As we wrap up Cybersecurity Awareness Month, it’s worth noting that the final week’s theme is “The Future of Connected Devices”.
The theme seems timely as this is also the same week that CISA issued an advisory on an imminent ransomware attack against healthcare organizations. In the advisory, CISA, FBI, and HHS said they had credible information that malicious cyber actors were targeting the healthcare vertical with Trickbot malware, “often leading to ransomware attacks, data theft, and the disruption of healthcare services.”
Cyber attackers thrive on confusion and chaos, and it is clear that they are taking advantage of the current rise in COVID-19 cases. As hospitals scramble to respond to the increase in cases, they are deploying more medical and IoT devices that are potentially vulnerable to cyberattacks. We now know that attacks not only impact the bottom line (example ransomware payments) but can disrupt facilities in ways that may be fatal to patients.
Which brings us back to this week’s theme; it's clear the future of connected devices is a critical problem that needs to be addressed. While this week’s headlines are about vulnerable healthcare organizations, IoT devices are so pervasive that securing them is a challenge that needs to be addressed in all industries. The future of connected devices requires collaboration among three entities – manufacturers of these devices, IT and cybersecurity teams, and IoT security vendors (like Ordr).
IoT Device Manufacturers
IoT device manufacturers play a key role in the future of connected devices. If more devices are built with security in mind, we can eliminate some fundamental issues such as insecure software stacks (that led to Ripple20 vulnerabilities), generic default passwords, or unsecured backdoors on devices.
Requirements are being built into government and industry standards. NIST has been working on a draft of foundational security functionality that needs to be built into products. The FDA now has oversight of medical device security. And, on September 14th, the House of Representatives voted in favor of the IoT Cybersecurity Improvement Act of 2020, that will establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government.
Additionally, there are several IoT industry standards being worked on by the IoT Security Foundation, the IEEE, the Trusted Computing Group, the IoT World Alliance and the Industrial Internet Consortium Security Working Group.
IT and Cybersecurity Teams
IT and cybersecurity teams need to prioritize the security of connected devices in their network for two reasons. First, these devices are typically critical to their business and any issues will impact operations. Second, the massive volume of these devices, compared to managed endpoints such as laptops and servers, means that there is a massive attack surface that is new.
In order to successfully implement an IoT security program, IT and cybersecurity teams need to work with connected device owners that can range from biomedical and HTM teams, and physical security teams, to facilities or IT Operations teams. They also need to consider a comprehensive device security lifecycle for every device their bring into their environment, and demand the highest levels of security from manufacturers.
IoT Security Vendors
IoT security vendors need to continue to innovate because IoT devices will continue to have security shortcomings. Even if security standards forced device manufacturers to adhere to security standards today, many legacy devices will continue to exist.
Ordr is playing our role in making sure that our platform is easy to deploy, supports visibility and security of all devices – IoT, IoMT, OT, and can deliver value to all stakeholders. We’re also innovating with AI -- the Ordr platform was built to have the resiliency to respond at the speed and scale necessary to deal with the massive volume of IoT devices. Our machine learning technology enables us to classify devices in a way that does not require manual intervention, allows us to baseline "normal” device behavior and automate action.
In summary, the future of connected devices holds tremendous promise for many industries. However, in order to truly realize the promise of these devices requires security. This is where multiple factors are required for success -- collaboration across government and industry on regulation and standards, commitment from device manufacturers to build security into design, prioritization by IT, security and device owners security teams on IoT security projects , as well as continued innovation by IoT security vendors. The future of connected devices requires that we do this on an accelerated timetable to cope with the massive growth of IoT devices expected in the next 5 years.