It’s Week 3 of National Cyber Security Awareness Month (NCSAM), which takes a look into the future through the lens of the connected internet and identifies strategies for security, safety and privacy while leveraging the latest technology. Our world is becoming increasingly connected, and smart cities, health devices, cars and homes are our new reality. With billions of connected devices – and disparate security methods from multiple vendors – the Internet of Things (IoT) has created complex security demands. It’s critical for everyone to consider our shared responsibility to protect our cyber ecosystem: from manufacturers to consumers to developers and even venture capitalists, success in the future of the IoT calls for everyone to play a role.
I recently sat down with Anthony Grieco, trust strategy officer at Cisco and member of the NCSA Board of Directors, to discuss the way forward for the IoT, including the need for industry-wide standards for securing it and how getting it right will promote global business growth and innovation. Anthony leads the Trust Strategy Office and is responsible for ensuring Cisco and its customers embed security, trust, data protection and privacy into future strategies, products and business models; his organization is also responsible for Cisco’s security and trust efforts related to the IoT.
MICHAEL KAISER: How important will the IoT be for consumers and businesses over the next decade?
ANTHONY GRIECO: The IoT has created – and will continue to create – a wealth of new opportunities for both businesses and consumers. The ability to use data, collected from a variety of locations and sources, to drive decision making is a key asset of the IoT and one that will have financial and societal benefits. From pulling information from sensors on an oil rig in the middle of the ocean to extremely time-sensitive data created by a heart monitor in a hospital, it’s the ability to respond quickly and strategically, supported by data-driven decisions in the moment.
MK: What are your cybersecurity concerns about the way the IoT ecosystem is developing today?
AG: It’s more than securing individual ‘things’ within the IoT – it’s about building cyber resilience for the whole system. The challenge is that organizations deploying connected things or extensive IoT projects are faced with multiple component vendors using disparate security methods. These inconsistent approaches are creating risks about which organizations are unaware and ultimately giving cybercriminals more opportunities to compromise networks and systems and steal valuable data.
MK: You mentioned having a plan for IoT cyber resilience. What do you mean by this concept, and what kind of plan should we have?
AG: The concept of cyber resilience is about managing risk – identifying potential risks, evaluating the likelihood of them occurring and their negative impact and deciding the appropriate actions to take, including being prepared to recover if necessary.
Simply put, a cyber resilience plan requires a roadmap of how security is built into every aspect of business – not only of the technical investments that will advance business performance, but also of the tools, policies and processes that will protect, monitor and recover your investments. These capabilities will not entirely eliminate cyber risk, but they create awareness of the risks and will build a formidable defensive posture to significantly reduce the impact of threats.
MK: What roles do product and software developers play in system and IoT security?
AG: Developers specifically should be trained to design with security and privacy in mind. Everything from building software that is securely updateable to ensuring data integrity is protected – ultimately the individual components of systems play a significant role in their overall security. But we need to think bigger than just the people who are creating IoT products and solutions. Everyone has a role to play. Customers must demand more of their technology vendors. Manufacturers should establish and adhere to baseline security requirements. Even venture capitalists should play a role by asking hard questions about security, privacy and data protection before funding start-up projects. As an industry, we need to form a common vocabulary that will enable buyers to compare products side by side from a security point of view. Like comparing nutritional labels for food, without common terms, making security comparisons is extremely difficult.
MK: What emerging standards do you see – or what areas are there in which standards still need to be developed – to create a more holistic approach to IoT device security?
AG: Collectively, we need to set the bar for a core set of requirements that address critical security, data protection and privacy needs in IoT devices, such as a mandatory secure development lifecycle (SDL) to ensure these features are built in from the beginning of design and development, rather than an afterthought. An SDL should be considered irrespective of IoT; it is the start of a good security posture.
Additionally, we see and are leading the creation and adoption of critical standards that will enable IoT devices to be used securely and at scale, lowering operational expense and increasing the security of the overall system.
MK: While everyone sees this incredible potential for growth when it comes to the IoT, this growth can only happen if devices are safe, secure and trusted. How do we enable the growth of IoT devices based on a trusted platform?
AG: We must understand that increasing security on the devices is only a portion of the solution. Those increases are necessary to bring security capabilities to the things and enable the network to provide much richer defense, monitoring and protection of those things at scale.
Even when we dramatically upgrade the security capabilities of future devices moving forward, that does not help the billions of devices currently on the market protect themselves against attack or being used as a vector of attack. To help compensate for the lack of device security, we can leverage the network as a sensor and a tool to identify malicious traffic and enforce access policy.
Network visibility – or telemetry – helps us understand the day-to-day behavior of the network. It’s crucial to have an understanding of the baseline traffic on your network to help pinpoint when traffic is out of the ordinary. And, when things are out of the ordinary, the network can enforce security policies to allow the right users and devices to get the right access and contain the impact of a potential attack.
MK: It sounds like we have a lot to do to secure the IoT. If you could name three top things we should be doing right now, what would they be?
AG: View security as a growth enabler of the IoT and more than risk mitigation; it will help scale the IoT from both the consumer and business perspectives. Businesses will have the agility to go where they need to, quickly, if they think about and build in security from the beginning.
This challenge is everyone’s challenge. This is not just an IT security conversation anymore. Multiple stakeholders are making decisions about IoT projects, which means everyone needs to be thinking about security.
Lastly, businesses need to leverage their network infrastructures as key points of visibility and control to enable rapid IoT deployment. Accordingly, they need to keep their network infrastructures up to date. Until the industry sets a bar for a core set of requirements that address critical security, data protection and privacy needs in IoT devices, the network must pick up the slack.
Check out Cisco’s security blog for more insights from Anthony and other members of the Cisco team on promoting a safer, more secure internet. And follow the #CyberAware hashtag on social media for the latest insights, tips and resources to use this NCSAM and to join the conversation. For tips on how you can be safer online and protect your personal information, visit staysafeonline.org – and follow us on Facebook and Twitter for year-round cybersecurity advice and news.