directors and officers.
Organizations all over the world rely on Palo Alto Networks to detect and prevent advanced cyberattacks while safely enabling applications. To protect your organisation, visit www.paloaltonetworks.com.
Navigating the Digital Age is a cybersecurity guide for company directors and decision makers. This introduction highlights the importance of cybersecurity and why companies need to urgently think about putting preventative measures in place.
We are moving quickly to a world where everything with a circuit board and power supply will connect to the network.
Some estimates suggest there will be as many as 200 billion connected devices by 2020 [1], with the goal of creating new services, economic structures, and operational efficiencies.
The Internet of Things (IoT) is a term used to describe previously non-connected devices – such as fuel gauges and elevator control systems – being fitted with data transmitters, to enable control from anywhere on the local network or even the global Internet.
IoT is here today and is being used to create sustained competitive advantage as its economic impact begins to take shape. The so-called ‘fourth industrial revolution’ will place information systems and automation at the centre of productive output—from driverless cars to robotic process automation.
For individual corporations, new avenues for growth are at stake with IoT, but along with this opportunity comes new risks and responsibilities—and new security challenges.
The IoT security imperative
According to a recent report published by the World Economic Forum (WEF) [2], executives list cybersecurity breaches as their primary IoT concern, followed by personal data breaches.
Security considerations for IoT systems are very different from those for other IT systems. Where IT refers to information technology systems, IoT systems are supported by OT, or ‘operations technology’.
IT systems are composed of servers, storage, and software, which run business information processes. OT systems are industrial components designed for managing operational processes like temperature and pressure settings and material production flow.
Enormous value can be created through connectivity, but it has to be done with the understanding that no connected systems are completely secure today.
Due to the scale of IoT deployments, to realise the benefits of connectivity, automation is fundamental. And automation cannot occur if the underlying data can’t be trusted—cybersecurity now underpins the ability to automate.
In this sense security is not an IT or OT issue, it is a business continuity issue. In an industrial context, cybersecurity also translates to safety issues. If a function of a device is compromised, it has the potential to malfunction.
Key IoT security considerations for company boards
Below is a checklist of considerations and questions for company boards to help members capitalise on the massive emerging opportunities around IoT while minimising the risk of cybersecurity breaches.
Recognise there is a real and present threat
Company boards need to recognise that the threats are real and they are present today. Business drivers will mean more connected devices, but there are already documented cases of breaches causing physical damage, in addition to economic and reputational damage.
And just because there is no evidence of a breach, that does not mean your systems are secure. The threat landscape is evolving exponentially, and it is important to understand the motives of external actors and recognise that the majority of incidents still come from errors by internal teams.
The full spectrum of threats and disruptions includes: unauthorised access; technology failure; malicious attacks; espionage; sabotage; criminal activity; natural disasters; and human error.
Any connected device has potential to be an attack vector—including seemingly innocuous devices like printers.
Elevate the discussion to the board level
IoT security should be discussed with the board. While the technologies might be complex, the principles are not—in a network, the whole system is only as strong as the weakest link. This could be the people, the network, or the individual devices.
Discuss corporate cybersecurity communications methodologies and cadence with the board, and stay on top of current IT security trends.
One way to look at this is by redefining the chief information security officer (CISO) role. Create a reporting structure whereby the CISO oversees both IT and OT security.
Take a holistic approach
While IT and OT are very separate functions today, they will converge. Emphasis needs to be placed not just on trying to prevent breaches with cyber hygiene, but also on risk management and resilience.
Review the device topology of the corporation; the risk profile and the context of the connected equipment; the networks devices connect to; the people who use them; and the value of the data collected and systems that protect it.
Then there will be a more unified approach to security and less finger-pointing in the event of a problem.
Communicate a business continuity plan
Breaches will happen, so be prepared for them, both internally and across your value chain. Be clear on disclosure policies and practices, and have a communication plan prepared now.
Also, have a business continuity plan for employees, partners, and customers to minimise the impact of a breach.
Understand business context and risk tolerance
Discuss and agree on the risk profile and tolerances of the organisation as it relates to both IT and OT relative to the wider business requirements.
Openly discuss the type of devices connected to the network and the data being collected and shared, including who has access to what data.
This should be an ongoing process resulting in identification of the risks and the steps to mitigate them.
Create a strong security model for connected devices
Ensure that all IT and OT systems are properly patched. In the world of IoT, patching tends to be spotty at best.
There can be underlying concerns that patches might disrupt the operation of the connected device or system; however, this is short-sighted.
Ensure connected devices have hardware-based roots of trust wherever possible and certificate-based authentication for device identity. Some devices still ship with the same hard-coded crypto keys or passwords, introducing a known vulnerability.
In addition, ensure the remote management interface to devices is secure, and access to the devices and associated data is controlled.
Monitoring for rapid response and recovery
Ensure the mechanisms are in place for ongoing monitoring of OT environments for rapid response when breaches occur.
It is best to assume there will be breaches, and that these can be difficult to detect, given some IoT devices don’t have visual displays and are not designed for direct human interaction.
Don’t underinvest in response systems. Participate in government and community cybersecurity auditing programs like the ASIC cyber resilience check program in Australia.
Focus on data protection and privacy
With IT systems, data confidentiality, integrity, and availability are most important—in that order. With IoT systems, the importance is reversed to be availability, integrity, and confidentiality.
There will also be an increased emphasis on data authentication and integrity, as it is fundamental to automation. There will also be a move to allow more granular access controls to device data. Understand how data is collected and where it is stored, either locally or in the cloud.
If data is stored in the cloud, ensure it is compliant with regional requirements for in-country data storage where applicable. Instil a privacy-first culture to become a strong custodian of the data you collect and not overreach with data access policies.
Supply-chain integrity, information, and risk sharing
Global supply and value chains are increasingly demanding that participants be secure. Many multinationals are already forcing security audits of partners in order to collaborate, transact, and share data.
For connected equipment, understanding the provenance of the hardware and software is important.
It is also important to understand—and have common mechanisms for—reporting on the protective provisions in the license agreements for cybersecurity products and services that connect to your network, as well as for the components that are licensed into the connected products and services that you sell.
Be aware that these protective provisions are often not as robust as expected; you may have large exposures that you are currently unaware of.
Join government collaboration networks
The Australian government recently announced the creation of a Cyber Security Growth Centre, a new program that will be Australia’s peak industry-led cybersecurity body. It will take the form of a national network and drive alignment among industry, government, and academia to help create a vibrant domestic cybersecurity sector.
All Australian companies who are concerned about cybersecurity should consider participating in this network. It will include programs like the development of a cybersecurity curriculum for company directors.
1. Intel: http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
2. WEF: Unleashing the Internet of Things Report