Ransomware, Crypto & Blame – A Slow Tango
Ethereum and Dogecoin might have been trending after Elon Musk’s appearance on a recent late-night comedy show, but ransomware attackers already had their eyes trained on huge paydays from attacks on critical U.S. infrastructure. This week opened with fears of soaring gas prices after an east coast gas pipeline was hit by a ransomware attack [1]. While it’s too early to tell what went wrong here, if the past has taught us anything, in the days to come many will be tempted to focus their attention on everything security operations did wrong. Too many organizations are stuck in a never-ending tango of ransomware attacks, followed by crypto payouts, followed by blaming their security and risk leadership for the breach.
You Got the Wrong Guy
If your incident post-mortem is filled with what security operations, the CISO and the CIO did wrong, then double down on crypto, because the bad actors will be back. Security and risk leaders make the perfect patsies, but the real responsibility for IIoT and OT disruption may lie with the OEM device manufacturers themselves. While digital device manufacturers can’t account for your aging infrastructure, bad cyber hygiene, end-of-life equipment, or your engineers’ reluctance to work with cybersecurity, OEM device manufacturers and software providers own a huge piece of this puzzle. And they are getting a free pass.
The known causes of product security failures for industrial and critical infrastructure environments should come as no surprise (See Chart 1 below).
And sadly, burdening your security operations teams with securing these environments will only get you so far, because many of the known causes can be resolved with best-practice product security measures, at a far lower cost.
So What About Product Security?
While it may be too early to dissect the recent U.S. pipeline incident, we can learn from past events. A recent chat with Netanel Davidi, Co-founder and CEO of Vdoo (an end-to-end product security platform provider), highlighted the importance of product and device security. Davidi stated that it is necessary to “scan everything from zero-day threats to third-party risks” when it comes to product security. Furthermore, it is imperative that product leaders “gain visibility into the security of code development practices and component risk across their supply chain.” Companies like Vdoo, and even larger providers like Microsoft with Azure Sphere, offer services and products that secure IIoT and OT devices and monitor them continuously. End-to-end protection, with a continuous improvement mindset, is required to offset the growing risk landscape. With so many solutions emerging in IoT and OT product security, one might ask what OEM providers are doing to get it right and harden their systems, equipment, devices, and supply chains.
Why Do So Many OEM Providers Get OT and IoT Device Security Wrong?
As many OEM providers pivot to becoming digital product providers, they have failed to do one thing: productize security. This failure is often driven by OEMs that still act like brick-and-mortar companies rather than digital providers. Organizationally, this means they make the following mistakes:
- The wrong people are doing product security. When CISOs and CIOs act as product security officers or product managers, the core competencies needed to be effective, such as product roadmap, planning and lifecycle management, are not properly cultivated. Also, too many security product decisions are left to engineering or product development, so proactive, thoughtful productization of security features gets watered down to secure-by-design elements that attackers have already figured out.
- Failing to see convergence. As ransomware on OT and IIoT environments increases, the security convergence of IT, operational technology and physical security must be addressed.
- Supplier risk is going unchecked against new digital offerings. Traditionally, supplier risk has focused only on the data and IT infrastructure security of the supply chain and has missed a crucial element, product security, which must be factored in for a holistic view. More importantly, supply chain leaders are using old vendor risk policies with OEMs that have drastically changed their products and services to become digital.
- Financial incentives are a two-way street. The bad actors are financially incentivized to attack OT and IIoT environments, while OEM providers have not been financially incentivized to protect them.
- A static approach to security. As bad actors find new ways to attack these environments, too many OEMs take a static approach to security. They are too slow to embrace and prioritize emerging security solutions.
Recommendations for Security and Risk Leaders
- Determine the OEM provider’s approach to secure product management from ideation to end of life.
- Evaluate physical security and cybersecurity mitigation steps taken by your provider.
- Close the supply chain gap by adopting an integrated digital security approach to the supply chain, one that looks holistically across IT and data, product, and operations-related technology.
- Sharpen your terms and agreements with providers by adding clauses that spell out their financial obligations in the event of a breach.
- Proactively discuss emerging technology trends with the OEM provider and determine security mitigation measures at the device and authentication level prior to adoption.