Why IoT security should be top of your list

null
(Image credit: Pixabay)

What are some of the most pressing threats businesses are facing today?

The biggest cybersecurity threats facing businesses today are phishing and business email compromise attacks, while ransomware continues to remain a concern.

Conventional awareness and training programs are partially effective, meaning novel measures will be required to significantly curtail both phishing and business email compromise attacks in the long run. For ransomware, effective patching remains the best defence.  

How can organisations embrace the opportunities of the IoT without putting themselves at risk of attack?

Firstly, organisations can reduce their vulnerability in IoT and Industrial IoT (IIoT) by defining a perimeter surrounding the Operational Technology (OT) environment. This can be achieved by implementing strict constraints on what traffic can enter and exit the facility. This edge can be as broad as an entire production facility or as narrow as a single IoT-enabled branch office.

Second, organisations should look to segment the network within the OT environment, which can interrupt the spread of malicious code and traffic.

Finally, firms need to isolate and secure the company’s critical assets within the OT environment. For instance, organisations can disallow updates on key servers, whitelist processes which can run, and also disable services not necessary for the specific device’s function – these efforts combined should ensure the safety of the IoT opportunity.

What is Trend Micro doing to ensure its customers remain secure in the face of IoT threats?

Trend Micro has a set of offerings to permit both device protection and segmentation, and ensure organisations are able to combat IoT threats. These include next-generation firewall technologies, intrusion prevention and detection capabilities, SDKs for on-device protection, and OT protocol analysis through our TXOne joint venture with Moxa.  

(Image credit: Pixabay)

(Image credit: Pixabay)

Who ultimately should bear responsibility for IoT security? We've seen the UK government this week announce plans for a minimum security standard for IoT products - but should customers and security vendors also shoulder some of the responsibility?

Product manufacturers must assume liability for services, including security patching throughout the life of the device. In cases where a device manufacturer abandons a product line, some form of owner maintenance, such as the “right to repair,” should be available.

It’s worth noting that if a device is sealed with no user interface, it is impossible for a user to accept any responsibility for a defective piece of technology.

In the face of growing threats, how can Industry 4.0 ensure it stays protected from threats?

Without doubt, regulation will establish a baseline, but specific industry segments will often require more than baseline security capabilities, just as critical industrial processes have more stringent performance requirements for key sensor and PLC technologies.  

Ultimately it will be on the manufacturers to provide adequate cyber security, just as it is with them to provide baseline safety and operational resilience. Organisations exploring Industry 4.0 will have to include their specific security requirements in their Request for Proposal (RFP) or Request for Quote (RFQ) process, which will inform and incentivise manufacturers to provide adequate security capabilities.

What changes need to be made to the IoT security landscape to ensure the technology can be used to help benefit as many organisations as possible?

Conformance to Cybersecurity Certificate Programs such as IEC 62443 would be a good start, particularly for manufacturers of Industrial Control Systems (ICS) as well as for the organisations deploying it. Standards like the ISA’s IEC 62443 establishes a baseline set of controls for ICS, paralleling ISO 27001.

It’s crucial that manufacturers design not only tools, but systems as well to help minimise data gathering for privacy purposes and to maximise security capabilities. This would improve authentication and authorisation issues, data confidentiality, data integrity, and non-repudiation. This set of capabilities is actually included in ISO 7498-2, which provides a general description of security services and related mechanisms.

Bill Malik is VP of Infrastructure Strategies, Trend Micro