Securing your supply chain is as important as securing your devices
The Ponemon Institute published its annual report on third-party IoT risks in May, 2019. The report focused on identifying what companies do not know — or understand — about the risks inherent to IoT devices and applications, particularly when used by third parties. The report drives home the fact that, although integrators and end users understand that it is important to protect connected devices, many do not understand the full landscape of threats that these devices face.
Concerningly, the Ponemon report indicates that the percentage of organizations that have suffered a data breach, specifically because of unsecured IoT devices or applications, has risen from 15% to 26% in the past three years alone; a number that Ponemon points out is likely low due to the unfortunate reality that it is often difficult to recognize when a breach has occurred.
Perhaps more importantly, the report also notes that the percentage of companies experiencing data breaches caused by unsecured IoT devices or applications belonging to third parties has risen from 14% to 18% since 2018, and cyberattacks caused by those devices have risen from 18% to 23&. These numbers underscore the fact that even the most secure network can be compromised by failing to properly vet third-party suppliers, and securing your supply chain is often as critical as securing your devices.
Built-in security is key, but it isn’t enough
Understandably, when it comes to keeping IoT devices secure, responsibility often falls on the manufacturer. Smart — and conscientious — manufacturers have a vested interest in ensuring that their devices have strong and effective security capabilities. This is truer than ever now that national and international regulations such as GDPR have taken effect, and even been supplemented by additional regulations incorporating language that mandates information security by design and default.
Both individuals and organizations are increasingly asserting their right to expect a basic level of security when they purchase and use a device. Other groups, like the National Institute for Standards and Technology, have issued their own recommendations for creating a core baseline for securing connected devices.
The concept of by design and default means that manufacturers must make good on many individual’s expectations of built-in security; but it’s important to understand what security really means. Including built-in security measures doesn’t make a device impenetrable, nor does it ensure that users or integrators will understand how to best make use of those measures.
Measures such as creating unique default passwords for each new device can prevent certain malware infections like the Mirai Botnet and its many offshoots from taking control of massive numbers of devices at once. But it can’t prevent an integrator from creating an inadvertent backdoor into the system, nor can it stop an employee from leaving their new credentials lying around where they can be easily viewed or stolen.
Research has shown that 90% of data breaches are can be tied to largely avoidable problems including human error, poor configurations and poor maintenance practices, according to Axis Communications. While end users naturally want to know what manufacturers are doing to build security into a product on the software side, the truth is that built-in security can only do so much.
Ensuring that the knowledge is there to prevent configuration and maintenance errors is equally important. This further underscores why securing the other levels of the supply chain is a critical aspect of IoT security.
Education is key for manufacturers, integrators and end users
When bringing IoT products into a network, the integrator must work closely with the information security team to ensure clear communication of the control set for the network, the framework upon which it is built and more. The communication must happen before the installation even begins, so that the integrator understands how to approach the project in the best possible way. This means end users must understand the products they are purchasing and how they fit into the wider network.
Although manufacturers understand the benefits of built-in security controls, if an integrator or contractor doesn’t line up a network’s controls with its access users, then it doesn’t matter how securely built the products are. Even if the manufacturer has done threat modeling by having a secure software group come in to determine potential attack methods on a given product, information must be effectively conveyed to the integrator so that they can install the product using the most effective security framework. Even a minor communication disconnect between a manufacturer and an integrator can cause major problems in this manner.
Manufacturers can help improve overall security by taking steps to ensure that encrypted connections are established from the start. Many manufacturers are turning to features like Secure Boot, which only allows a device to boot using software that is trusted by the Original Equipment Manufacturer; preventing hackers or other cyber criminals from installing unknown programs onto a device. These measures are not enough on their own, but taken in conjunction with improving integrators’ and end users’ knowledge and understanding of product security, they represent an important piece of the puzzle.
Establishing trust is critical, but that trust must be earned
Vendor and manufacturer vetting are a part of the new trust dimension. Whether or not a manufacturer’s products can provide a solution and meet the technical requirements to solve a given problem are no longer the only concerns for end users.
Today’s businesses want to know the cybersecurity approach taken by the manufacturer before they purchase a given product. Today’s manufacturers have an obligation to educate their integrators to ensure that those products are being deployed in the most effective way. Conveying that to end users is important, and establishing trust in the marketplace is a multi-step process.
Transparency is key. In any industry, organizations that are open and honest will naturally foster greater trust. Similarly, demonstrating good processes and practices when it comes to securing customer data can also go a long way; particularly as data breaches make the headlines with increasing frequency.
Even though most applications on IoT devices don’t contain much Personally Identifiable Information (PII) of the type covered by GDPR, compromised devices can be used as a jumping off point for privilege escalation and cross-breach to the IT network. This is where PII and other data can be easily obtained. End users want to know they can trust a product to secure data effectively, and manufacturers with a reputation for using features like Secure Boot can help provide that confidence.
It is important to strengthen the ties between manufacturers, integrators and end users to create new avenues for communication, and ensuring that a proper level of knowledge of both the products in use and the needs of the customer is established for all parties involved.
Education is critical, and everyone must be willing to take the steps needed to build a more secure and knowledgeable future. For many, this means supply chain mapping to detail every touch point of all material, processes and shipments. As IoT devices continue to become more commonplace across a wide range of industries, securing the supply chain will only become more important.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda