“because vehicle manufacturers are working with several different hardware and software companies, it has emerged that no one is technically responsible for the vehicles' central computer systems of many smart cars”

One of the biggest security challenges, however, might be IT/OT convergence -- the merging of information technology with operational technology. IT teams are no strangers to infosec, but their OT counterparts working among industrial control systems (ICSes) have generally never worked in internet-connected networks. Yet, as the benefits of IoT and industrial IoT (IIoT) become apparent, more ICSes and OT environments are becoming connected -- bringing multiple benefits but also creating multiple security threats. Compounding the risk is that IT teams don't know how to handle threats in such environments, leaving many IT and OT teams unsure exactly where the security responsibility lies.

Here, Institute of Electrical and Electronics Engineers Inc. (IEEE) member Kayne McGladrey outlines the challenges of ICS security and explains how OT environments can counter such threats while still reaping the benefits of IoT.

The Internet of Things is a dumpster fire and upcoming regulatory controls aren’t going to put it out. Putting a sticker on a box with a username and random password and providing an updated privacy policy that consumers ignore isn’t adequate, although it is compliant. Manufacturers need to invest in user behavior analysis, require multi factor authentication, and to force patching of IoT devices. Otherwise, threat actors will continue to violate the privacy of people’s homes and nation states will built botnets as part of battlespace preparations.

For smart cities, investing in cyber defense means being able to support a cyber workforce capable of supporting their IoT initiatives. “We’ve seen many failures with widespread deployment of IoT devices, whether due to insecure authentication methods, static passwords, or a lack of centralized and automated patch distribution. As city governments look to the future, they need to consider how they’ll attract a workforce capable of managing, securing, and monitoring millions of always-on devices,” said Kayne McGladrey, IEEE member and director of security and IT at Pensar Development. “This will be a hard sell for many cities, both due to the compensation requirements of the cybersecurity workforce and the perception that municipal jobs are rife with bureaucracy. Cities that succeed will have a vibrant and diverse workforce and realize the cost savings associated with the smart management of cities.”

As Kayne McGladrey, the Director of Information Security Services at Integral Partners, the cyber security, access and identity management specialist company headquartered in Boulder, Colorado, says, “IoT security remains one of the most challenging security vulnerabilities to businesses and consumers. The Mirai and Reaper botnets are results of threat actors leveraging poor security controls on IoT devices, building attack infrastructure out of those devices, and using that stolen infrastructure to attack organinations. Companies and organisations purchasing IoT/IIoT devices should treat them the same as any other endpoint device connecting to the corporate network.”

“Consumers should use the ‘guest’ network of their home Wi-Fi routers as a dedicated network for IoT devices, so if one of those devices were compromised, the threat actor can’t easily pivot to more valuable data.” That’s the case for newer devices, he says. “For older, cheap, IP-based security cameras and digital video recorders (DVRs), the easiest way to secure them is to recycle them responsibly as there often are no security updates available.” The ability to update devices over their lifetime is essential to security, and should factor into buying decisions, he says.

As the clock ticks towards a massive and preventable cyberattack on IIoT devices, manufacturers and companies deploying them must address three challenges.

"Patching is a reactive strategy, and there are a couple of challenges that have led us to the current situation. One of those challenges is that the market has rewarded companies that develop and produce products rapidly, and the market has shown a willingness to accept post-release patching as an acceptable trade-off. As a result, developers and architects are rewarded by their employers for producing code and architecture very quickly with less thought given to cybersecurity.

"The other significant challenge is that the cybersecurity community is generally homogenous. We have a diversity problem when just 11% of women work in cybersecurity. This lack of diversity in backgrounds and life experiences has influenced the analytic methodologies that are used to evaluate potential security issues with products. This lack of diversity of thought has led to the unfortunate set of expectations that breaches are inevitable, and this situation will continue until the cybersecurity industry does a better job of including diverse voices and opinions in the global conversation about security."

The team at Smartphone Evolution had a long-form interview with me to discuss mobile device security, multi-factor authentication, and the IoT.

Kayne McGladrey (@kaynemcgladrey), director of information security services at Integral Partners, notes that, for several years, we’ve been hearing predictions about millions of Internet of Things (IoT) devices with poor security joining networks and providing an easy attack vector for third parties.

“Printers are a culturally trusted technology because they’re perceived as not being new,” he says. “However, this doesn’t mean that modern organizations should not consider printers separately from a comprehensive strategy for the IoT.”