The challenges, blockers to change, and the decisions required to embark on change vary across industry sectors. The policies and processes that have been engrained over decades of information technology (IT) dominance and stewardship may become the inhibitors of change without a strategy for change. The intrinsic nature of risks has changed and therefore the solutions must too.

Embracing digital transformation will require hardening the workflow and operations, and not clinging hopefully to out-of-date and cumbersome platform hardening guidelines. Security is not a point solution; it is a holistic chain — and it is only as strong as the weakest link in that chain.

The effectiveness of security (from soft core to hard edge) requires baked-in controls, not bolted-on controls. The economics of security lies in multi-vendor collaboration as a forethought and not multi-vendor competition as an afterthought. The induction of modern controls must be strategic, measured and rational. Imminent risks have no term limits.

Strategy by industry sector

Process automation

The major risks to process control and automation stem from three factors. The first factor is the diversity of communications methods and industrial protocols that are fundamentally open and insecure, because they were designed to operate within an implicitly secure silo. The second factor is the network firewalls and intrusion detection systems retrofitted into an interconnected and layered ecosystem they were not purpose-designed or intended for operations technology (OT). The third factor is that unlike the IT approach of quarantining infected user workstations (endpoints) with virtual LAN (VLAN) based network segmentation, process control systems in OT are live and quarantining devices in an interconnected system, disrupting service and causing undesirable outage. Reactive approaches founded on network-based anomaly detection and deep-packet inspection of application protocols will be challenged eventually by the onset of encrypted network traffic (without application reengineering) in the years ahead.

The strategy will require at least: (a) securing the integrity of signaling between systems; (b) managing the digital secrets that offer such security countermeasures — passwords and keys; (c) rotating the digital secrets using X.509 certificates for trusted delivery as a mitigation strategy for recovery on compromise; (d) tamper-resistant content delivery through the supply chain; (e) remote device recovery on compromise with trusted software and configuration updates, and automated key renewal; and (f) auditability for visibility and measurement of compliance posture.

Transportation

The major risks to ground transportation systems stem from the mobile nature of automotive systems. The electronic control units, telemetric/transmission control units, speed control units, onboard diagnostics, navigation systems and consoles will require periodic software and configuration updates. Isolation of vehicular and entertainment functions will be vital.

The strategy will require at least: (a) securing the integrity of inter- and intra-system messaging; (b) securing the digital secrets (keys) that offer such security countermeasures; (c) rotating the digital secrets at scale and as a remote maintenance activity — as a mitigation strategy for recovery on theft or recall; and (d) tamper-resistant content delivery through the supply chain.

Aviation

The major risks to the aviation industry are very broad and stem from the complexity of managing the supply chain, outdated delivery methods and the criticality of fault tolerance in safety-centric airborne systems. While some of the risks that apply to ground transportation systems are also applicable to avionics, the significant differences are due to the sheer complexity of electronic platforms onboard and implications related to insurance. The willingness and ability to invest and innovate with new technologies is deeply lacking.

The strategy will require at least: (a) securing the onboard messaging systems; (b) securing the digital secrets (keys) that offer such security countermeasures at a nation-state level of alertness; (c) rotating the digital secrets at scale and as a remote maintenance activity — as a mitigation strategy for vulnerability countermeasures; (d) using X.509 digital certificates for key lifecycle management from a secure facility to meet a high level of assurance; (e) tamper-resistant content delivery through the supply chain for traceability; and (f) historic audit trail for trackability of change ledgers.

Healthcare

The healthcare industry is the most complicated environment to secure, as it takes a village, from the medical devices community to healthcare providers, healthcare workers and government bureaucrats. This is the industry at highest risk because of the sheer volume of unmanaged or hard-to-manage devices and the consequences (life-or-death nature of the trade). The emerging nature of IoT devices and cybersecurity compliance requirements in the healthcare sector requires both equipment vendors and service providers to implement security policies that address the risks posed by cyber-attacks and insider threats. Mission-critical production systems and medical devices require protection from unauthorized software updates or configuration changes, and secure authentication of field and remote operators. Legacy enterprise IT managed systems rely on password policies, multi-factor authentication and role based physical and network access. Such controls are inadequate against zero-day cyber-attacks on headless IoT devices that subvert threat intelligence-based intrusion and/or anomaly detection systems designed to prevent data breaches. Therefore, IoT solutions in the healthcare sector require a tamper-resistant system that provides built-in protection controls, trustworthy change management and continuous integrity verification — for high scalability and availability.

The strategy will require at least: (a) securing the identity and integrity of medical devices at the grassroots level; (b) securing the integrity of data exchanges from devices to receivers (display stations and monitors); (c) securing the digital secrets (keys and certificates) on the devices and receivers; (d) rotating the digital secrets at scale and as a managed maintenance activity — for device lifecycle management and transfer of ownership (e.g. remote patient monitoring platforms); and (e) tamper-resistant content delivery through the supply chain for traceability.

Media and entertainment

The media and entertainment industry is as close to home as it gets. The set top boxes, broadband routers, and 5G gateways are at your doorstep. The implications of data privacy and protection for the consumer are paramount here given the nature of home surveillance systems and information gathering that occurs here. For the business, the major risks are loss of revenue from clones, piracy and theft of bandwidth, and flight of intellectual property. In a competitive marketplace with online stores for home-based entertainment platforms, this industry is poised to stream content and containerized applications to edge cloud platforms. This raises the bar for data privacy and protection at higher data rates, and trusted data for artificial intelligence and analytics at the backend.

The strategy will require at least: (a) securing the on-premise equipment; (b) securing the digital secrets (keys) that offer such security countermeasures; (c) rotating the digital secrets at scale and as a remote maintenance activity — as a mitigation strategy for tamper-resistance; (d) using X.509 digital certificates for key lifecycle management from a secure facility for effective licensing; and (e) tamper-resistant content delivery through the supply chain for traceability.

Defense

The battlefield on the ground, in the air, on and under water relies heavily on cyberspace and is increasingly becoming a digital ecosystem over radio waves. Tamper resistance is required at the device, inter-device, and networked systems level for mission-critical operations. The major risks stem from the complexity of managing the supply chain (defense contractors), the sophisticated tools and methods in the arsenal of nation-state adversaries, and the air-gapped nature of combat systems. The willingness and ability to invest and innovate with new technologies face budgetary constraints and the effort to integrate for timely field deployment. Further, the paranoia of integrating technologies sourced from the open source community, new vendors (outside the established supply chain) and technology startups increases the cost and timeliness to build a solution.

The strategy will require at least: (a) using industry standards-based specifications (e.g. NIST, FIPS) vetted for robustness against nation-state attacks; (b) integrating protective countermeasures on devices through the supply chain of equipment manufacturers; (c) managing digital secrets at scale and as a local or remote maintenance activity — as a function of mission control; (d) using X.509 digital certificates for key lifecycle management from a trusted facility; (e) ubiquity across heterogeneous devices and systems for interoperability; (f) tamper-resistant content delivery through the supply chain for traceability; and (g) minimizing personnel re-training to operate the hardened devices and systems on the battlefield.

Printing

The conventional printers for paper documents are evolving in the era for additive manufacturing to 3D printers. The major risks stem from inadequate supply chain protection and theft of intellectual property.

The strategy will require at least: (a) securing the computer aided design (CAD) file delivery with authentication of source and authorization by the publisher; (b) embedding protection to prevent theft of intellectual property (CAD files); (c) extending tamper-resistant protection across the supply chain from the developer to the publisher; (d) protecting containerized applications for workload isolation and key protection in additive manufacturing; and (e) securing the integrity of lateral data transport for interoperability — to deliver technical data in connected digital manufacturing equipment.

Telecommunications and networking

The wide area network (WAN) and broadband providers will be required to provide IoT connectivity to onboard and service millions of IoT devices and end-point platforms. The device-to-cloud, multi-access edge compute, and cloud-at-the-edge architectures will require trusted connectivity through big data pipelines (secure encrypted tunnels). The emerging 5G network and edge gateways will further increase demand for WAN bandwidth. The incumbent networking equipment vendors will face compliance challenges in the fabric of the edge cloud to meet data privacy and protection requirements.

The strategy will require at least: (a) tamper-resistant edge protection; (b) secure encrypted data transport; (c) key protection and rotation with a hardware-based root-of-trust anchor (e.g. TPM, SIM); and (d) protective countermeasures in the perimeter-less ecosystem against nation-state attacks on mission-critical public and national security infrastructures.

Energy

The energy infrastructure, in need of grid modernization, is a high-value target for cyber warfare. The major risks to the energy grid stem from five factors. The first factor is physical access to heavily instrumented systems with no protection points on the board at manufacture, and the large attack surface due to the number of access points. The second factor is the manipulation of demand attacks from appliances that can leverage botnets to manipulate the power demand in the grid, to trigger local power outages and potentially large-scale blackouts. The third factor is the targeting of unprotected supervisory control and data acquisition (SCADA) systems and other industrial control system (ICS) software. The fourth factor is that intrusion detection systems are tuned down to reduce the number of false positive alerts, to the point that it becomes useless. The fifth factor is that unlike the IT approach of quarantining infected user workstations (endpoints) with VLAN-based network segmentation, power generation and distribution systems in OT are live and quarantining devices in an interconnected system disrupts service and causes undesirable outage. Reactive approaches based on network-based anomaly detection and deep-packet inspection of application protocols will be challenged eventually by the onset of encrypted network traffic (without application reengineering) in the years ahead.

The strategy will require at least: (a) securing the integrity of signaling between systems; (b) managing the digital secrets that offer such security countermeasures –—passwords and keys; (c) rotating the digital secrets using X.509 certificates for trusted delivery as a mitigation strategy for recovery on compromise; (d) tamper-resistant content delivery through the supply chain; (e) remote device recovery on compromise with trusted software and configuration updates, and automated key renewal; (f) embedded network access controls for perimeter-less defense; and (g) auditability for visibility and measurement of compliance posture — to avoid punitive fines for violations (e.g. NERC-CIP).

Who benefits?

When the story ends, the device owner and operator live happily ever after. However, this needs to be a win-win for a collaborative strategy to manage cyber risks across the IoT industry. This supply chain begins in the fabrication lab of the semiconductor (chipset) vendor with a root-of-trust anchor (the secure element).

The original equipment manufacturer (OEM) or original device manufacturer (ODM) must then integrate a root-of-trust anchor on the equipment (mezzanine board) as a contract manufacturer for the device vendors. The system integrator may then assemble hardened subsystem components from a plurality of device vendors for the specialized IoT industry. Finally, a device operator manages the operations, administration, maintenance and provisioning services.

With the advent of software-as-a- service (SaaS) utility models for capital and operational expense reduction, cybersecurity services for IoT devices will inevitably migrate to public, private or community cloud-based IoT platforms. The passage from on-premise to on-cloud, and the adoption gap between the mainstream device vendors and the managed security service providers, needs to be bridged with a holistic cyber risk management platform that enables digital transformation in the IoT industry.

What vendors & providers can do

Semiconductor vendor

• Adopt hardware-based root-of-trust anchors (e.g. TPM, EPID, SIM)
• Enable root-of-trust service with a trust abstraction platform to build ubiquitous device drivers
• Drive device identification and authentication based on an endorsement key and certificate for the root-of-trust anchor

Device manufacturer

• Born tough devices
• Contract manufacturing of factory hardened devices for tamper-proofing and anti-cloning
• Bolt-on hardware-based discrete root-of-trust anchor
• No factory-default passwords (protected device configuration)

Device vendor

• Contract manufacturer configures and hardens devices at factory, as per protection profile
• Activate and provision the hardware-based root-of-trust
• Issue birth certificate to license device
• Track and count on-shelf and licensed inventory
• Revoke device certificate to cancel license
• Provision services and application post device onboarding and transfer of ownership for intellectual property protection
  
  

Device owner/operator

• No cloud platform or service provider lock-in
• Buy protection instead of build-it-yourself with engineering and certification cycles
• Protect brownfield silos without application reengineering
• Ensure interoperability of greenfield and brownfield connected devices for digital transformation of infrastructure
• Eliminate the steep costs and operational complexity of PKI build-out
• Data privacy and protection for mission critical applications with cryptographic key management
• Increase operational efficiency and integrity

IoT service provider

• Offer cyber protection as a service to device operators as a utility model
• Drive revenues in the emerging 5G network and edge cloud (smart cities, smart factories, smart factories, smart energy, smart transportation)
• Authenticated device onboarding, updates with supply chain protection, risk monitoring and reports
• Usage based billing with subscription-based level of protection

IoT cloud platform

• Offer a high availability platform for IoT service providers
• Marketplace for cyber protection services
• Drive revenues with usage-based billing for compute, network and storage resources

Conclusion

The elixir to cure cybersecurity risks in IoT will require a prolonged and tenacious commitment to change. The rebirth of the internet needs to be protection centric and must not relegate security initiatives to an IoT cottage industry in the wild that must defend against sophisticated cyber criminals and nation-state actors with reactive tactics.

The transformative and economic potential of IoT requires both a microscopic and telescopic vision of cybersecurity. This has serious implications for cyber insurance companies as well. The willingness of the insurer to pay-off cyber criminals as a mitigation process for recovery of services and compromised devices will only encourage cyber-attackers, not discourage the cybercrime syndicate.

If government regulators fail rise to the occasion and protect cyber commerce and data, the insurance companies will have to step up with guidelines for cyber resilience or suffer from the consequences of attacks on cyber infrastructure.

Staying in the infinite game of cybersecurity, against a determined cyber adversary, requires the will and resources of all players in the supply chain. At DigiCert, we always aim to do our part to reduce cybersecurity risks in the IoT. Stay tuned to our blog for the latest on what’s happening in the industry and DigiCert updates.