The White House recently issued a memo entitled Fact Sheet: Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity. The communique offers a checklist of policies, executive orders, and other steps the Biden-Harris Administration has taken to demonstrate its “relentless focus to improving the United States’ cyber defenses, building a comprehensive approach to ‘lock our digital doors’ and take aggressive action to strengthen and safeguard our nation’s cybersecurity.” It’s worth looking at the items outlined as it offers insight into the federal government’s position on the state of the nation’s cybersecurity posture.
The Fact Sheet on Strengthening America’s Cybersecurity addresses different areas of concern focused on protecting national economic interests, addressing security by design, countering ransomware threat, raising threat awareness, training more cybersecurity professionals, and preparing for a post-quantum world. The Fact Sheet’s focus policies include:
- Improving the cybersecurity of our critical infrastructure.
- Ensuring new infrastructure is smart and secure.
- Strengthening the Federal Government’s cybersecurity requirements, and raising the bar through the purchasing power of government.
- Countering ransomware attacks to protect Americans online.
- Working with allies and partners to deliver a more secure cyberspace.
- Imposing costs on and strengthening our security against malicious actors.
- Implementing internationally accepted cyber norms.
- Developing a new label to help Americans know their devices are secure.
- Building the Nation’s cyber workforce and strengthening cyber education.
- Protecting the future – from online commerce to national secrets — by developing quantum-resistant encryption.
- Developing our technological edge through the National Quantum Initiative and issuance of National Security Memorandum-10 (NSM-10) on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.
While the eighth policy on the list addresses a need to help make consumers more aware of the cyber-risks associated with their purchase and use of Internet of Things (IoT) devices, we note the lack of a reference to IoT security within enterprises. Here’s the full text from the Fact Sheet:
Consumer and Commercial/Industrial IoT are Vulnerable
First, let me be clear that Ordr supports the efforts to help make people more aware of the risk associated with the connected devices they purchase for personal and in-home use. Often these devices collect sensitive information, or they may be a gateway for threat actors to gain access to a personal network that is relatively unprotected. Very few homes run industrial-grade security products, and are vulnerable to the tools and techniques available to most criminal hackers and hacker groups. But the same threats that put personal IoT devices at risk are present in many of the devices that populate enterprise networks.
Medical devices, industrial controls, sensors, point-of-sale systems, communications equipment, and many more Internet of Medical Things (IoMT), operational technologies (OT), IoT, and other connected devices are notoriously vulnerable to attack. Many of these devices are not built with security as a priority of their design. They operate with obsolete operating systems, rely on default (if any) passwords, and are released to market with security weaknesses. Some industry studies have found that three-quarters of all IoMT devices deployed today have at least one security vulnerability, and that half may have multiple vulnerabilities.
What’s more, the same devices that the White House wants to warn consumers about may also end up connecting to enterprise, industrial, and healthcare networks. Within minutes of deploying Ordr in these environments, our platform automatically discovers and classifies all of the devices operating on the network, and the results have been eye-opening for our customers. Vending machines, smart assistants, and gaming systems are not uncommon; but we’ve also found stranger things like parking gates, Kegerators, Pelotons, and Tesla automobiles.
The same devices that the White House wants to warn consumers about may also end up connecting to enterprise, industrial, and healthcare networks.
Many times, these devices have a legitimate reason to be operating where they are, but if IT and security operations don’t know about them, they present an unrealized risk. That is where Ordr comes in handy. By discovering and classifying every device, then drawing on the deep Ordr Data Lake to gather context and monitor its activity with a granular understanding of its purpose and normal operational patterns, Ordr can uncover vulnerabilities and detect behavioral deviations that are indicators of compromise. When that happens, Order automates policy enforcement to respond immediately to prevent or stop the spread of an attack, while maximizing operational resilience.
IoT Security for Economic Security
Some devices and systems must keep operating even while at risk, and Ordr’s enforcement of segmentation and isolation policies can ensure continued functioning even as the security team takes action to mitigate the present risk. That’s an option that is better than a “code dark” event during which non-technical staff are instructed to disconnect machines from the network altogether.
We applaud the White House’s efforts to use its bully pulpit to advance the cause of cybersecurity. We also urge the administration to continue to use its influence to help make our entire economy safer by recognizing the need to build security-by-design into every connected IoT, IoMT, and OT device. Building on the momentum of the IoT Security Improvement Act of 2020 as well as FDA guidance for IoMT security, bills like the PATCH Act and other requirements are needed to ensure connected devices are built and delivered to be secure. If labeling consumer devices is important, it must also be a priority for commercial devices as well.