

Katie Curtin: [00:02:19] However, when we talk about security and these newly connected devices now back on the grid becoming really critical components of how the business and the public systems are now using these devices - have now become almost like infrastructure. So the need to secure these devices and security these environments - folks cannot afford a compromised scenario. So with IoT security definitely growing and more concern and as we see more headline examples where devices can be leveraged for malicious reasons, certainly security is top of mind now and more so is brought into those conversations when we start addressing the value of IoT.

Chris Poulin: [00:02:53] There's two parts to that. No. 1 one is, where are we from the actual functional perspective, right? So why are people making and adopting IoT devices?

Dave Bittner: [00:03:02] Chris Poulin is a principal at Booz Allen Hamilton, leading the internet of things security strategy for their strategic innovation group, as well as their industrial control group.

Chris Poulin: [00:03:12] We're still sort of on the beginning stages of that, I think. Yeah, we're transitioning away from people just coming up with random ideas and putting them into products and actually starting to think about what the value is - that's good; the problem is that we're still finding our way. We're still sort of at the beginning of figuring out how to make things and how to instrument them and how to make them intercommunicate. And as always, though, the second component is security, which is - when I say, as always, I mean it's an afterthought, so. I know that there are lots of IoT makers who are starting to think about security.

Chris Poulin: [00:03:44] And a lot of them, by the way, think about security early on in the process, but they don't bother to flush it out because it's slow - it slows down progress; it slows down development of the product in the first place. Security is often at odds with functionality, you know, so the perfectly secure product does nothing - right? - and the perfectly functional product has no security. So you know, there's always this tension between those two things, and so it's usually put off until after the product has been proven and produced and there's a market for it.

Katie Curtin: [00:04:13] So one of the big problems in this space is that a lot of these devices that are now being connected to the internet were never built to be connected to the internet. They're legacy devices - PLCs, HMIs - that serve a great purpose and are very robust devices and perform robust operational functions. But now that they're being connected to the internet, it brings a boatload of new security concerns and questions about how to secure these devices.

Katie Curtin: [00:04:37] So one of the big key learnings that we've learned in talking with our customers is that, you know, while manufacturing energy and similar industrial verticals are adopting IoT for the obvious reasons and value that it provides, the ability to secure these environments and these industrial control systems - you can't quite treat them the same as you do with your IT security strategy. You know, traditional IT security measures do not necessarily translate to the operational side or operational technology. I wouldn't say that they're necessarily lagging behind; I think instead we need to build out a stronger strategy to specifically address those OT-specific needs and adopt strategy to specifically start securing these environments and addressing the unique nuances that it brings.

Dave Bittner: [00:05:23] On the consumer side of the IoT, we hear of devices like security cameras or DVRs being herded into botnets and being used for things like distributed denial of service attacks, while still maintaining their original functionality. There's little incentive for either the consumer or the manufacturer to update the installed device.

Chris Poulin: [00:05:42] I think the Mirai botnet and WannaCry - you know, as the most recent example - they've proven that the insecurities at the consumer level can actually affect enterprises, and in fact, with Mirai, it can affect the internet infrastructure, you know, by going after some infrastructure provider. What that means is that you don't have any incentive on the consumer side, so you have to put regulation in place. And the regulation is going to be difficult to impose on the consumers themselves. So it actually, by necessity, is going to have to be imposed on the manufacturers.

Chris Poulin: [00:06:10] And in the case of Mirai, the way to deal with that is to actually go back to the consumers and - excuse me, to the makers and say, if you put hardcoded passwords - accounts and passwords in your product, then we're going to penalize you, and you have to conform to certain best practices, such as in order for this device to be installed and usable at a consumer's site, they have to set a password, and it has to conform to certain strength requirements, and it has to be updatable.

Katie Curtin: [00:06:42] Now that we are seeing more top headlines around various different cyberattacks, I do think that the general consumer space is getting a bit more aware. Granted, we still have a lot more work to do in that space, and I think we also need to kind of dumb down the language around cybersecurity so it's not deemed to be such a more complex topic and make it more consumer-friendly. But really, its consumer behavior will drive the types of devices or the types of products that OEMs should be building. And I think when we talk about kind of liability in the event of a breach, the various different pieces of the ecosystem - hopefully, we will see that changing where, you know, manufacturers could be taking on more ownership, or there will be standards or, you know, guidelines that certain individuals or companies would have to abide by.

Dave Bittner: [00:07:33] What do you think of this notion of there needing to be sort of an equivalent of Underwriters Laboratory for IoT?

Katie Curtin: [00:07:39] Definitely, I think, top of mind, and I've been hearing it in our circles quite frequently recently. I'd say it's a best practice when we're talking about a IoT or, really, broader to your cybersecurity posture, to have a third party, an unbiased third party, an outsider, to come and evaluate your environment and essentially provide a risk assessment or recommendation on how best to increase or improve your security. Now, we're talking about IoT, especially since that's such a nascent and new area, where a lot of customers are grappling with how to secure their IoT infrastructure or IoT networks and don't quite have a strategy in place. Adopting a UL-type of program, or you have, you know, outside consultants to assess where you are in that risk assessment, based on these newly connected devices into your environment - certainly a best practice and would recommend.

Chris Poulin: [00:08:29] Totally in favor. However, (laughter) it's an interesting conundrum, right? The UL is really good at dealing with hardware sides of things. So let's just take the toaster or refrigerator, which seem to be ubiquitous consumer-based IoT devices. When toaster from the UL, if it catches fire in normal operation, then the manufacturer can be held liable for that, you know, and the UL is - sets the guidelines and does the testing for those things. But then on the other hand, right? - so basically, the liability falls back on the makers, is what I'm saying. On the other hand, when you look at software nowadays, the end-user license agreement pretty much puts all the liability on the consumer. So when you start connecting toasters from a UL perspective, and then you have software, you basically are combining two different liability models, and who actually ends up being liable if the toaster catches fire because of a software flaw?

Chris Poulin: [00:09:19] And then looking at it from a sort of an orthogonal perspective, what if, because of the right to repair, a consumer decides that they're going to soup up their toaster, for whatever reason. Now, they modify the firmware and toaster catches catch on fire. Who's liable at that point? I agree that we should have some sort of UL type of certification, but I don't know how we're going to do that with software. I think there are ways to do it, but I also know that, having worked in the software industry for over 30 years, that we still don't write secure code, and there's no definitive way to say something - that something has a quantitative measure of security. So we've got to figure out how we're going to quantify what we consider to be code-level security, figure out the liability calculus, and once we do those things, if we can do those things, then we'll have a UL type of certification for products.

Dave Bittner: [00:10:10] Another emerging and rapidly evolving IoT sector is the automotive industry, with semi-autonomous cars on the roads today and projects well underway for fully autonomous vehicles, and many new cars these days are equipped with integrated mobile internet connections.

Chris Poulin: [00:10:25] Car manufacturers are quite concerned. I would say that there's pretty broad level of maturity or at least commitment to solving the cybersecurity problem. In other words, they're all committed to doing it; they understand. And interestingly - I don't know how much of the history you know - but back in 2010, the University of California, San Diego, and University of Washington put out a paper that basically profiled how you could hack into a car, and then they produced a second paper in 2011 showing how the external threat surface allowed you to hack into it from outside the car. And then those same researchers, three or four years later, sort of mimicked that same research by doing it, you know, sitting in the backseat of the car with a cable snaking across into the dashboard, and then, you know, a year and a half later, they manage to hack the jeep remotely across the airwaves.

Chris Poulin: [00:11:12] And so some automotive manufacturers are actually taking it absolutely seriously, and they've rearchitected their organization to provide security at all levels, and that's great. Some of them actually are concerned about it, but they're not spending a lot of money, and they have not yet realized that they need to have governance and guidance across the entire organization, instead of just within the car design and then separately in the backend systems, which accept the data and mediate the communications to and from the car. So we're seeing - I see a broad level, but they're all interested in it.

Chris Poulin: [00:11:45] But the one thing I will say that's kind of interesting about that is right now we haven't seen a sweeping motive for a threat after it actually attacked the cars. You know, and I personally believe that in most of the cases - aside from, you know, some extremists, which comprise probably a small, fairly small segment of risk - the motive is going to be largely financial and potentially nation-state. So the two use cases that I think are most likely are ransomware in a vehicle - you know, so stopping your car from starting - and demanding bitcoin over your entertainment system - you know, the screen in the car - before you can start your car.

Chris Poulin: [00:12:23] And then the second one is a nation-state potential motivation would be not to do anything harmful to the passenger. I don't think that, in general, cybercriminals are motivated to harm somebody; that's a ethical line that I don't think is going to be crossed anytime soon, at least not purposefully. But nation-states would want to break in and then listen to state secrets on government vehicles, for example, over the answering microphone. Those are the two of the more likely motives that I can see in the near future.

Dave Bittner: [00:12:55] Looking toward the horizon, both Chris Poulin and Katy Curtin are cautiously optimistic about the IoT; it's still relatively new and rapidly evolving.

Chris Poulin: [00:13:05] Cyber is one of those things that, when you make it just an economic incentive, then you're not doing the industry a service. And so I think, to a certain extent, we need to do two things. No. 1 - as researchers and people who are on the leading edges, go start working with these products. You know, so go buy a connected car; don't just be the fearful security person. Go get those things and start understanding how they work, and you know, if you've got a technical background, start working with them, you know. See if you can plug into the OBD2 port and leverage some other people's work and see what kind of things seem to be secure in your vehicle. So in other words, eat your own food, in a way, and then that will help to inform you as a security person, and then you can also share that with the research community and in the consumer product and in the enterprise product community.

Chris Poulin: [00:13:56] But No. 2 is also start doing something that is more of a crowdsourced way to help people. So one of the things that's sort of interesting to me is - you know, we talked about the consumer products and how Mirai botnet took advantage of the fact that consumers don't know how to protect their products. So one of the ways we might be able to do it, to help out with consumers, is go find these products that are insecure. So if people have web cameras that are insecure - they have default passwords on them - and then work with law enforcement because, technically, we don't have the ability to, you know, go in - even if I know what the password is for somebody's webcam, and I know that it's insecure, it's beyond my legal rights to actually log in and change their password and send them an email saying, hey, I just helped you. That's not kosher; don't do that. So work with law enforcement to find out a way and say, look - we found that there's this systemic problem with a webcam, or we found a problem with a energy and utility; there's been some generator that's exposed online.

Chris Poulin: [00:14:57] So work and actually go out and find these things that are insecure, find the right people and notify them. It's sort of what researchers are doing now, you know, except that they're breaking into - or they're reverse engineering firmware in vehicles and things like that. I'm not saying go do that because not everybody has that skill set, but a lot of - there are a lot of us out there that can actually determine when something is exposed when it shouldn't be. And so take the time to actually find out how to notify someone in authority - who has the authority to help to make that thing more secure. And that's just one example, by the way. Find out what your own project is, and then try to help other people without demanding payment for it.

Katie Curtin: [00:15:38] Now, I think it first starts with awareness and continuing to highlight the risks and issues that these IoT applications and infrastructures could potentially cause. You know, we hear it more often than not that security is that afterthought and oftentimes adopted or considered only when a - you know, another company in it was in the same vertical or their competitor was in the same vertical - got hacked, then they start thinking about it. We really need to stop that type of thinking and ensure that security is built within the design phase and folks are more aware as they're adopting IoT practices to ask those security questions; you know, ensure that you're purchasing the right type of application or device from a trusted or well-known device manufacturer, but you're asking those questions right at the forefront.

Katie Curtin: [00:16:25] But outside of that, I think the technology needs to emerge. When we talk about IoT and kind of the nuances that IoT brings, especially around the device itself, it's kind of the wild, Wild West. And when we talk about the various types of devices that are now in the ecosystem and the lack of standards that we really have - so the technology needs to emerge where we can get to a widely adopted standard when we're talking about IoT protocols or IoT clients on the device itself because a lot of these devices, the IoT devices, may not be as robust as a smartphone device where you can run robust security software. Being able to apply the right technology and the right security controls to those types of devices, whether it be through known, standard protocols or bringing those protections into the network, we really need to bring that technology so it is more readily accessible for the wide, vast number of devices and device types that are now within the IoT ecosystem.

Dave Bittner: [00:17:23] That's Katie Curtin from AT&T and Chris Poulin from Booz Allen Hamilton. In the second part of our program, we take a look at third-party risk. The Ponemon Institute recently released an independent research report, titled, "The Internet of Things

Gary Roboff: [00:17:55] Third-party risk is a term that really applies to companies who outsource specific activities to vendors or third parties. And when a company outsources a given activity, it actually can outsource the activity but it can't outsource the management or the responsibility for controlling that risk. And that's the heart of the issue. So if, for example, I'm a company and I have a certain security hygiene standard, it's incumbent on me to make sure that, if I've outsourced that particular activity to another entity, that that company is meeting the same level of security hygiene that would be in place if I had been doing the activity myself.

Larry Ponemon: [00:18:44] What we found is that, in general, our respondents - 553 qualified respondents to the survey - in general identified IoT risk as something that is very significant for their organizations.

Dave Bittner: [00:18:57] That's Dr. Larry Ponemon.

Larry Ponemon: [00:18:59] At the same time, they recognize the need to innovate in IoT. You know, in other words, IoT's not necessarily a bad thing. It actually accomplishes all sorts of good things for society, and it can be very profitable for companies. So it wasn't about stopping the IoT train, freight train. It was about, how do you make it more secure? So even though there was a high level of awareness about IoT as a potential risk area, organizations were doing very little to manage that risk. You know, one of the surprising findings is that the majority of respondents believe that IoT was not on the radar screen of C-level executives - you know, the people who drive the organization - weren't necessarily understanding or seeing IoT risk as something that could be potentially very serious.

Gary Roboff: [00:19:47] When we asked whether the board of directors requires assurances that IoT risk among third parties is even being assessed, only 25 percent of the respondents said, yes, my board wants those assurances. So that's a very important finding.

Dave Bittner: [00:20:05] Yeah. I mean, I would say that's a bit of a sobering finding. I mean, what do you think is behind this disconnect between what I think many people, certainly on the IT side, are recognizing as an important risk and the boardroom maybe not being up to speed on realizing it?

Larry Ponemon: [00:20:22] What we found - and not only in this study but, you know, other Ponemon studies, is boards of directors and C-level executives are being held responsible by regulators and the public at large for ensuring that information or IT infrastructure is maintained at a high level of security. In reality, a lot of boards and C-level executives do not see security as a strategic issue. They see it as tactical, and therefore they push responsibility down in the organization. And so what we see is this schism where you have security experts, and IT operations folks and all sorts of good people fighting fires and dealing with problems. But the issues are not necessarily elevated to the C-level or to members of the board.

Larry Ponemon: [00:21:10] Occasionally, when there's a disaster - I'm sure, for example, the Target board of directors, they were informed. You know, but it was probably after the fact. So these are long-lasting problems. And it is incumbent on organizations to build a culture for security so that information about security risks, security vulnerability, threats and so forth are known to the board and to the CEO and other C-level executives.

Gary Roboff: [00:21:38] One of the issues on boards, generally, is that often there is not a level of security expertise, which is being increasingly demanded at least by regulators in the financial services industry. You've seen a number of large boards actually go hire individuals to serve on the board, usually on risk committees, that have a degree of dedicated expertise in emerging risk issues. That's a very important trend. A lot of that is a function of what the tone at the top is like at the board level, how good a job the board has done in structuring a risk-management regime that enables two-way communication.

Gary Roboff: [00:22:26] So not only does the board want to be setting the tone for the types of expectations that it has about compliance and ethical behavior and really conveying the risk appetite that any board will develop over time - that certainly needs to be diffused throughout the organization. On the other hand, the - you know, all levels of the organization have to have a clear communications channel up to the board, and the board has to listen. There has to be a structure in place to enable that conversation to take place, and we're gradually beginning to see, I think, some progress in those areas.

Larry Ponemon: [00:23:10] So one of the questions we ask - we use a likelihood scale. You know, how likely will this scenario occur? And we asked our respondent to kind of think two years ahead - what is the likelihood? And we've got this one result that was just amazing. The likelihood that a security incident related to unsecured IoT devices or applications could be catastrophic to the company - 94% believe that to be so.

Larry Ponemon: [00:23:35] Here's another striking result. The loss or theft of data caused by unsecured IoT devices or applications - 78% believed that that was likely over the next two years. And finally, a cyberattack caused by unsecured IoT devices or applications - other words, we left a hole in our chain. Our chain of trust, I should say, wasn't working very well. And that was - 76% believe that to be likely. So, you know, again, our respondents believed that this is a problem, and it will probably get worse over the next two years, even though we're really not doing a lot right now to create that secure infrastructure.

Gary Roboff: [00:24:14] If you believe what security people inside of organizations say, they really recognize that there is a huge security hole. You know, you can also say that's a very positive outcome. I think what you have to then look at are other things that have come out of the survey - things like, is managing third-party IoT risk a priority in your organization? Only 30% said yes, right? And then, does your organization allocate specific resources to managing IoT third-party risks? Only 27% said yes. So you have that gap between - at the moment - the recognition and sort of the - you're getting a sense of the culture within organizations. And what you hope and expect is that that gap will begin to shrink pretty quickly.

Dave Bittner: [00:25:13] In terms of the regulatory framework, do we see - what is the influence that we're going to see from there? In other words, you know, buildings were required to have fire escapes, and that helped a lot more people survive fires. Do we think we're going to be in a situation where we're going to see more regulations to ensure that some of these vulnerabilities are taken care of?

Gary Roboff: [00:25:37] My thinking is twofold. First, you know, in some sectors, such as financial services, there's already high-level guidance that actually incorporates, in a broad way, the internet of things. I'm not sure that boards have recognized that yet, but they will, and regulators will enforce it. You can see an environment where there are many different types of attacks that cause different sectors - we've talked about the medical sector. We've talked about the automobile industry. Anything that is connected where you have the ability to cause a headline that involves serious consequences to a large number of individuals or even, in some cases, a small number of individuals is likely to involve some type of standardized approach to solve the problem. In some places, that's definitely going to be a regulatory intervention.

Gary Roboff: [00:26:44] It's really essential to include third-party IoT risk in all levels of governance, right? So we see that that is missing as a priority at the board level. We see that resources are not being allocated properly to address IoT risks today. So No. 1 recommendation is, there has to be recognition of the problem that's got to be incorporated into enterprise risk management systems and processes that exist already. The board has to understand fully what the consequences of IoT attacks might be for their firm.

Gary Roboff: [00:27:27] Recommendation No. 2 is that asset management processes and inventory systems really must include IoT devices. And more than just a simple inventory, it's essential that firms understand the security characteristics of every IoT device that's both within their four walls and, ideally, within the four walls of their vendors if those vendors support critical activities that can cause serious consequences for the firm that has done the outsourcing. And when devices are found to have an adequate security controls, they need to be replaced, and they should be replaced quickly. You want to make sure that your third-party assessment techniques and the processes around those techniques are really adequate to ensure the presence and effectiveness of controls around IoT devices - very basic.

Larry Ponemon: [00:28:28] So IoT today, it's about technology that allows us to do all sorts of really great things. There will continue to be innovation in the IoT ecosystem, but the idea is that there's no reason why we don't build security in as part of the innovation process. In other words, you know, it's not an either-or, but it's both. There's no reason why we can't start to see organizations in the early phase and when - during the engineering phase of the product development life cycle starting to think about how to secure those devices. I think regulations will play an important role, but I think it's going to be incumbent upon organizations even from a profitability point of view to make sure that they're starting to build security into these devices at a very early phase in the development life cycle. We're starting to see that in the medical device area. But we don't see that in, you know, other IoT devices like your refrigerator or microwave or television set.

Gary Roboff: [00:29:21] Or your car, really.

Larry Ponemon: [00:29:23] Or your car. Yeah, exactly.

Dave Bittner: [00:29:25] Yeah. Gary, I'm curious, you know, in - when it comes to quantifying the risk from IoT devices, you know, again, using the analogy of fire prevention, you know, I can - when I'm thinking about fire for the building that I own, I can install sprinklers, and I can also buy insurance. And those are two different approaches to dealing with the possibility of having a fire. In something that's rapidly evolving the way it is and also is as new as it is, how do you go about helping organizations determine how best to invest their money in that spectrum of possible ways to deal with these sorts of risks?

Gary Roboff: [00:30:05] You know, it's very - first of all, it's very important to collaborate. You want to be able to collaborate with peers, with associations. You want to socialize approaches in ways that will give you insights that you might not necessarily see within your own four walls. I can't stress how important it is to collaborate with industry experts, with associations, even with regulators. That can be a very important way to even begin to think about how you address some of the concerns.

Gary Roboff: [00:30:43] There are concerns that come from outside and about which you might have little ability to stop, and an example of that is a distributed denial-of-service attack. You're going to have no effective say about whether a - an attempt of a denial-of-service attack happens on your company, but you will have something to say about how effective it can be. We've already seen distributed denial-of-service attacks that come from IoT devices. Firms ought to be taking steps to prevent the consequences of those attacks from having a material impact on their ongoing operations. There are steps that you can take as a corporation or as any organization to help prepare yourself, both from the perspective of what happens within your own four walls and what happens with the vendors that you use, to help you complete processes that are essential.

Gary Roboff: [00:31:51] We've talked about some of those. It's about inventory control. It's about making sure that you have effective controls all over all of your IoT devices. That's sort of IoT risk management 101. And to the extent that you can follow through with even some very basic steps, you have the ability to at least partially mitigate the consequences of IoT issues in your own environment.

Larry Ponemon: [00:32:26] We think that this research is important because it, you know, starts to establish a risk management perspective, the need to, you know, think broadly about IoT devices in different forms, you know, will impact the organization. And I think this shows that we have a lot of work to do to improve the state of security and security posture, you know, with respect to IoT. But it's a starting point. And as Gary mentioned, there's also some lessons that - basic steps that organizations can take immediately that will not drive costs up - cost too much, anyway, like policies and procedures and training and creating awareness. Creating a governance process and the culture for security, I think, will go a long way to reducing, you know, some of these more salient IoT risks that we discussed.

Dave Bittner: [00:33:16] And that's our CyberWire Special Edition. Our thanks to Dr. Larry Ponemon, Gary Roboff, Katie Curtin and Chris Poulin for joining us.

Dave Bittner: [00:33:23] And thanks to Cylance for sponsoring the show. To find out how Cylance can help protect your data using artificial intelligence, visit cylance.com.

Dave Bittner: [00:33:32] If you enjoyed this program, we hope you'll share it with your friends and colleagues and will subscribe to our podcast and leave a review on iTunes. It really does help people find our show.

Dave Bittner: [00:33:40] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.