Greetings, and welcome. This week, the US federal government trots out a new cybersecurity strategy – and eliminates a cybersecurity coordinator. Meanwhile, a survey reveals how little IT leaders know about unauthorized IoT devices on their networks. As always, your thoughts, reactions, and suggestions welcome – just send a quick email to firstname.lastname@example.org. And for more on the IoT and IIoT, check out “DortchOnIT’s Industrial Internet of Things (IIoT) Weekly.” Thanks.
US Department of Homeland Security Debuts New Cybersecurity Strategy, While White House Eliminates Cybersecurity Coordinator
What Happened: The US Department of Homeland Security (DHS) released a new cybersecurity strategy, which offers little substance where the IoT and IIoT are concerned. Meanwhile, the White House eliminated a high-profile cybersecurity role.
- The 33-page document and appendix describe five “pillars” supporting the strategy: “Risk Identification;” “Vulnerability Reduction;” “Threat Reduction;” “Consequence Mitigation;” and “Enable Cybersecurity Outcomes.” Seven goals make up the five pillars. Goals include “Protect Federal Government Information Systems,” “Protect Critical Infrastructure,” and “Strengthen the Security and Reliability of the Cyber Ecosystem.”
- For IoT and IIoT stakeholders, how these pillars and goals play out in real life may provide less protection than they appear to promise on paper. The document mentions “internet-of-things” only three times, almost exclusively in the context of consumer devices. It mentions “industrial control systems” only once.
- It does mention “critical infrastructure” 42 times. However, as Reuters reported, “In March, Nielsen said the department [DHS] was prioritizing election cyber security above all other critical infrastructure it protects, such as the financial, energy and communications systems.”
- Ironically, the DHS strategy was released the same week the White House eliminated the position of cybersecurity coordinator. As CBS News reported, the position “was left open when Rob Joyce, President Trump’s first coordinator, announced last month he was leaving the White House to return to the National Security Agency.”
- President Obama created the role in 2009. Its elimination is part of a larger effort to “improve efficiency, reduce bureaucracy and increase accountability,” according to a National Security Council spokesperson.
What It Means: Taken together, this strategy document and “streamlining” the national cybersecurity leadership team are troubling at best. They seem to indicate that DHS – and perhaps White House – priorities may need closer alignment with current realities. This is especially true regarding IIoT systems. These increasingly control multiple elements of “critical infrastructure,” from manufacturing to delivery of electricity, food, fuel, and water.
What You Should Do: Watch this space. Closely. Pay particular attention to how the U.S. government acts to defend and protect critical IT, IoT, and IIoT infrastructure elements. Actions and investments in these areas will have real and significant effects on citizens and businesses within and beyond U.S. borders. Work with your fellow IoT and IIoT stakeholders to demand and get accurate, timely information about actual and planned protections, defenses, and remediation alternatives. And use these to guide complementary efforts in your own community, business, and other value chains.
How Many Shadow IoT Devices are Connected to Your Network? Survey Says: You Have No Idea
What Happened: A recent survey indicates the connection of “shadow IoT” devices to business networks is more pervasive – and threatening to those networks – than many IT decision makers know or suspect.
- As DarkReading reported, Infoblox, a network security and network intelligence solution provider, commissioned the survey. Some 1,000 IT directors in Germany, the UAE, the UK, and the US were asked about “the security implications of shadow devices on organizational networks.”
- “Thirty-five percent of the respondents from [the US, the UK, and Germany] reported more than 5,000 non-business devices connected to their enterprise network every single day. One-third of the respondents from [those three countries] reported more than 1,000 shadow-IoT devices connected to their network on a typical day.”
- Many survey respondents themselves contributed to these results. “Thirty-nine percent of the respondents from the US and UK said they used personal devices while connected to the enterprise network to access social media; 24% reported using the devices to download apps, while 13% did so to access games.” Popular devices include fitness trackers, digital assistants, smart TVs and speakers, and “smart kitchen devices.” Most of these have weak or no passwords or other effective security features.
- The people and teams trying to protect their networks from IoT and IIoT device threats are already pretty busy securing authorized connected devices. “Over 75% of the organizations in the Infoblox survey, for instance, reported having more than 1,000 company-supplied devices, including laptops and tablets on the network.”
- IoT devices connected to organizational networks are as easy for malefactors to find as they are to hack. “In March 2018, a search that Infoblox conducted showed there were nearly 6,000 identifiable webcams openly accessible via the Web in the UK, some 2,350 smart TVs in Germany, and 1,571 Google Home devices in the US.”
- Survey results indicate user education is little or no better than IoT device protections. “Eighty-eight percent of IT leaders in the US and UK believed they had an effective policy in place for mitigating security risks from connected devices. But a full 24% of employees represented in the survey said they did not even know such policies existed, while a bare 20% of the people who professed knowledge of these policies actually abided by them.”
What It Means: The IoT and the IIoT are poised to expose business networks to even more high-profile, easily avoidable vulnerabilities and threats than current and previous ones have. IoT and IIoT devices are proliferating rapidly, and IoT and IIoT devices and systems connect to networks running businesses, manufacturing facilities, and entire utilities.
What You Should Do: Cybersecurity begins at home. Whether your network supports a business, an industrial facility, or both, you must ensure your device discovery, patch management, and user education efforts are continuous and effective. This is especially true if your organization is an active IoT or IIoT participant, intentionally or without your IT or cybersecurity team’s knowledge. (See “Microsoft’s IoT R&D Commitment: The $5-Billion Tip of a Multi-Billion-Dollar Iceberg.”)
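One concrete form the “continuous device discovery” advice can take is to compare what the DHCP server actually hands leases to against the inventory of company-supplied devices. The script below is an added example, not code from the newsletter, Infoblox, or DarkReading. It assumes the ISC dhcpd syslog line format for DHCPACK messages; the authorized-MAC inventory, the OUI vendor hints, the hostname fragments, and every log line are constructed sample data, and the MAC prefixes are hypothetical rather than looked up in the IEEE registry.

```python
"""Flag shadow (non-inventoried) devices from DHCP lease logs.

Added example with constructed data. Assumes ISC dhcpd syslog lines such as:
  May 14 08:02:12 dhcp1 dhcpd[2231]: DHCPACK on 10.20.30.41 to 00:1a:2b:3c:4d:01 (LAPTOP-0173) via eth0
"""
import re
from dataclasses import dataclass

# Constructed inventory of company-supplied devices (MAC -> asset tag).
# Hypothetical values; in practice this comes from the asset database or NAC.
AUTHORIZED_MACS = {
    "00:1a:2b:3c:4d:01": "LAPTOP-0173",
    "00:1a:2b:3c:4d:02": "TABLET-0412",
    "00:1a:2b:3c:4d:03": "PRINTER-0007",
}

# Constructed OUI (first three octets) hints for consumer device classes.
# Hypothetical prefixes: replace with the IEEE OUI registry for real use.
OUI_HINTS = {
    "a4:77:33": "smart-tv",
    "f0:ef:86": "voice-assistant",
}

# Hostname fragments that consumer devices commonly self-report (constructed list).
HOSTNAME_HINTS = ("watch", "tv", "echo", "fitbit", "iphone", "galaxy")

# ISC dhcpd DHCPACK line; the parenthesised client hostname is optional.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str
    iface: str


def parse_lease(line: str):
    """Return a Lease for a DHCPACK line, or None for any other log line."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    return Lease(m["ip"], m["mac"].lower(), (m["host"] or "").lower(), m["iface"])


def classify(lease: Lease):
    """Return ("authorized", asset_tag) or ("shadow", reason)."""
    if lease.mac in AUTHORIZED_MACS:
        return "authorized", AUTHORIZED_MACS[lease.mac]
    oui = lease.mac[:8]
    if oui in OUI_HINTS:
        return "shadow", f"OUI matches {OUI_HINTS[oui]}"
    for frag in HOSTNAME_HINTS:
        if frag in lease.host:
            return "shadow", f"hostname {lease.host!r} looks like a personal device"
    return "shadow", "MAC not in inventory"


def find_shadow_devices(lines):
    """One record per unauthorized MAC seen in DHCPACK lines (renewals deduplicated)."""
    seen = {}
    for line in lines:
        lease = parse_lease(line)
        if lease is None:
            continue
        status, detail = classify(lease)
        if status == "shadow" and lease.mac not in seen:
            seen[lease.mac] = {"mac": lease.mac, "ip": lease.ip,
                               "host": lease.host, "reason": detail}
    return list(seen.values())


# Constructed sample log: one authorized laptop, three personal devices, one renewal.
SAMPLE_LOG = [
    "May 14 08:02:11 dhcp1 dhcpd[2231]: DHCPDISCOVER from 00:1a:2b:3c:4d:01 via eth0",
    "May 14 08:02:12 dhcp1 dhcpd[2231]: DHCPACK on 10.20.30.41 to 00:1a:2b:3c:4d:01 (LAPTOP-0173) via eth0",
    "May 14 08:05:40 dhcp1 dhcpd[2231]: DHCPACK on 10.20.30.77 to 7c:11:9e:aa:bb:01 (Galaxy-Watch4) via eth0",
    "May 14 08:09:03 dhcp1 dhcpd[2231]: DHCPACK on 10.20.30.90 to a4:77:33:00:11:22 via eth0",
    "May 14 08:15:27 dhcp1 dhcpd[2231]: DHCPACK on 10.20.30.91 to 3c:8d:20:de:ad:01 via eth0",
    "May 14 12:05:40 dhcp1 dhcpd[2231]: DHCPACK on 10.20.30.77 to 7c:11:9e:aa:bb:01 (Galaxy-Watch4) via eth0",
]

if __name__ == "__main__":
    for dev in find_shadow_devices(SAMPLE_LOG):
        print(f"{dev['mac']}  {dev['ip']:<15} {dev['host'] or '-':<16} {dev['reason']}")
```

Run against a day of dhcpd logs, the output is a deduplicated list of every MAC that obtained a lease without being in the inventory, which is exactly the number the surveyed IT leaders could not state. Keying on the MAC is deliberately conservative: randomized MACs on modern phones will show up as repeated “not in inventory” hits, which is itself a useful signal that personal devices are joining the network, and the fix is to move those clients onto a guest VLAN rather than to trust the hostname they report.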