Project Management Office for General Dynamics Information Technology (GDIT)

Description: Exploited Internet of Things (IoT) cyber vulnerabilities expose trending and alarming design, policy, and system lifecycle management deficiencies. These flaws pose significant business and societal risk as technology adoption accelerates. Hackers have penetrated enterprise networks through unsecure IoT networks to gather sensitive financial data, disrupt critical infrastructure, and install ransomware. During the COVID-19 pandemic, unprotected medical devices have been exploited to gather sensitive personal data on healthcare networks and potentially endanger human life. Despite significant risk, many businesses have adopted IoT to pivot to new markets, improve services, and lower costs. As more businesses adopt IoT, cyber vulnerabilities will exponentially grow. Without enhanced security intervention, this unrestrained growth may become uncontrollable. Recent surveys and independent security audits have uncovered underlying trends across many sectors that increase IoT cyber risk.
Christopher Magnan manages a Project Management Office for General Dynamics Information Technology (GDIT). During his tenure at GDIT, he has led a team that has implemented cyber-security technology and best practices, integrated telecommunications, and implemented Bring Your Own Device (BYOD) to a diverse global enterprise. Prior to GDIT, he managed the design and deployment of Smart City technology across Naval District Washington. He received his MBA and Master’s in Electrical Engineering from the University of Maryland – College Park.
Internet of Things (IoT) Cybersecurity
I’m Christopher Magnan. I’m program manager at GDIT and work for different government agencies. The focus of this talk is the Internet of Things (IoT) Cybersecurity, and this is a hot area being that IoT is transforming how business is conducted. Furthermore, the explosion of sensors that help automate many daily processes throughout the home and throughout work. Municipal agencies are implementing IoT for such applications as smart cities as well as other data mining capabilities.
Here is the agenda for today. I’ll just give a brief introduction on IoT. Growth Trends and Projections, why are we interested in cybersecurity, the current state of cyber posture, Prominent IoT breaches, some are pretty humorous from my perspective. Some hardening strategies that include technology and lifecycle management as well as implementing best practices and the key takeaways that I hope you will take away from this presentation.
As I mentioned before, Internet of Things is a very hot area. It’s a network of sensors designed to collect and process data to automate operations. Event detection, many organizations are using data mining for their business practices and also to pivot to new capabilities. For example, hotels are adding apps to control your room’s temperature as well as app reminders in other devices in the hotel room.
As I mentioned before, smart cities are an exciting and growing application of IoT, also self-driving cars. I’ve already heard a lot of activity with Google and Apple on implementing on their capabilities in industrial automation, helping firms optimize their processes to make manufacturing cheaper, faster and better.
The backbone of IoT is being driven by cloud-computing, your AWS, your Azure and your Google cloud making the computation, the IT infrastructure overhead is driving the costs down. With 5G you’re expanding your network backbone across the nation which allows you to increase the data capacity of the communication channel. You’re able to use adaptive antennae arrays to significantly pinpoint in the beam storage (4:12) for high data rate applications and other tactical advances. Processing power is getting cheaper and memory is getting cheaper, and these are all catalyzing the IoT adoption.
As I mentioned before, the business case from an executive point of view is that it lowers costs. Your automation and your data mining. It enables new service capabilities. It allows firms to pivot to new services and it helps drive a wedge between leaders in different business sectors. However, what I’d like to stress is that the cybersecurity, the hardening and the protection has not kept pace with adoption of the technology.
I will send these slides out. If you have any questions you can reach out to me or speak to me after this presentation.
Growth Trends and Projections
Why are we interested? There is to be approximately 4.5 trillion SAR in accepted commerce in 2022 with a 13.6% Compound Annual Growth Rate (CAGR) between 2017 and 2022. This was taken from a report based on past data and right now we’re approaching 2021 and I haven’t seen an update on this forecast. Ericsson expects 3.5 billion cellular IoT connections in 2023. KPMG, a management consulting firm, expects IoT will drive the greatest business transformation over the next three years. Another key point I’d like to acknowledge is that 90%, a very high percentage, of business executives expect IoT to become critical to a portion of their business capabilities and operations.
As I mentioned before the pace of cybersecurity has not kept pace with the IoT adoption. I’d like to point everyone to the vulnerability gap which is the number of unsecured devices to secured devices. Just using the 30% YoY (year over year) growth that was mentioned in many articles, the vulnerability gap widens as more firms adopt the technology.
Now some common deficiencies are as follows. Passwords are not updated from the default setting and those are exploited by hackers. Firmware and patches are not periodically updated, especially when the sensors are outside the secure perimeter. For example, you have cameras that are external to a data center such as your local law enforcement, and those are outside the secure perimeter which makes them more vulnerable. And it makes it much harder to update any patches or firmware. That gets into the next point. Wireless nodes are often placed outside the physical security boundary.
Surveys of these same executives show that the organizations don’t know how to manage the IoT devices. They deploy them and don’t periodically assess their cyber readiness or their vulnerability. As I mentioned before, best practices are not properly implemented, monitored and managed. This is through the system security lifecycle. I’ll get more into this later in this slide.
A majority of IoT devices deployed are not cyber ready. Many firms, they manufacture sensors; however, there is not really a demand to implement cyber readiness. Many devices are passive without any password protection or any patches, or the firms don’t update any security vulnerabilities. It’s not in their best interest and there are some strategies readily available that can help partition these devices from the core network and help reduce cyber vulnerability. Anyone that has taken a CISSP (Certified Information Systems Security Professional) course or has passed the certification knows that there are three segments to cybersecurity: the technology, the policy and the training or the people.
Many organizations do not properly train their staff. You have heard many times of the phishing schemes implemented by hackers where they’ll send a fake email which downloads any worms or viruses to the local machine and staff. Right now, we’re facing a deficit of cyber security staff because people don’t pursue the training and many people are not entering college, vocational schools, or any technical training to improve their cyber readiness and the technology. As I mentioned before, it’s not properly maintained, the technology is not lifecycle refreshed out and sensors are deployed but never managed. That is the state of cyber readiness for many organizations that deploy IoT.
Prominent IoT Security Breaches
Here are some prominent IoT security breaches. Mirai – Malware that penetrated IoT through default or common username and password which caused a distributed denial of service. One breach that is very ironic is the Casino data leak. Hackers accessed customer records through a Wi-Fi enabled temperature sensor in an aquarium. Whoever designed that system didn’t properly address any cybersecurity best practices, and from what it looks like, the core IT group did not even know about it. The Jeep Cherokee hack where hackers can access vehicles to remotely control them. As someone mentioned, “IoT is a bridge into the enterprise network and hackers constantly exploit its vulnerabilities.”
You can add any recent security breaches in the chat window. As Eric mentioned before, I’ll address any questions at the end of this presentation. And one thing that I didn’t add to the slide is that with Covid and the medical system, remote monitoring of patients also increases the number of opportunities for hackers to exploit vulnerabilities.
For those who are unaware of what cybersecurity is, cybersecurity is the defense against criminal or unauthorized use of data or networks. It’s just keeping people who could compromise your technology, your operations or sell any critical business information to unwanted sources. Cybersecurity integrates technology, policies and training. There is a common theme called the CIA triad, and that is how a cybersecurity solution is measured. It is Confidentiality, Integrity and Availability. Confidentiality, how secure is the data. Integrity, is the data corrupted by the process or if it has been altered. Availability, how readily you can access the data if you don’t have to address multiple passwords or key cards, etc. As IoT technology evolves so do the threats. Through new technology, methodologies, practices and detecting new vulnerabilities. As mentioned before, the IoT is seen as a bridge into the enterprise network because it’s not properly managed, and that’s how many hackers access the enterprise through these sensors.
Cyber Hardening Strategies
I already alluded to the system lifecycle management. Zero Trust is an application of identity and access management which implements a least privilege policy. Certificate Authorities uses a proxy to vouch for the authenticity of the device or the user. Post-connect access such as your patching, your firmware and your management of the hardware. Security event monitoring, training your employees how to detect any breaches and how to respond to them. For example, if you have someone trying to access your network. What are the next steps? Do you shut down that network segment? Do you notify the authorities? That’s just part of the entire security event monitoring. Finally, there is continuous training. People are also seen as vulnerabilities; the email is the common thread to access the enterprise network by downloading malware.
System Lifecycle Management
It is just a lifecycle that we use in many industries to plan the system use and maintenance from cradle to grave. That also includes system design, system maintenance and system demolition. Unfortunately, many corporations implement Internet of Things through third-parties where security is ignored, or the corporations don’t understand the importance of cybersecurity and they’re not willing to pay for it. And expand the design team. I have implemented this many times in my practice. When we expand the design team to cybersecurity we develop the response plan, cyber training plan and we integrate best practices as well as evaluate technology or its cyber readiness. We also implement basic security protection.
Increase cyber hygiene accountability. You identify who is responsible for what in the event of a breach and identify who is responsible for what during routine maintenance. Your patch cycles, firmware upgrades, etc. Incorporate a crisis response team. Asset management through the lifecycle. To monitor your success or your failures, develop a cyber scorecard in response to event management and any anomalies that occur as well as your training and address any gaps in the lifecycle management. Just for frame of reference. The common framework includes Information Technology Infrastructure Library (ITIL). That lifecycle goes from service strategy all the way through service improvement and that is one of the benefits of having a card. You can see what you’ve done well, what you’ve done wrong and how you can improve.
System Lifecycle Management Framework
This is the lifecycle that many corporations use to plan the use, design and disposal of systems. Throughout this lifecycle, I have added where the cyber team can get involved. If you review the slide, I have the cyber team getting involved in the first stage. Usually in analysis the cyber team is not involved because that’s just the overall strategy from a business level, executive perspective.
With planning and design you incorporate all the cyber tools to harden your system. Your ACAS (Assured Compliance Assessment Solution), your HBSS (Host Based Security System), your certificate authority and your 802.1x. Just to keep all the cyber professionals in the loop. As you progress through the system of design, development and testing, you include your cyber team for readiness. Many government organizations have authorization and accountability teams to ensure that the system is hardy enough cyber-wise.
Continuous monitoring and training are the maintenance and operations. As I mentioned before, event management. The who does what, who to contact, etc. The cyber scorecard, as previously mentioned, is a tool to help improve the posture.
Here is an example of a cyber security scorecard. As you can tell there are some key metrics identified and this leads to a cyber vulnerability analysis and is broken down into different parameters. Parameters such as your patch management, your email security. This is a generic card, it is not related to an actual firm so no firm will have any vulnerabilities exposed by this slide. You can also add corrective actions to this slide as well and what your success criteria is when you implement this correction. [22:12]