[Posted on Behalf of Steve King, Director, Cybersecurity Advisory Services Information Security Media Group (ISMG) ]
Many cybersecurity analysts have warned of the rapidly emerging threat from an expanded IoT space. And as you have noticed, it appears we are not only failing to improve our cybersecurity defenses, but recent data suggests we are falling even further behind while the bad guys are running ahead.
We know that cybercrime is expected to hit $6 trillion by 2021 and cybersecurity spending will grow to $1 trillion by that same date. Gartner says that unfilled cybersecurity jobs will triple to 3.5 million by then and according to Cybersecurity Ventures, the global costs of ransomware alone will reach $20 billion by next year, a doubling from the $11.5 billion in 2019.
At the same time, venture capital investment in security startups in the first two months of this year is down from years past. The downward trend started gaining steam in 2019 and continued into the beginning of 2020, even before the COVID-19 pandemic sent the economy into a freefall.
In addition, VC firms have increased investing in late-stage opportunities and are doubling down on a very few cybersecurity plays that have been around a while by aggressively participating in follow-on rounds in companies with the potential to lead their markets. These are understandable “cover your bets” plays and necessary to assure market dominance.
But without ongoing support from the VC community, it will be harder to create advanced technology solutions that address machine-to-machine attack vectors and quantum-computing based malware.
With the COVID-19 pandemic driving rapid adoption of WFH protocols and a brand new borderless point of presence threat landscape emerging over which we have very little control, we are taxing existing CISO resources and skills beyond our capacity. Authentication has made some progress, but proofing identity still has a long way to go. We still have no idea who it is that logged on to our network last night at 8:30. It would be absurd to lay blame for a breach under these circumstances at the feet of your incumbent CISO who is peddling as fast as she can just to stay in place.
Adding to this load is a swarm of new IoT vulnerabilities as we have increased the adoption of connected devices that have been added to our networks. In spite of growing regulatory attempts to assure security from the start, very few of the companies who build these critical infrastructure SCADA devices, upon which our energy, communication, military defense and transportation infrastructure depend, are focused on cybersecurity.
A 2020 Business Insider Intelligence research report predicts there will be more than 41 billion Internet of Things (IoT) devices by 2027, an increase of more than 500% in less than a decade. Network monitoring is the typical method for attempting to detect threats surrounding network-attached devices and many mid to large-sized businesses have implemented some form of cybersecurity protection, defense and response initiatives around their IT operations.
On the OT side, not so much. Current threat monitoring and discovery tools are simply inadequate to detect exploits operating across industrial and IoT devices. And conventional asset discovery and tracking techniques on the information asset side (which most businesses don’t use anyway) are not engineered to detect most IoT and IIoT devices so as a result, they do not show up in asset inventories.
The old InfoSec adage about the inability to protect what you don’t know you have, applies here in earnest.
Even the smartest of today’s network monitoring and discovery systems built on behavioral analytics and autonomous response are not designed to detect these characteristics on IoT and IIoT classes of devices. If we can’t detect changes to theses controller code sets, firmware and device configurations, it is impossible to prevent OT network infections.
Most IoT and IIoT devices are inherently insecure because they were built without internal defensive mechanisms or native capabilities to repel attacks. In particular, consumer-oriented IoT devices like smart watches and fitness trackers are typically built with low cost, ease of use and convenience as priorities over security. The almost instant migration to WFH has invited millions of digital home assistants, TV set-top boxes, IP cameras, smart-home devices, smart TVs, smart watches, and even automotive multimedia systems onto our enterprise networks.
Zscaler just released a study that found in an analysis of over one billion IoT traffic transactions a month in 2020, 83% were transmitting over plain text channels, with just 17% using secure SSL channels.
And this was before COVID-19 hit.
Devices using plain text to transfer traffic leaves the data open to interception through conventional traffic sniffing, eavesdropping, man-in-the-middle attacks and other simple exploits. It doesn’t take AI-enabled or exotic zero-day attack vectors to gain access to plain text transmissions. It only requires 2016-era technology and an elementary school script-kiddie.
While many websites have stopped sending traffic in plain text, four in five IoT devices still transfer data this way, and since we have no reliable inventory of connected assets whose presence is expanding continuously, we have a long way to go before we can be assured our networks are secure.
Commercial or industrial IoT devices lack inherent security because manufacturers considered they would be “secured through obscurity” and not exposed to threats on the Internet or private networks.
Since IoT manufacturers operate without the benefit of adopted security standards, easily enforced regulation or even any serious industry oversight, it is up to manufacturers to lead with a new mindset on security. If they begin protecting their devices from the inside (as opposed to building a security perimeter around them), they will be able to remove most of the obvious threats without affecting normal device operation.
This mindset translates to the notion that security is given a high priority throughout a device’s lifecycle, assuring that requisite cybersecurity defenses are built into devices from the start. They need to ship without vulnerabilities, be engineered for attack resistance, designed to accommodate critical updates, and be easily monitored for indicators of software failures or vulnerability exploits.
It also requires an abandonment of the notion that lowest cost is a market requirement. If we can stop manufacturing products in China over national security concerns and accept higher pricing for home-grown consumables, surely we can do the same thing with connected devices.
Innovative technology solutions are also required but very few companies today are emerging with viable diagnostic products that can efficiently be deployed across wide networks of disparate devices. We know of only one.
Without rapid adoption by IoT and IIoT manufacturers and without innovative firmware reengineering and analysis automation, the expansion of the global attack surface will surpass our ability to defend against adversarial threats not just to our corporate networks for fraud and criminal abuse but against our critical infrastructure as well.
Imagine a world in the grips of the COVID-19 pandemic operating in the dark without electricity, water, gas, heat, cooling, food, and communication or Internet connections.
Of course, we also failed to imagine a world in the grips of a global pandemic as well.
Comments