It’s hard to beat being able to tell your sound system to select and play a particular song, or order something online using just your voice, or have your refrigerator tell you when you’re running short of food, or have your office printer diagnose itself and demand service automatically from the vendor.
Features like this are driving the demand for smart offices, smart homes, smart appliances, smart buildings, and smart cities — all connected through the Internet of Things (IoT).
The IoT is the network of physical objects equipped with sensors, software and other technologies for exchanging data with other devices and systems over the Internet. These include embedded systems, wireless sensor networks, control systems, home and building automation systems, and smart home devices, as well as smartphones and smart speakers.
There were 7.6 billion active IoT devices worldwide at the end of 2019 and there will be 24.1 billion in 2030, according to digital transformation research firm Transforma Insights.
Connected Teddy Bears – Wait, What?
Surely spurred by the work-from-home necessities of 2020, people have connected a multitude of non-business devices to their corporate networks. Some are predictable and others might be surprising. For example, teddy bears and other toys, sports equipment such as exercise machines, gaming devices and connected cars, according to global cybersecurity firm Palo Alto Networks‘ 2020 IoT Security Report.
The increasing number and variety of devices hooked up to IoT networks is making it progressively difficult to implement cybersecurity, because every device is a potential weak point.
For example, it’s possible to hack large numbers of connected cars to shut down cities by causing gridlock.
Smart buildings and even cities can be hacked to compromise automated systems that control HVAC systems, fire alarms and other critical infrastructure.
Digital intruders have reportedly accessed homes through smart thermostats to terrorize families by turning up the heat remotely; and then speaking to the residents through the cameras connected to the Internet.
The effects of hacking will likely be most severe in the healthcare industry, where equipment failure or hijacking will endanger lives.
“Connected medical devices — from WiFi enabled infusion pumps to smart MRI machines — increase the attack surface of devices sharing information and create security concerns including privacy risks and potential violation of privacy regulations,” wrote Anastasios Arampatzis, an author for security vendor Tripwire.
Holding CEOs’ Feet to the Fire
So, who will be responsible for cybersecurity in an IoT network? The vendors of individual appliances or equipment? Whoever owns or runs the network? The company or organization using the IoT network?
Gartner defines CPSs as “systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.”
These systems “underpin all connected IT, operational technology (OT) and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure and clinical healthcare environments.”
OT consists of hardware and software that detects or causes a change in industrial equipment, assets, processes and events through direct monitoring and/or control.
In other words, 75 percent of CEOs could be held responsible for IoT security failures by 2024.
Why CEOs? Because regulators and governments will drastically increase the rules and regulations governing CPSs in response to an increase in serious incidents resulting from failure to secure CPSs, Gartner research VP Katell Thielemann wrote. “Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
Holding CEOs responsible “is a definite possibility and is consistent with the way that CEOs are held accountable for the accuracy and legitimacy of their financial attestations under the Sarbanes-Oxley Act of 2002,” Perry Carpenter, Chief Evangelist and Strategy Officer at security awareness training firm KnowBe4, told TechNewsWorld.
The Sarbanes-Oxley Act was created to crack down on corporate fraud.
The National Association of Corporate Directors (NACD) “realizes that cybersecurity and, by extension, cyber-safety should be an issue that even rises to the level of the Board of Directors,” Carpenter said. “It has issued guidance for how to do so.”
Companies can buy cyber insurance, but cyber-insurance policies “are notorious for not paying out if the company does not meet a high bar of security excellence,” Carpenter remarked.
Further, “regulatory bodies won’t be in a hurry to offer easy outs for CEOs and companies who may be demonstrably negligent.”
Is a Risk-Based Approach Feasible?
There is a move among enterprises towards adopting a risk-based approach to cybersecurity, global management consultant firm McKinsey & Co. found, but that won’t provide CEOs blanket protection.
Risk-based approaches to information security let organizations adopt strategies tailored to their unique operating environment, threat landscape and business objectives, according to CDW, which provides technology solutions to business, government, education and healthcare customers in the U.S., the UK, and Canada.
They let adopters “understand the impact of risk mitigation efforts, providing a comprehensive view of risk and filling gaps that may be left by other approaches to security. The use of a risk-based approach fits neatly within the enterprise risk management (ERM) strategies being adopted by many organizations.”
“Risk is always part of the equation,” Carpenter said. “The problem comes when organizations or CEOs have an unacceptably high tolerance for risk or simply choose to stick their heads in the sand.”
It’s widely acknowledged that there is no such thing as a fully secure system, so wouldn’t holding CEOs responsible for the failure of a CPS be overkill?
“The point won’t be to have 100 percent protection,” Carpenter said, “but rather to ensure that there’s proper due care in how systems are architected. CEOs can’t just throw up their hands and use [the fact that 100 percent security doesn’t exist] as an excuse, they need to build with safety and resilience in mind.”
Pointing Fingers Not So Simple
Despite possible parallels to the Sarbanes-Oxley Act, the question of blame will not be easy to resolve.
“Ultimately, the CEO is responsible for the operation of their organization, but the reality is more nuanced than just simply ‘the buck stops here’,” Saryu Nayyar, CEO of global cybersecurity company Gurucul, told TechNewsWorld.
“Cyberattacks are complex and often involve many moving pieces,” Nayyar said. “Placing liability on the CEO because they are the CEO may not be appropriate.”
That said, CEOs should be held personally accountable when they fail to set a high standard for their security teams or ensure that standard is reached, Nayyar noted.
It’s not clear who would be or should be held responsible, Salvatore Stolfo, founder and chief technology officer at Allure Security, a security-as-a-service application that protects against phishing scams, told TechNewsWorld.
“Is it the CEOs of companies that manufacture insecure IoT devices, or the CEOs of companies that buy and deploy them?” he asked. “There is no current legislation making it clear who would theoretically hold the liability.”
An alternative to holding CEOs personally responsible would be to adopt the recommendation of the Cyberspace Solarium Commission (CSC) to hold IoT device manufacturers liable for selling defective products or not providing for basic security features including the ability to update device software when security vulnerabilities become known as recommended by, Stolfo suggested.
This is one of 80 recommendations made by the CSC, which was established in 2019 to develop a consensus in defending the U.S. in cyberspace.
How to Make IoT Networks More Secure
Palo Alto Networks recommends these steps for securing IoT networks:
- Employ device discovery to get a detailed, up-to-date inventory of the number and types of devices connected to your IoT network, their risk profiles, and their trusted behaviors;
- Segment your network to contain IoT devices in their own tightly controlled security zones, keeping them separate from IT assets;
- Adopt secure password practices, replacing the default password of newly connected IoT devices with secure ones adhering to enterprise password policies;
- Continue to patch and update firmware when available; and
- Actively monitor IoT devices at all times.
Securing IoT networks requires a combination of purchasing products that are secure by design, and taking a holistic approach to security, Andrea Carcano, Co-founder of operational technology (OT) and IoT security firm Nozomi Networks, told TechNewsWorld.
“IT professionals can no longer just worry about the security and connectivity of their IT networks,” Carcano said. “They must think about the security of their cyber and physical systems.”