
IoT and IIoT Security: Some Tech Truths are Evergreen

Jul 16, 2021
Author: Diana Kelley
CSO2 (Chief Strategy Officer/Chief Security Officer) and co-founder of Cybrize, Executive Mentor, Research Analyst, Security Keynote Speaker

Last year, I was asked to start a book club to help our team at Microsoft constructively process and cope with the confusion and fear many of us felt during the early weeks of the pandemic. Of course, since we were a cybersecurity-focused team, I put cybersecurity-focused books on the reading list. A colleague of mine picked Cliff Stoll’s classic, The Cuckoo’s Egg and, when it was my turn, I went with Simon Singh’s The Code Book. What’s wonderful about both of these books is how they illustrate core and underlying principles of cybersecurity that impact threat models today.

Stoll’s book tells the story of a real-world attack by a German threat actor who infiltrated a computer at the Lawrence Berkeley National Laboratory (LBNL) by exploiting a vulnerability at MITRE. Stoll was alerted to the attack due to a discrepancy in the billing system. If you haven’t read Stoll’s book, you may be surprised that the attack occurred in 1986. You read that right: it happened 35 years ago.

Singh’s book, also non-fiction, is a historical review of cryptography and the underlying principles of cryptanalysis. Singh explains how modern-day code-breaking rests on the same established practices and techniques that have been used for centuries, even when those techniques have been updated to meet current technology, as is the case with quantum computing and quantum-resistant cryptography.

While doing that book club, I noticed a couple of people left the discussions early on. Wanting to make the book club enjoyable for all, I followed up and asked why. The answer: “those old books have nothing to do with today’s modern cloud enterprise.”

While it’s true that technology is moving rapidly in many ways, it’s also true that today’s cloud-based networks have been built on technology from the past. Access control and identity-based authorization is the touchstone of Zero-Trust Architecture (ZTA); it’s also the foundation of the Resource Access Control Facility or RACF, introduced by IBM back in 1976. And an attacker from another country getting through to US government systems sounds pretty current, if you pay attention to recent headlines.

If we don’t learn the lessons of the past, we’re doomed to repeat the same mistakes. This holds true for newer technologies like IoT and IIoT (industrial Internet of things).

Every day, users interact with consumer IoT, like connected cars, televisions, and lights. On the industrial IoT side, IIoT includes building automation systems, shop floor automation devices, and smart energy grid sensors, which may be components of operational technology (OT) environments. While a thorough risk analysis requires understanding context and drilling down into the different environments and use cases, it’s also helpful to build a baseline understanding of common risks that apply to all devices in the IoT/IIoT ecosystem.

A robust foundation of persistent risks and threats provides defenders with a strong platform on top of which they can build customized threat models. This is why, a few years ago when I was working at IBM, I collaborated with other IoT experts to enumerate Five Indisputable Facts of IOT Security. By addressing these evergreen facts first, experts tasked with building or deploying secure IoT and IIoT can get a leg up on the design process.

The five indisputable facts are:

  1. Devices will operate in hostile environments
  2. Software security will degrade over time
  3. Shared secrets do not remain secret
  4. Weak configurations will persist
  5. As data accumulates, exposure issues will increase

To hear more about the five facts and to learn how to mitigate these risks to build secure, resilient I/IIOT, please check out my upcoming August 10th webinar: 5 Indisputable Facts of I/IOT Security.

