In the Fireside Chat: Addressing IoT Security Risks with Nexteer Automotive webinar, I discussed best practices for organizations building IoT security programs with Ron Temske, VP Security at Logicalis, and Jeff Horne, CISO at Ordr.
The winds of change are blowing through the world of work today. Macro trends such as Industry 4.0 require that companies enact and accelerate their digital transformation. Technologies such as artificial intelligence, blockchain, cloud computing, autonomous vehicles, robotic process automation, edge computing, and the Internet of Things (IoT) are helping foster innovation and competitive advantage.
As companies embrace digital manufacturing to increase efficiency and optimize operating costs, there is an explosion of IoT devices on the plant floor. Further, more and more of our home devices are becoming internet connected. The exponential proliferation of IoT devices and immature security practices make them targets for attack.
Addressing IoT Security Risks
IoT devices play critical roles across many business functions in the enterprise, which makes building an IoT security program crucial. Here are my tips for tackling IoT security, the “Magnificent 7 IoT Security Guiding Principles”:
- Characterize: Identify and classify assets and stratify them by business value and risk
- Demarcate: Implement network zones with a clear demarcation between IT and OT networks
- Understand: Visualize and identify threats and vulnerabilities across networks inclusive of devices, traffic, etc.
- Unify: Control access by users and devices across both secure wireless and wired access
- Adapt: Leverage Zero Trust to enact adaptive control schemes in real time
- Converge: Develop explicit third-party access and risk management protocols, including Privileged Remote Access; these are particularly relevant to OT networks and strengthen the security architecture
- Beware: The following root causes have led to IoT device security issues in the past:
  - Static credentials embedded in the device
  - Lack of encryption
  - No software updates
  - API security gaps
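The Characterize, Demarcate and Beware principles above can be turned into a repeatable check over a device inventory. The following is an added example, not code from Nexteer or Ordr: it scores a small constructed inventory against the four root causes listed above, stratifies devices by business value and risk, and proposes an IT/OT zone. The attribute names, weights, tier thresholds and zone names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Device:
    """One inventory record. Field names are hypothetical, not a vendor schema."""
    name: str
    kind: str
    business_value: int        # 1 (low) .. 5 (critical to production)
    network: str               # "IT" or "OT"
    static_credentials: bool   # vendor default or hard-coded login still in place
    encrypted_transport: bool  # management and data channels use TLS or equivalent
    firmware_updatable: bool   # vendor still ships patches and the device can apply them
    unauthenticated_api: bool  # exposes an API that requires no authentication


# Assumed weights for the four root causes named in the "Beware" principle.
ROOT_CAUSE_WEIGHTS = {
    "static_credentials": 3,
    "no_encryption": 2,
    "no_updates": 2,
    "api_gap": 3,
}


def root_causes(d: Device) -> List[str]:
    """Return which of the four known root causes apply to this device."""
    found = []
    if d.static_credentials:
        found.append("static_credentials")
    if not d.encrypted_transport:
        found.append("no_encryption")
    if not d.firmware_updatable:
        found.append("no_updates")
    if d.unauthenticated_api:
        found.append("api_gap")
    return found


def risk_score(d: Device) -> int:
    """Exposure (sum of weights) scaled by business value, so a critical PLC with
    one weakness outranks a low-value sensor with the same weakness."""
    exposure = sum(ROOT_CAUSE_WEIGHTS[c] for c in root_causes(d))
    return exposure * d.business_value


def tier(d: Device) -> str:
    """Map a score onto an assumed four-level risk tier."""
    s = risk_score(d)
    if s >= 20:
        return "critical"
    if s >= 8:
        return "high"
    if s > 0:
        return "moderate"
    return "low"


def stratify(devices: List[Device]) -> Dict[str, List[str]]:
    """Characterize: group device names by tier, highest score first within a tier."""
    out: Dict[str, List[str]] = {"critical": [], "high": [], "moderate": [], "low": []}
    for d in sorted(devices, key=risk_score, reverse=True):
        out[tier(d)].append(d.name)
    return out


def zone_assignment(d: Device) -> str:
    """Demarcate: OT never shares a zone with IT. OT devices that can no longer be
    patched go to an isolated zone reachable only via explicit allow-lists; IT devices
    with any root cause are held in quarantine until remediated."""
    if d.network == "OT":
        return "ot-isolated" if "no_updates" in root_causes(d) else "ot-production"
    return "it-quarantine" if root_causes(d) else "it-corporate"


# Constructed sample inventory; these are hypothetical devices, not a real plant.
SAMPLE_INVENTORY = [
    Device("plc-line3", "PLC", 5, "OT", True, False, False, False),
    Device("hmi-line3", "HMI", 4, "OT", False, True, True, False),
    Device("badge-reader-lobby", "access control", 3, "IT", True, True, True, True),
    Device("temp-sensor-7", "sensor", 1, "OT", False, False, False, False),
    Device("printer-hr", "printer", 2, "IT", False, True, True, False),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(f"{dev.name:20} score={risk_score(dev):3} tier={tier(dev):9} "
              f"zone={zone_assignment(dev):14} causes={root_causes(dev)}")
    print(stratify(SAMPLE_INVENTORY))
```

Scaling exposure by business value is the point of the Characterize step: the same weakness on a production PLC and on a lobby sensor should not land in the same tier. The zone rule encodes the Demarcate principle as a default that can be reviewed before any firewall or NAC policy is written.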
How Ordr Can Help
Besides sharing tips on creating an IoT security plan, I also shared the reasons why Nexteer chose Ordr over other IoT security solutions.
One of the key principles of our InfoSec & Privacy program, NEXTINTRUST, is to leverage the trifecta of IDENTITY, INTEGRATION & INSIGHTS across a layered security architecture to enact adaptive, proactive control strategies.
Consequently, key dimensions needed to enact this strategy across the OT & IoT arena are:
- Device Visibility
- Policy Definition
- Behavior & Risk Analysis
- Enforcement of Policies & Standards
Ordr mapped well to Nexteer’s key security dimensions and to the NIST Cybersecurity Framework functions of Identify, Detect & Protect. It can help us transform our security operations across the plant floor and the IoT device arena.
Ordr offers a real-time dashboard and key insights such as automatic device inventory, device communication, and device risk analysis. Ordr’s ease of deployment, FIPS certification, and all-inclusive licensing model were also differentiators.
Ready to try Ordr for yourself? Try the Hands-On Lab to see how Ordr will discover and classify all connected devices, profile device behavior, and automate segmentation policies.
Arun DeSouza is currently Chief Information Security & Privacy Officer at Nexteer Automotive Corporation. He has extensive global IT and security leadership and organizational transformation experience including as CISO and CIO. Arun’s areas of expertise include strategic planning, risk management, identity management, cloud computing and privacy. His current interests include the Internet of Things (IoT), Blockchain, Zero Trust, Software Defined Perimeter & Self-Sovereign Identity. Arun earned Master’s and PhD degrees from Vanderbilt University. He is a Certified Information Systems Security professional (CISSP) and has earned the Certificate of Cloud Security Knowledge (CCSK) certification. He was honored by the 1st Global Cyber Observatory by induction into the CISO Hall of Fame in September 2019. He has won multiple other industry honors including CISO of the Week, CSO50 Award, Computerworld Premier 100 IT Leaders Award, CIO Ones to Watch Award and the Network World Enterprise All Star Award. He is a member of the Society for Information Management and the International Association of Privacy Professionals.