We sat down with Bud Broomhead, CEO of Viakoo, to discuss the importance of IoT/OT security in 2023 and the elements of a strong security strategy for enterprises. Since Viakoo was founded in 2013, the company has produced industry-leading innovations in IoT security while growing the customer base to include numerous F1000 companies.
Why is IoT/OT security particularly important going into 2023?
DDoS attacks, ransomware, data exfiltration, deepfakes, and other threats are rooted in IoT/OT systems. IoT/OT devices are the largest and fastest growing attack surface formed out of existing vulnerabilities. Often, IoT and OT devices exist outside the traditional framework defended by cybersecurity teams, falling, for example, under the purview of non-IT organizations like physical security and manufacturing. Further, many IoT devices were not designed with security in mind, making them difficult to secure, update, and monitor remotely, resulting in severely out-of-date software or default passwords running on a huge volume of devices, expanding the attack surface even more. As cyberattackers have grown more sophisticated, leveraging highly specific attack vectors based on the most neglected parts of the network, IoT and OT systems have become a favorite access point for malicious actors. Defending against this must be a priority moving into 2023, as we know it will be a priority access point for attackers.
Why should enterprises invest in IoT/OT security compared to other business priorities?
IoT and OT security must be considered an essential part of a holistic cybersecurity program and receive the corresponding level of investment. Many organizations rely on IoT/OT devices for achieving revenue and profit goals, making their security an existential threat to achieving business priorities. With more breaches and exploits being performed through IoT/OT systems, all the other reasons to invest in cybersecurity (brand damage, data loss, etc.) are part of deciding to invest. And unlike traditional IT systems, IoT/OT systems often have a physical presence that can be exploited to cause physical damage and terror (e.g. causing a factory to explode). Cybersecurity generally must be defined as a priority for senior leadership, and IoT/OT security should be identified as a key part of the attendant strategy. The specific level of investment will depend on each organization’s exposure determined by the scale of their IoT network.
How should organizations balance their IoT/OT security objectives with more traditional cybersecurity?
IoT and OT security must be defined clearly as an essential part of the overall cybersecurity strategy by senior leadership. Every effective cybersecurity strategy will include rigorous analysis of the company’s IoT/OT threat posture at a minimum, and those organizations with greater IoT attack surfaces must invest at a corresponding rate. It’s not an issue of creating new security strategies; IoT/OT security is often a process of extending IT security strategies (such as identity management, zero trust, patch management) to a new class of devices.
How can companies measure their IoT/OT security posture?
Measuring the effectiveness of a security program comes from having established some fundamentals: knowing all the IoT/OT assets, being able to apply threat assessment on them, and having processes to update and manage their security. Measuring just on how many breaches or exploits would not provide a picture of the overall security posture. With these fundamentals an organization can then establish metrics on their security posture, such as what percent of devices have unpatched exploitable vulnerabilities. The concept of the “security journey” is another way to assess security posture; for example, if an organization is not using an asset discovery solution it is early in its security journey. Mapping out and planning stages in that journey can provide an organization with a high-level assessment of their security posture.
What are the key elements to a good IoT/OT security strategy?
Four key elements are identification, prioritization, communication, and automation. Patching IoT vulnerabilities is already an uphill battle for security teams, which often don’t have the visibility or resources to contend efficiently with an ever-growing IoT attack surface. There are a variety of good scanners that can give these teams visibility into these threats; however, the scale of vulnerabilities requires the team then to prioritize. Teams must determine which threats represent the most risk to their specific business, rather than technical severity divorced from business context, a dynamic vulnerability severity scores aren’t always able to capture. Communications are also critical – the worst time for the team managing IoT/OT devices to open lines of communication with the IT security team is after a breach occurs.
Forming internal security committees that bring together the lines of business managing devices, the IT security team, CISO organization, and potentially others is an important part of becoming resilient to an attack. The most important part of an effective IoT/OT security strategy in 2023 is automation. The scale of the attack surface is massive and always growing, and every business with IoT/OT exposure must leverage automation to contend with that scale, no matter if their organization is a small shop managing a dozen devices or a large enterprise managing tens of thousands. Once threats are identified, business-focused prioritization policies and powerful automation tools supporting the security team enable any organization to defend against the large and growing IoT/OT attack surface.