One of the highlights of #teissLondon2018 was a presentation by Paul Heffernan, Group CISO for Unipart Group, in which he discussed the security risks that the IoT poses.
During the presentation, Heffernan explained that while many businesses are embracing IoT for the opportunity to get work done faster and cheaper and to gain a competitive advantage, there is increasing concern that it could introduce unknown risks to a business. Cyber security is already a very complex area for businesses, so introducing IoT to the mix adds another dimension to the risk.
The presentation further illustrated what has happened in the world of cyber security in the past year (WannaCry, Petya, NotPetya) and what it means for businesses going forward. The presentation also sought to find out how the status quo changes when IoT is added to the mix, and what types of attacks can be expected in the future.
Using tools available on the internet, Heffernan found mechanisms and entire systems that were open to exploitation due to a lack of proper security. These included wind turbines, manufacturing systems and food production plants. Through his presentation, Heffernan illustrated that more needs to be done about IoT security and that businesses need to be thinking about when they want to start putting security at the heart of IoT, as it will help them generate trust in their own products.
The way that businesses can make sure that the right amount of importance is being placed on cyber security is by focusing on a few things:
1) People understand the importance of having basics in place, and yet there is a tendency within the cyber security industry to sell complex solutions. Cutting-edge technology is great for protecting businesses, but the focus has to be readjusted so that organisations concentrate on getting business basics in place.
2) Think about standards and the use of standardisation. If we look at other industries, like health and safety, that industry already knows what needs to be done to stop people from having accidents, but it isn't the same in cyber security. Industry-wide standards like ISO-27001 can be applied to improve the basics that are in place.
3) Think about how we use standards and basics in things like machine learning, 3D printing and AI to create trust. It is trust that can then lead a business to have a competitive advantage, especially because today's customers are very savvy. In our everyday lives, we bank with companies, or buy from them, not just because they are the cheapest but also based on how well they treat their customers and how good they are at protecting our data.
IoT affords the cyber security industry a great opportunity to be pioneers with regard to innovation, trust and security. It is time for security to become part of infrastructure in a way that it is built from the bottom up and is at the heart of what we do.
Heffernan was one of the first ethical hackers in the UK, and his presentation is perfect for those who wish to:
1) See real-world examples of what IoT security should be like and how it can be built;
2) Get pragmatic tips that can help them and their organisations in their bid to avoid breaches.