IoT security isn’t an IT issue, it’s a business issue
By STACEY HIGGINBOTHAM
The internet of things is expanding the attack surface for hackers and malware, while also placing more business operations online. It’s no longer just your computer network at risk of an attack, but production centrifuges or hospital MRI machines. This shift is inexorable, and cybersecurity has become a mainstay in any conversation about IoT. But Nathan Wenzler, chief security strategist at Tenable, believes that the conversation is happening in the wrong place.
Security is no longer an IT issue, but an issue that the entire executive suite needs to tackle. There’s no way a company can implement perfect security, and no way it can afford to implement almost perfect security, so businesses need to assess the risks and allocate staff and budgets where they matter most. “IT security as a practice is not a tech discipline, it’s a risk management discipline,” he says. “Conceptually, security really needs to be involved in risk management, but you need to align risk management to the business, so you need the lawyers, the executive team, and others involved.”
Tenable recently issued research conducted on its behalf by Forrester that interviewed roughly 800 business executives and security personnel, and only a third said they thought about security this way. This is unfortunate because different organizations will have different priorities and resources, which means cyberattacks will have different effects on their bottom line or operations. For example, in a hospital setting, the biggest risk is not shutting down operations after a ransomware attack, but rather that a patient monitoring machine or an IV gets hacked and the patient dies.
That’s the worst outcome for a hospital, but it’s not the most likely (unless your patient is at risk of an assassination attempt). Ransomware is the most likely attack, and it does have a crushing financial and logistical impact on the business. It can even affect patient care through delayed surgery or postponed tests. So aligning the security expense and response to the business might mean that the hospital focuses most of its staff and budget on preventing ransomware. But if it finds out about a vulnerability that affects a machine that directly attaches to a patient, it immediately removes the machine from the rotation and patches it. Or, in the case of one hospital that had a patient hooked up to a potentially vulnerable machine, they had a nurse watch the patient 24-7 until they could safely remove the offending machine.
In another example, this time from the manufacturing sector, a local cyberattack on production equipment that’s on an air-gapped network might shut down operations, but because those operations are duplicated elsewhere in the world and the production equipment is not connected to the internet or other operations, the company might not prioritize stopping those attacks. Instead, it might focus on stopping attacks on its IT network that has proprietary data. In this example, OT security is trumped by IT security based on business priorities.
Establishing security priorities and assessing risk starts with understanding what’s connected to the internet or what’s on vulnerable networks, says Wenzler. For example, hackers can target air-gapped operational technology networks through malware carried in on USB sticks. (These attacks are on the rise, by the way.) So when looking at your network, consider IT devices and networks, OT networks and devices, and your people.
Once the security team understands the potential points of entry, it’s time to get business leaders, legal teams, marketing and the IT and OT folks into a room to talk about what matters most. These are not going to be easy conversations, but they will help guide the overall security strategy and spending. It also helps provide a plan in case of an attack.