The most recent White House announcement detailing the US National Cybersecurity Strategy puts forth some important priority objectives. With a focus on protecting our national critical infrastructure this plan advances several themes that will help the cause: increased focus on public-private partnerships, the shifting of security responsibility to organizations that can handle the burden of cyber – chief among them government agencies and large device manufacturers, planning for security resilience in the future, and leveraging the expertise of our key allies.
The message this sends is 1) we have to do something to protect our assets from bad actors, and 2) the government can’t and shouldn’t do it alone. In fact, the plan uses some very specific language to focus our collective efforts on “what” our approach to cybersecurity should be, stating;
“we must complement human-to-human collaboration efforts with machine-to-machine data sharing and security orchestration. Realizing this model will enable real-time, actionable, and multi-directional sharing to drive threat response at machine speed.”
In other words applying automation to the security of connected devices is paramount to achieving our collective goals.
We’ve been fortunate to see some of this activity firsthand through our ongoing work with the Virginia Innovation Partnership Corporation (VIPC), the non-profit execution arm of the Virginia Innovation Partnership Authority (VIPA). Working with other private enterprise participants in VIPC’s Stafford Testbed environment, we’ve modeled how both government and private-sector operators of critical infrastructure can deploy existing technologies to protect not only the next generation of devices, but also existing assets currently in the field.
In fact, the problem of existing, or brownfield devices highlights one of the chief challenges in protecting today’s IoT infrastructure. While focusing on secure by design – or better yet resilience by design– is the right approach for new device introductions, the fact remains that all critical infrastructure sectors have a substantial IoT footprint already deployed in the form of sensors, vehicles, robots, etc. that represent a huge attack surface. The government also recognizes this fact in its plan asserting;
“IoT devices, including both consumer goods like fitness trackers and baby monitors, as well as Industrial control systems and sensors, introduce new sources of connectivity in our homes and businesses. However, many of the IoT devices deployed today are not sufficiently protected against cybersecurity threats. Too often they have been deployed with inadequate default settings, can be difficult or impossible to patch or upgrade, or come equipped with advanced – and sometimes unnecessary – capabilities that enable malicious cyber activities on critical physical and digital systems. Recent IoT vulnerabilities have shown just how easily bad actors can exploit these devices to construct botnets and conduct surveillance.”
Looking ahead, The White House advocates IoT security labels for certain consumer products, but for enterprise, industrial, medical, automotive, or other high scale connected device environments, that won’t be enough. Too often large organizations deploying IoT have security teams that don’t understand devices, and device teams that don’t manage security. The result is lack of awareness and accountability. Technologies designed to manage the complexity of geographically distributed devices, outside of corporate firewalls, and in large volume has to be considered. Removing manual, human-dependent processes is a must to eliminate errors and quicken our response to attacks.
This National Cybersecurity Plan is a great step forward in protecting our connected environment and that of our allies. Device Authority remains committed to working with our industry partners to advance this discussion and be a part of the overall solution.