The Health of the IoT Depends on Cyber Security

It's time to change the framing around what cyber security means and how to adequately maintain the health of our digital networks.
By Rebecca Lawson

To maintain good cyber hygiene, organizations with connected OT environments and connected devices must educate employees on how and why cyber security is a fundamental part of their company's culture, conduct asset inventories and regular security assessments, and roll out a robust incident response (IR) plan to mitigate the impact of a cyber-attack. These steps may include:

Training: People are the most critical element in cyber security. Raising awareness among non-technical staff about risky behaviors, and aligning technical staff on procedures for safe digital operations and on their roles in the event of an incident, will help ensure that an organization improves its resiliency against cyber threats. As threats become more persistent and advanced, training tailored to the industrial cyber landscape will help businesses meet the growing need for new skills, and drive better awareness of OT-specific security requirements among both operators of assets and IT security professionals.

Asset inventory and assessment: According to the SANS Institute, only 26 percent of organizations have performed a security assessment within the past quarter. Considering that the average length of time between a breach and the discovery of an infiltration (dwell time) is between four and six months, the data suggests that assessments should be conducted more frequently. Further, NIST Guidelines mandate asset inventory and management as the first critical step to improving an organization's security posture. In IT environments, computers interact with the network every time someone logs in, making it easier to keep track of access and network traffic. In OT environments, however, assets may be connected, but not actively communicating with other machines. This doesn't mean they aren't vulnerable. Operators must keep tabs on their equipment to recognize risks and appropriately scale resources for a response effort.

Incident Response: Organizations can increase awareness and implement great tools, but without planning and preparing for real scenarios and incidents, they won't increase their readiness for an attack. According to FireEye's 2016 Industrial Control System (ICS) Vulnerability Trend Report, approximately 33 percent of the vulnerabilities examined did not have a fix available at the time of public disclosure. This means that more than one-third were zero-day vulnerabilities. When vulnerabilities and attackers are unknown, organizations must quickly and efficiently execute incident response programs. Organizations with large OT environments must have incident response preparations for OT vulnerabilities and should be regularly exercising the plan to identify and remediate any incorrect assumptions or miscommunications. There should be an incident captain, defined roles and responsibilities, clear lines of communication with detailed contact information and continuous updates for key stakeholders, suppliers and customers that may be impacted.

While organizations need to shift the association around cyber security away from "crime," this process doesn't diminish the severity of the threats—the majority of which are, in fact, crimes. According to the SANS Institute's 2016 assessment of ICS security, 17 percent more organizations placed blame on hackers this year than they had in 2015, and attributions to organized crime were up 11 percent in 2016. (Employees, activists and suppliers were among the other sources respondents indicated.)

Attacks on industrial organizations and connected devices are more likely associated with planned attacks and skilled attackers. These organizations must embrace cyber security as a standard business practice and remain constantly vigilant concerning the health of assets and the networks on which they communicate. OT cyber security begins with awareness and grows into a robust practice through increased training and cultural transformation across the organization.

Rebecca Lawson is the executive director of cyber for Wurldtech, GE Digital. Lawson has a long-standing background of 25 years in product management, strategy, marketing communications and business development. She is also a frequent public speaker and the published author of several technology-related publications.
