IoT offers exciting possibilities, but recently, the focus has been on the problems associated with this technology. Security is the biggest issue, but other challenges include interoperability and connectivity. Marc Blackmer is a contributor to the recently published Industrial Internet Security (IIC) framework, a cybersecurity professional, and a veteran in the IoT space.
Cisco’s Marc Blackmer Talks About the Evolution of IoT
The idea behind the IIC framework was how to make it relevant by making it guidance that everybody can use, said Blackmer. Most people in the industry are also trying to figure out the same thing and we looked at the work other people were doing. While working on the framework, we didn’t want to create something that would be redundant, but something that could be useful, applicable, and complementary to some of the things already out there. The IIC framework is focused more on industrial networks, and a part of my background is on industrial systems.
The IoT is a very large topic and from our perspective, it has three different elements. You have your traditional IT, such as data centers, cloud and other terms you would associate with that. Operations Technology (OT) represents the industrial aspect, and is the term often used with industrial devices and industrial networks. We also have what we refer to as Consumer Technology (CT), which encompasses things like the wearables and connected home devices. IoT is still in its early stages right now, and it’s hard to standardize something that’s evolving almost daily.
Industrial IoT Security vs. Consumer IoT Security
When you look at what’s at stake, you start to get the total picture. A connected fridge sending spam emails is annoying, but the stakes are much higher when it comes to industrial systems. These systems are running power grids, refineries, and other major systems. When so many people think of IoT, they think more of the consumer aspect of it.
The Internet of Connected Everything, But Why?
The question here is should we connect everything just because we can? Jurassic Park comes to mind—just because it’s possible doesn’t mean it’s necessary. Just because your airplane seat reclines backwards doesn’t mean you’re going to use the feature to its full extent. It’s an academic exercise and nobody really cares. Recently, I read about a Wi-Fi-enabled malware-infected clothes iron. Why anyone would connect a clothes iron is something that boggles the mind. There’s no reason to put a coffee pot on a network, but the fact is that it will happen. The unfortunate reality is that people are going to connect whatever they can, just because they can, and we have to react accordingly.
Security Patches for IoT Devices
It’s somewhat complicated. For instance, when you look at connected vehicles, the number of vendors supplying the equipment that goes into a connected car makes for many moving parts. The manufacturer of an IoT device could buy parts from a third-party manufacturer, and this goes into whatever they build. They might purchase or license open source code as part of their code, and it becomes a question of which part of the device went wrong. Who is responsible? Is it the manufacturer, the developer who wrote the code, or the quality assurance department?
Determining who’s actually responsible for providing security patches, determining what constitutes privacy and protecting privacy – these are all things that are still being hotly debated, and it’s easy to understand why. One proposal suggests that if something comes to the end of its life, such as old devices or equipment, they should be made open source at that point, so that they can be protected. Security patches have to be kept up to date, but do we make the users responsible when they don’t apply the patches? There are a lot of fingers in that pie, especially since you don’t have the equivalent of an IT department guy running after everyone, making sure everything is up to date.
Keeping up With the Bad Actors
We live in a new reality and the fact is that security is often an afterthought, or something that people see as an impediment to doing their jobs. I recently took my car for servicing and all of the printers they had in the service department had the IP address and name labeled on the front of the printers. That could help me break into their network, but they had no idea. When these kinds of things are so commonplace, then it’s easy to take advantage of the situation. I’m not saying that things are hopeless, or that we should just give up, but we should frame the conversation in a way that we have a frame of reference. If we are going to make any progress, we have to be mindful of the fact that this is the way the world is today. If we choose to ignore the reality, then we are really in trouble.
Questions to Ask Security Vendors
It is important to ask vendors about their partnerships, and to identify, not only what they do, but also what they don’t do. I’ve always been suspicious of vendors who claim to do everything, since nobody can do everything well. Security is such a big field that no vendor can claim that they can do everything well. Those areas of weaknesses are where you are likely to have security gaps, and if a vendor is not willing to tell you about their weak points, that should be a security flag.
Cisco Offers IoT Security
We look at it from the perspective of our services, products and partnerships. From the services viewpoint, what we often find is that a lot of customers don’t even know what’s on their network. They often think they do, but they really don’t. The first step would be to try and perform that discovery. We are also asked about their own processes and procedures – customers want to know what others are doing, and what their best practices are. Our consultants work with a wide variety of companies, so they have a good idea of that. You could have the best technology in the world, but if you don’t know how to use it, it won’t solve the problems it should. From the product side, and looking at mobility, the question is how to protect mobile devices. The main idea is profiling and segmentation on the network, and we also provide visibility into the cloud. Our partners help extend our capabilities. We have interfaces into our technology that allows us to integrate and share information with our partners.
Speaker:Marc Blackmer
Marc Blackmer, Product Marketing Manager, Industry Solutions, Security Business, Cisco. Marc Blackmer is responsible for understanding the cybersecurity needs of Cisco’s industrial and IoT customers and helping to develop the company’s go-to-market security strategy to meet those needs. Marc is a technologist, blogger, and cybersecurity professional. He has spent more than 15 years assisting some of the world’s top energy producers, financial institutions, and governments worldwide in defending their critical assets from cyber threats. His technical background in information technology engineering, ICS cybersecurity, and IT governance, risk, and compliance, brings a unique perspective to addressing the threats facing critical infrastructure today and the coming Internet of Things.
About Cisco
Cisco (NASDAQ: CSCO) enables people to make powerful connections–whether in business, education, philanthropy, or creativity. Cisco hardware, software, and service offerings are used to create the Internet solutions that make networks possible–providing easy access to information anywhere, at any time. Cisco was founded in 1984 by a small group of computer scientists from Stanford University. Since the company’s inception, Cisco engineers have been leaders in the development of Internet Protocol (IP)-based networking technologies. Today, with more than 71,000 employees worldwide, this tradition of innovation continues with industry-leading products and solutions in the company’s core development areas of routing and switching, as well as in advanced technologies such as home networking, IP telephony, optical networking, security, storage area networking, and wireless technology. In addition to its products, Cisco provides a broad range of service offerings, including technical support and advanced services. Cisco sells its products and services, both directly through its own sales force as well as through its channel partners, to large enterprises, commercial businesses, service providers, and consumers.