[BreachExchange] How the Rise of IoT Is Changing the CISO Role

Destry Winant destry at riskbasedsecurity.com
Thu Mar 12 10:18:46 EDT 2020


https://www.darkreading.com/risk/how-the-rise-of-iot-is-changing-the-ciso-role/a/d-id/1337231

Prepare for the future by adopting a risk-based approach. Following
these five steps can help.

The role of the CISO is rapidly changing to include managing safety
risks and protecting sensitive information, according to a recent
Gartner report. This shift is being driven by the deployment of
cyber-physical systems (CPS) such as Internet of Things (IoT) devices
used in building management systems and healthcare facilities, as well
as operational technology (OT) devices used in manufacturing plants,
oil and gas facilities, energy and water utilities, transportation,
mining, and other critical industrial infrastructure.

Because CPSs encompass both the digital and physical worlds, they are
prime targets for adversaries seeking to cause major safety and
environmental incidents and/or operational disruption. Examples
include the TRITON attack on safety systems in a petrochemical
facility, the Ukrainian grid attacks, NotPetya, and the Norsk Hydro
ransomware attacks.

In addition, last August Microsoft reported that it observed a Russian
state-sponsored threat group using IoT smart devices as entry points
into corporate networks, from which they attempted to elevate
privileges to launch further attacks. More recently, we've also seen
attackers compromising IoT building access control systems to pivot
deeper into corporate networks.

Industry analysts estimate that some 50 billion IoT devices will soon
be deployed worldwide, dramatically increasing the attack surface.
Because these embedded devices can't be protected by agent-based
technologies — and are often unpatched or misconfigured — CISOs need
new strategies to mitigate IoT security risk. Otherwise, it's not hard
to imagine that regulators and corporate liability lawyers will soon
hold C-level executives negligent — and even personally liable — for
failing to implement safety-related security controls.

Five Steps Toward Mitigating CPS and IoT Risk
Idaho National Labs (INL) has developed a methodology for addressing
CPS and IoT/OT risk called consequence-driven cyber-informed
engineering (CCE). Based on this INL approach, here are five steps
that all organizations should consider prioritizing in the near
future:

- Identify crown jewel processes: You can't protect everything all the
time, but you can protect the most important things most of the time.
Therefore, ruthless prioritization of the functions whose failure
would result in major safety or environmental incidents, or
operational disruption, is key. Through conversations with business
owners, infrastructure managers, and OT personnel, identify the things
you most need to protect upfront.

- Map the digital terrain: Identify and categorize all connected
assets in the organization, regardless of whether they're considered
IT, IoT, building management systems (BMS), OT, or smart personal
devices, such as Alexa and gaming systems. This includes understanding
how information moves through your network and who touches the
equipment, including third-party vendors and maintenance contractors
with remote access connections.

- Illuminate the most likely attack paths: Analyze risks and
vulnerabilities in your network to determine the most likely attack
vectors to your crown jewel assets and processes. This can be done
using automated threat modeling as well as by using red-team exercises
to identify other entry points, such as social engineering and
physical access to your facilities.

- Mitigate and protect: Once you have an idea of the most likely
attack paths, develop a prioritized approach for mitigating risk. This
can include steps such as reducing the number of Internet-accessible
entry points, using zero-trust micro-segmentation policies to
segregate IoT and OT devices from other networks, and patching
critical vulnerabilities that are present in the most likely attack
paths. Ongoing compensating controls are primarily around leveraging
continuous network security monitoring and agentless security to
immediately identify suspicious or unauthorized behavior — such as a
CCTV camera browsing Active Directory.

- Remove silos between IT, OT, IoT, and CPS: As the CISO, securing the
enterprise means being accountable for all digital security — whether
it's IT, OT, IoT, or CPS. Creating unified security monitoring and
governance requires a holistic approach to people, processes, and
technology. Technical aspects include forwarding all IoT/OT security
alerts to the security operations center and leveraging existing
security information and event management (SIEM), security
orchestration automation and response (SOAR), and prevention
mechanisms (firewalls and network access control systems) to rapidly
respond to IoT/OT incidents, such as rapidly quarantining devices that
have been detected as sources of malicious traffic.
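The detection the "Mitigate and protect" step describes, a CCTV camera browsing Active Directory, is in practice a correlation between network flows and the asset inventory built in the "Map the digital terrain" step: once every connected device carries a class (IT, IoT, BMS, OT), a flow from an embedded device to a domain controller on an AD service port is an anomaly regardless of what the device is doing at the application layer, and a flow from a host that is not in the inventory at all is an inventory gap. The Python script below is an added example written for this post, not code from the article, Gartner or INL; the inventory, the asset classes, the AD port list and the flow records are all constructed, and the quarantine list it produces stands in for the SIEM/SOAR hand-off the last step mentions.

```python
"""Asset-class-aware detection of IoT/OT devices reaching Active Directory.

Added example. Every inventory entry, port list and flow record here is
constructed for illustration; plug in your own CMDB export and NetFlow/
Zeek conn records in place of INVENTORY and SAMPLE_FLOWS.
"""
from collections import namedtuple

# Constructed asset inventory, the output of "map the digital terrain".
# Classes: "it", "dc" (domain controller), "iot", "bms", "ot".
INVENTORY = {
    "10.0.1.10": ("dc01", "dc"),
    "10.0.1.11": ("dc02", "dc"),
    "10.0.5.23": ("ws-finance-07", "it"),
    "10.0.9.41": ("cctv-lobby-03", "iot"),
    "10.0.9.42": ("hvac-ctrl-02", "bms"),
    "10.0.12.7": ("plc-line-1", "ot"),
}

# Active Directory service ports. Kerberos (88) is reached over TCP or UDP,
# so the rule deliberately ignores the transport protocol.
AD_PORTS = {88: "kerberos", 135: "msrpc", 389: "ldap", 445: "smb",
            636: "ldaps", 3268: "gc"}

# Device classes that should be segmented away from the AD estate entirely.
EMBEDDED_CLASSES = {"iot", "bms", "ot"}

Flow = namedtuple("Flow", "ts src dst dport proto")
Alert = namedtuple("Alert", "ts severity src_ip src_name dst_name service reason")

# Constructed flow records: "timestamp src dst dport proto", one per line.
SAMPLE_FLOWS = """\
2020-03-12T10:01:02Z 10.0.5.23 10.0.1.10 389 tcp
2020-03-12T10:01:05Z 10.0.9.41 10.0.1.10 389 tcp
2020-03-12T10:01:06Z 10.0.9.41 10.0.1.10 445 tcp
2020-03-12T10:01:09Z 10.0.9.42 10.0.9.41 80 tcp
2020-03-12T10:01:12Z 10.0.12.7 10.0.1.11 88 udp
2020-03-12T10:01:15Z 10.0.77.5 10.0.1.10 636 tcp
"""


def load_flows(text):
    """Parse the whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def lookup(ip):
    """Return (name, class) for an IP; hosts missing from the inventory are 'unknown'."""
    return INVENTORY.get(ip, (ip, "unknown"))


def detect_unauthorized_ad_access(flows):
    """Flag AD-port flows to a domain controller from embedded or unknown sources.

    Embedded device -> DC is severity "high" (segmentation failure or a
    compromised device); unknown host -> DC is "medium" (inventory gap that
    the terrain map has to close before the rule can judge it).
    """
    alerts = []
    for f in flows:
        src_name, src_cls = lookup(f.src)
        dst_name, dst_cls = lookup(f.dst)
        if dst_cls != "dc" or f.dport not in AD_PORTS:
            continue
        service = AD_PORTS[f.dport]
        if src_cls in EMBEDDED_CLASSES:
            alerts.append(Alert(f.ts, "high", f.src, src_name, dst_name, service,
                                f"{src_cls} device contacted domain controller"))
        elif src_cls == "unknown":
            alerts.append(Alert(f.ts, "medium", f.src, src_name, dst_name, service,
                                "host not in asset inventory contacted domain controller"))
    return alerts


def quarantine_candidates(alerts):
    """Source IPs behind high-severity alerts, i.e. what a SOAR playbook would
    hand to NAC or the firewall for isolation. Sorted so output is stable."""
    return sorted({a.src_ip for a in alerts if a.severity == "high"})


if __name__ == "__main__":
    found = detect_unauthorized_ad_access(load_flows(SAMPLE_FLOWS))
    for a in found:
        print(f"{a.ts} [{a.severity}] {a.src_name} ({a.src_ip}) -> {a.dst_name} "
              f"{a.service}: {a.reason}")
    print("quarantine:", quarantine_candidates(found))
```

Against the constructed flows the finance workstation's LDAP lookup passes, the camera's LDAP and SMB connections and the PLC's Kerberos request are flagged high, and the unlisted 10.0.77.5 is flagged medium as an inventory gap rather than silently allowed; the camera and the PLC end up on the quarantine list.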

Proactively Preparing for the Future
Today's adversaries — ranging from nation-states to cybercriminals and
hacktivists — are motivated, determined, and highly capable of causing
disruption and destruction.

Industry experts agree that determined attackers will eventually find
a way into your network, so a better strategy is to deploy monitoring
to spot them in the early reconnaissance stages of the kill chain in
order to mitigate attacks before they can cause any significant
damage. In the TRITON attack on the safety controllers in a
petrochemical facility, for example, the adversaries were inside the
network for several years before being discovered due to a bug in
their malware that inadvertently shut down the plant for a week.

It is imperative for boards and management teams to recognize the new
safety and security risks posed by IoT and CPS systems — and
proactively prepare for them using a risk-based approach.
