Crushing the Internet of Threats: Mitre Att&ck to the Rescue (Cyber Trends 2024)

Dr. C. Wolf Nordlinger
4 min read · Apr 19, 2023


Despite its many blessings, let’s call IoT what it is: The Internet of Threats.

Most of the current 15M IoT devices are completely open to cyber criminals because they constitute a greatly expanded and largely unprotected attack surface.

According to McKinsey, almost 50 percent of CXOs with IoT investments admit they have been attacked (of those who even know!). More than 25 percent of those attacked estimate that they had high or severe damage. Yet the bottom line is that doing IoT at scale is such a strategic imperative that these attacks do not slow IoT implementation.

Yes, believe it or not, companies are investing seriously in everything cybersecurity, from vulnerability management software to cloud security. However, securing the network is still a huge problem, and it doesn’t seem to curtail strategic IoT investments.

Historical Retrospective: The Problem

Let’s look at how we got here so we might arrive at a solution.

Industrial Control Systems (ICS) environments in the past were not connected to the Internet. For example, a beer-producing plant that is automated to produce millions of bottles of beer (brew, ferment, clean the bottles, label and fill them) through Operational Technology (OT) was not Information Technology (IT) enabled. Instead, these plants were isolated islands that did not have IP connectivity. Now that IT and OT are merging in strategic IoT investments, we have to admit we’ve brought the risks from the IT environment into the OT/ICS environment.

Making that challenge even more difficult are classical OT people who work on industrial solutions but have no IT or even IP knowledge. In the IoT world of connected devices we are asking OT professionals to expand their skills to not only support critical manufacturing processes but understand how IT technology impacts that environment. On the other side of the coin, we are asking IT-trained professionals (experts in TCP/IP and packet drops) to work in an ICS/OT environment where they will inevitably disrupt the beer production process. Don’t spill that beer, boys and girls!


Let’s review what we know about IoT today.

Threats to the greater IoT attack surface are:

Historic:

● Proliferation of botnets,

● Ransomware, and

● Phishing Attacks

And additionally IoT-specific:

● Physical Access (data stolen directly from the IoT device), and

● Open Access (IoT devices are not secure by default).

IoT devices must be:

Designed with:

● Encryption,

● Robust access controls, and

● Regular updates to patch vulnerabilities and


Operated with:

● Network segmentation that can isolate IoT devices from critical infrastructure systems, limiting their exposure to external threats, and

Reinforced with regular user education so that:

● Employees are trained on the risks associated with IoT devices and provided with the knowledge and tools to use these devices securely. That should be a regular part of corporate training, updated annually or more often to educate the workforce.


The proposed security measures above are good to spell out, but they are clearly not all in place. If we’re viewing strategic IoT projects as security-first, we need to be proactive and minimize the holes in the planning stage. That requires that we bridge the chasm between OT and IT professionals so they work in unison and not at cross purposes.

Training to solve for this gap

We should start by using the MITRE ATT&CK framework to protect our Industrial Control Systems (ICS). The freely-available framework helps model cyber adversaries’ tactics and techniques — and then shows how to detect or stop them. The ATT&CK knowledge base outlines common tactics, techniques, and procedures used by cyber adversaries. ATT&CK provides a common language for defenders to have conversations about emerging threats and develop effective defensive strategies. Bringing the framework into the ICS world provides a common set of processes and procedures that allow OT and IT to work together to ensure strategic value while minimizing cyberthreats.
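As an added example (not code from the article or from MITRE), here is how the segmentation policy listed above can be checked against flow records, with each violation tagged with the ATT&CK for ICS technique it most resembles so that IT and OT staff describe it in the same vocabulary. The zones, addresses, ports and flows are constructed assumptions; the technique IDs are from ATT&CK for ICS.

```python
from ipaddress import ip_address, ip_network

# Constructed zone model (assumption): a plant network carved into segments
# so PLCs and other OT/IoT devices are isolated from office IT.
ZONES = {
    "it_office":   ip_network("10.10.0.0/16"),
    "eng_station": ip_network("10.20.1.0/24"),  # approved OT engineering hosts
    "ot_plc":      ip_network("10.30.0.0/16"),  # PLCs, bottling-line controllers
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def zone_of(ip):
    """Name the zone an address belongs to; anything non-RFC1918 is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internal_other" if any(addr in n for n in RFC1918) else "internet"

def classify_flow(src, dst, dport, proto):
    """Return (technique_id, name) if the flow breaks the OT segmentation policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if dz != "ot_plc":
        return None                      # the policy only guards the OT zone
    if sz == "internet":
        return ("T0883", "Internet Accessible Device")
    if proto == "modbus" and dport == 502 and sz != "eng_station":
        return ("T0855", "Unauthorized Command Message")
    if dport in (22, 3389) and sz != "eng_station":
        return ("T0886", "Remote Services")
    return None

def review_flows(flows):
    """Return [(flow, technique)] for every flow that violates the policy."""
    return [(f, classify_flow(*f)) for f in flows if classify_flow(*f)]

# Constructed sample flows: (src, dst, dst_port, protocol)
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.30.4.10", 502, "modbus"),    # engineering station -> PLC: allowed
    ("10.10.7.33", "10.30.4.10", 502, "modbus"),   # office laptop writes to a PLC
    ("203.0.113.9", "10.30.4.11", 502, "modbus"),  # external host reaches a PLC
    ("10.10.7.33", "10.30.4.12", 3389, "rdp"),     # office RDP into the OT zone
    ("10.10.7.33", "10.10.8.2", 3389, "rdp"),      # office -> office: out of scope
]

if __name__ == "__main__":
    for flow, (tid, name) in review_flows(SAMPLE_FLOWS):
        print(f"{tid} {name}: {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}")
```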

Given the Biden Administration’s Cybersecurity Executive Order, CISOs must carefully protect their customers, employees, investors and more by assuming a proactive posture around IoT cybersecurity in 2023 and beyond. Or possibly face fines?


Dr. C. Wolf Nordlinger

PhD, Fulbright Scholar. Writer (Wash. Post, Fortune). Natural Foods. AI-Cybersecurity Nexus. U.S. State Dep't. Cisco, Splunk, Palo Alto Networks.