Many companies don’t know the depth of their IoT-related risk exposure

In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work. Organizations should better understand how to manage the risks created by known and unknown Internet of Things (IoT) and Industrial IoT (IIoT) devices.

IoT-related risk exposure

According to a recent Deloitte poll, nearly half of IT security professionals (48%) recognize that, when developing or deploying secure-by-design connected products and/or devices, it is imperative that both of these conditions exist:

  • DevSecOps embedded throughout the design/acquisition, implementation, and deployment lifecycle.
  • Cross-functional technology teams that include legal, procurement and compliance across pre- and post-market deployments.

Why it matters

The number of cyberattacks, data breaches and overall business disruptions caused by unsecured IoT/IIoT devices is increasing because many companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies.

IoT and IIoT are a set of business and technology innovations that offer many compelling benefits, but they also present significant cybersecurity risks and a greatly expanded attack surface. Mitigating these risks by understanding IoT/IIoT platform security can help organizations realize the greater potential and benefits of these innovations.

Why is security-by-design important?

Deloitte and Dragos are teaming on a number of client initiatives to help organizations embed a security-by-design approach and to manage the risk of industrial control systems (ICS) and operational technology (OT) environments by enabling them to better monitor and assess threats.

Organizations can benefit from a better understanding of threats in this environment, which can then be used to develop and embed cybersecurity strategies into organizational and technology strategy.

Security-by-design means incorporating cybersecurity practices by default into the product’s design (when designing an IoT/IIoT product) and into the environment in which the product is implemented (when onboarding an acquired IoT/IIoT product).

Beyond securing ICS and OT systems, this combination of cyber risk services and technologies can provide a more complete picture of an organization’s ICS and OT threat landscape through active monitoring that can better inform scenario planning and response.

The following top risks were outlined by leaders from Deloitte Risk & Financial Advisory’s cyber practice and Dragos:

  • Not having a security and privacy program
  • Lack of ownership/governance to drive security and privacy
  • Security not being incorporated into the design of products and ecosystems
  • Insufficient security awareness and training for engineers and architects
  • Lack of IoT/IIoT and product security and privacy resources
  • Insufficient monitoring of devices and systems to detect security events
  • Lack of post-market/implementation security and privacy risk management
  • Lack of visibility of products or not having a full product inventory
  • Identifying and treating risks of fielded and legacy products
  • Inexperienced/immature incident response processes

“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind. Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars.

“Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority,” said Sean Peasley, a partner in Risk & Financial Advisory and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP.

“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing.

“There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem.

“Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable,” said Robert M. Lee, CEO at Dragos Inc.

About the online poll

More than 4,200 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, “The Internet of Things and cybersecurity: A secure-by-design approach”. Answer rates differed by question.

A majority (81%) of respondents indicated that information security is accountable for securing connected products in their organization. The information security team is still primarily where boards look to drive their cyber agenda, but as the 2019 Future of Cyber survey indicates, cyber is becoming everyone’s responsibility.

It is critical to understand that if you are the plant manager, you likely have responsibility for the safety and liability of the operation. But the challenge is that everyone has a role to play. Ultimately, the CEO is going to be held accountable.

Organizational confidence in security

How confident are respondents that their organizations’ connected products, devices, or other “things” are secure today? Not very.

More than half of respondents (51%) were somewhat confident, while 23% were uncertain or somewhat not confident, with only 18% feeling very confident in their organizations’ ability to secure connected products and devices.

This may be a result of an overall lack of standardization across industries for security, and of awareness of the cyber risks of connected devices.

Guidance for security-by-design

A positive revelation in the results was that 41% of respondents indicated they look to industry and professional organizations for guidance in driving security-by-design within their organizations.

Another 28% said they look first to the regulatory bodies and agencies that set the standards, and 22% indicated that the leading practices guiding their security-by-design efforts were developed internally.

According to Peasley and Lee, a favorable strategy is for organizations to first understand the leading practices and standards of peer organizations, and then look to the regulatory bodies that are starting to shape standards and regulations, helping to inform those that are still to come.

These results conflict with those of another question, which asked whether product teams use a defined set of product cybersecurity requirements as input for requirements selection.

Twenty-eight percent use an industry-defined framework and 41% indicated a custom framework, while 30% of respondents answered “No,” indicating they do not use a defined set of requirements. The results of this question indicate there is still much work to do across the industry to influence and inform standards for cybersecurity.

Considerations for organizations

Understand the current state of product security and develop a cyber strategy: Whether designing connected products or acquiring such products to implement internally, assess how products, including the data they produce, are protected and develop a cyber strategy to drive improvement.

Establish security-by-design practices: Integrate security-by-design into the design of the product itself or into the design of the ecosystem architecture, through requirements, risk assessments, threat modeling and security testing.

Set the tone from the top: Ensure the right people are engaged and have ownership of the process – from leadership to the relevant product security subject matter experts to the product teams.

Have a dedicated team and provide them with ample resources: Don’t expect enterprise security teams to cover these missions without adding new resources for them; build a dedicated team that has product-based experience and provide training as needed to increase knowledge.

Leverage industry-available resources: Rather than developing and providing unique questionnaires to your device vendors, use publicly available industry resources.