
teissTalk: Securing your industrial IoT

On 9 November, teissTalk host Tom Langford was joined by Grant Geyer, Chief Product Officer, Claroty.

 

Views on news
Findings showed IoT device traffic increased by 18% since 2022 as consumer and industry users increasingly deploy connected devices. As a result, IoT malware attacks have grown 400% since 2022. Businesses in Mexico and the United States were found to be the most targeted, making up 69.3% of IoT cyberattacks affecting both consumer and enterprise IoT systems. 

 

Cyber-security by design
There is now ransomware targeted at OT equipment, as well as malware that pretends to be an engineer’s workstation and connects to controllers with hard-coded authentication credentials, but the majority of cybercriminals look for easy ways of breaching systems.

 

OEMs should probably up their game to make their products more secure by removing hard-coded credentials and default passwords. However, the prevailing trend in the medium term must be security by design. Recently, a paper published by CISA came out in the US calling for building cybersecurity into the design and manufacture of technology products, which was signed by a number of other countries as well.

 

NIST is also in the process of designing a “cybersecurity hygiene” rating system. In the future, OEMs can also be held liable for vulnerabilities in their products that criminals can take advantage of. When it’s not just run-of-the-mill software but cyber-physical equipment, vulnerabilities can pose national cybersecurity risks. The most common protocol, BACnet, is also one of the most insecure. Despite warnings that insulin pumps and pacemakers are susceptible to hacking from about 50 feet away, no major security upgrade has been made in the industry for the past decade. The lack of regulation can be explained by a free market ethos, which holds that non-compliant companies are penalised through reputational damage.

 

Also, software developers use so many other vendors, as well as open-source products, that they only realise how complex their supply chain is when a breach like Log4j happens. According to the “PATCH Act”, the US Food and Drug Administration now requires a medical device manufacturer to share a product’s software bill of materials before launching it, which, being machine readable, can be easily imported into cybersecurity systems.

 

OT systems have very long depreciation periods, and manufacturers therefore aim to lock down these systems, as changes can compromise safety. The key here could be compensating controls, as well as moving them from the internet to safe internal networks where anomalies are easier for SOC teams to detect.


The panel’s advice
One of the biggest mistakes in defense is the failure to imagine new risks. 

 

Governments have so far failed to assess the cascading implications of a cyberattack on a critical IoT system. 

 

Anomaly detection and segmentation are key to building secure systems. 

 

It may take 10-15 years to create a safe environment for IoT devices. Until then, they need to operate securely in an unsafe setting. 

 

Out of the 250,000 vulnerabilities only a few thousand get exploited. To save resources, take all the vulnerabilities in your network and filter them by the known exploits (KEV catalog) and EPSS (Exploit Predictability Security Score
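
The KEV-and-EPSS filtering advised above, sketched in Python as an added example (not from teiss or the panel). The CVE IDs, asset names and scores are constructed placeholders, the sample layouts mirror the field names of CISA's KEV JSON feed and FIRST's EPSS CSV, and the 0.1 EPSS threshold is an assumption to tune per environment.

```python
import csv
import io
import json

# Constructed sample data: CVE IDs are placeholders, not real catalogue entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "knownRansomwareCampaignUse": "Unknown"},
]})
EPSS_CSV = """#model_version:placeholder,score_date:placeholder
cve,epss,percentile
CVE-0000-0001,0.91,0.99
CVE-0000-0002,0.42,0.97
CVE-0000-0003,0.002,0.35
"""
# Scanner findings as (asset, CVE). CVE-0000-0005 has no EPSS row at all.
FINDINGS = [
    ("plc-01", "CVE-0000-0001"), ("hmi-02", "CVE-0000-0002"),
    ("hmi-02", "CVE-0000-0003"), ("bms-03", "CVE-0000-0004"),
    ("bms-03", "CVE-0000-0005"),
]

def load_kev(text):
    """Set of CVE IDs listed in a KEV-style JSON document."""
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}

def load_epss(text):
    """Map CVE ID -> EPSS probability, skipping the '#' metadata line."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}

def prioritise(findings, kev, epss, threshold=0.1):
    """Return (tier, asset, cve, score), most urgent first.
    Tier 0: in KEV. Tier 1: EPSS >= threshold (assumed cut-off).
    Tier 2: no EPSS score, so review by hand rather than drop silently.
    Findings scored below the threshold are left for the backlog."""
    out = []
    for asset, cve in findings:
        score = epss.get(cve)
        if cve in kev:
            tier = 0
        elif score is None:
            tier = 2
        elif score >= threshold:
            tier = 1
        else:
            continue
        out.append((tier, asset, cve, score))
    return sorted(out, key=lambda t: (t[0], -(t[3] or 0.0)))

if __name__ == "__main__":
    for row in prioritise(FINDINGS, load_kev(KEV_JSON), load_epss(EPSS_CSV)):
        print(row)
```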


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543