March 28, 2022

It’s time to prioritise IoT devices as Biden urges the private sector to ‘lock their digital doors’.

By Tyler Gannon, Vice President of Strategic Alliances, North America


Last week, President Biden issued a White House Brief expressing the need for the private sector to “harden your cyber defenses immediately.” This statement was aimed at critical infrastructure sectors which most regard as transportation, water, and energy. But the Cybersecurity & Infrastructure Security Agency (CISA) considers 16 sectors as part of our critical infrastructure and includes Communications, Commercial Facilities (like malls and stadiums), Critical Manufacturing, Agriculture, Health, Emergency Services, Financial Services, and several others. As President Biden stated, “most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors.”

The White House also released a Fact Sheet detailing the immediate recommended steps these companies controlling our critical infrastructure should take, including:

  • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
  • Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
  • Encrypt your data so it cannot be used if it is stolen;

And long-term:

  • Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
  • Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.
  • Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it.
  • Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed. We encourage you to follow those practices more broadly.
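The SBOM recommendation above is only useful if the inventory can actually be queried when an advisory lands. The following is an added illustration, not code from the Fact Sheet or from Device Authority: it parses a constructed, minimal CycloneDX-shaped JSON SBOM and matches each listed component against a constructed advisory feed (the advisory ids are placeholders, not real identifiers) to report which components need a fix and which version resolves it.

```python
"""Look up SBOM components against a list of known-vulnerable versions.

Added example (hypothetical); not the page's or the vendor's own code.
Assumptions: the SBOM is CycloneDX-shaped JSON with a "components" array,
and each advisory lists exact affected version strings. Version matching
here is exact-string only; real feeds need proper version-range parsing.
"""
import json

# Constructed sample SBOM in the shape of a minimal CycloneDX document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "mqtt-client", "version": "2.3.0"},
        # Same library vendored twice at different versions; both must be checked.
        {"type": "library", "name": "mqtt-client", "version": "2.4.0"},
    ],
})

# An SBOM with nothing in it, used to exercise the empty case.
EMPTY_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": []})

# Constructed advisory feed. The ids are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "openssl",
     "affected": ["1.1.1j", "1.1.1k"], "fixed": "1.1.1l"},
    {"id": "ADV-PLACEHOLDER-2", "name": "mqtt-client",
     "affected": ["2.3.0", "2.3.1"], "fixed": "2.4.0"},
]


def parse_sbom(sbom_json):
    """Return a list of (name, version) pairs from a CycloneDX-shaped SBOM.

    Duplicate component names are preserved so that every vendored copy is
    matched; a component without a name or version is rejected outright,
    since an incomplete inventory would silently hide exposure.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    components = []
    for c in doc.get("components", []):
        name, version = c.get("name"), c.get("version")
        if not name or not version:
            raise ValueError("component missing name or version: %r" % (c,))
        components.append((name.lower(), version))
    return components


def find_affected(components, advisories):
    """Cross-reference parsed components with advisories; return the hits."""
    hits = []
    for name, version in components:
        for adv in advisories:
            if adv["name"].lower() == name and version in adv["affected"]:
                hits.append({"id": adv["id"], "component": name,
                             "version": version, "fixed": adv["fixed"]})
    return hits


def triage(sbom_json, advisories=SAMPLE_ADVISORIES):
    """Convenience wrapper: parse the SBOM and return the affected components."""
    return find_affected(parse_sbom(sbom_json), advisories)


if __name__ == "__main__":
    for hit in triage(SAMPLE_SBOM):
        print("%s: %s %s affected, upgrade to %s"
              % (hit["id"], hit["component"], hit["version"], hit["fixed"]))
```

Running the block prints one line per affected component; the second mqtt-client entry at 2.4.0 is correctly reported clean while the 2.3.0 copy is flagged, which is exactly the case an inventory without an SBOM would miss.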

While companies like Microsoft and others have taken a leading stance on promoting Zero Trust Networking to help organizations meet the President’s Executive Order, most organizations will look first to implement Zero Trust security policies for their human users’ network identities. In reality, the imperative applies equally, if not more urgently, to IoT devices and their machine identities.

IoT devices are deployed at far greater scale than human users and usually have no associated “user” to notice suspicious activity or take immediate action when an incident occurs. These devices are already present in great numbers across nearly all aspects of our critical infrastructure but are too numerous for traditional IT security teams to manage effectively. As a result, they represent a significant target for “increasingly sophisticated malicious cyber campaigns.”

At Device Authority our entire focus is on helping organizations apply the same standards of security associated with Enterprise users to IoT devices.

Device Authority’s KeyScaler platform can help solve the problems noted above by fully automating the machine identity lifecycle for IoT devices (for example, rotating credentials according to policy, which addresses the problem of scale) and driving Zero Trust principles to the internet edge where most of these devices operate. Further, to help our customers comply with the Biden Executive Order, KeyScaler’s capabilities include:

  • Software Bill of Materials (SBOM) validation and automation
  • End-to-end data encryption at the device level
  • Secure delivery of signed code to devices

We work directly with chip manufacturers, device OEMs, and IoT platform providers to integrate device-based security throughout the device lifecycle, ensuring that “secure by design” extends all the way to “secure end of life.”


Find out more about the state of cybersecurity and the role of regulations in accelerating adoption in our upcoming webinar.

WRITTEN BY
Claire Tennant