Cybersecurity expert Joshua Belk makes a case for strong security protocols, proactive threat assessment, and organizational change.
As entire industries go digital, hackers have already shown that they can undermine critical systems. Just this year, security headlines included a cyberattack that caused a blackout in the Ukraine, the theft of Democratic National Committee emails, and the digital theft of $81 million from a Federal Reserve account held by the government of Bangladesh.
We asked cybersecurity expert Joshua Belk, who led security efforts at the FBI as well as Pacific Gas & Electric, about IoT security best practices.
1. Why has IoT security become such a large concern?
Imagine the idea of globalization 20 years ago — some far-reaching concept that we could be connected financially to China or Switzerland or Argentina. … IoT security is in much the same position today as the term “globalization” was 20 years ago, but it won’t take as long for the world to see and feel the impacts. Security dependencies are growing at an exponential rate due to the rate of convergence among what used to be separate platforms and technologies, but are now more like clusters of technology. Cloud-driven resources are one of the best ways for people to relate to the risks that we all face, but few truly see the IoT security challenges that are already here. We are all connected, and therefore we all share security risk.
I believe that IoT security will evolve into something we don’t yet have a term for. Security professionals are at a disadvantage today because our society lacks the foresight of security innovation needed to address this problem.
2. What do you see as the most pressing IoT security concerns for industrial assets?
There are two main areas of concern which need to be addressed. The first is a common standard of security measures that would allow for a basic level of security integration into all types of technology. Certainly, such an idea would be unenforceable, but often industries have willingly accepted higher standards to protect their products and for the good of the consumer. The second concern is the area of privileged access. Someone has to have access, but how is it managed from one technology to another, and how do we establish the right controls to keep these accesses from being exploited? Protecting future technologies will require a new security paradigm.
3. In terms of organizational practices, what should enterprises be doing to enhance security?
Enterprises can focus their security teams on proactive measures such as network and host scanning for vulnerabilities, continuous threat analysis, and coordinated countermeasure deployment. Additionally, there has to be a security message to the workforce about cybersecurity trends and appropriate behaviors. All the security measures in the world mean zero without the support of the average user. Security culture is an IoT discussion and leaders need to ensure that their organization hears the message. Partnering with governments, businesses, universities, schools, and experts globally to share best practices is becoming a necessity for survival in the IoT and will best prepare us for cyberattacks.
4. What does a well-equipped IoT security division look like, and how does it behave?
Depending upon the size of the organization, there can be a group of five professionals or several teams of professionals. In the most optimal of settings I have seen, a Security Intelligence Operations Center might have a monitoring team dedicated to daily activities, triaging tickets and elevating security events; a response team that investigates incidents; a research team to provide intelligence about trending security risks; penetration testers; and a leadership team to enable the organization to make changes in a rapid manner. Above all, the quality of the staff is most important. Just filling chairs won’t do any good, but having professionals with a variety of backgrounds will create the dynamic to establish good security protocols. “Well equipped” also means having good sound use cases, which I cannot stress enough — too often my friends in other organizations have been pushed by budget, time or talent constraints and resorted to the default setting on their tools.
5. Often hackers design new means and methods to compromise security systems. How do enterprises stay ahead of the threats?
One word: innovation! Being smart about your organization’s IT footprint will help you determine what risk areas your security teams should focus on. Make it difficult for hackers by covering the basics and maintaining good security practices (patching and updating systems). Perhaps the most important action: Work with vendors and customers alike to find and fix security vulnerabilities within your IoT domains. Security is a dialogue that needs feedback across the product chain. When we branch out and understand the technology dependencies that we have between hardware and software, then we can begin the conversation.
- Joshua Belk led the cyber security operations center for Pacific Gas and Electric, where he secured the power grid and critical infrastructure. He has over two decades of security experience internationally, including serving as chief security officer at the FBI. Belk will be speaking on “Security Risks Associated With Smart Meters and Smart Grids” at the IoT Security Summit this week in Boston.