Tag Archives: IIoT

Critical infrastructure at risk as attacks expose OT shortcomings

by Bharat Mistry

Critical national infrastructure (CNI) covers a wide variety of industries. But what most have in common is that they run industrial control systems (ICS) and other operational technology (OT). Increasingly, these are being enhanced by new investments in Internet of Things (IoT) systems, in a bid to improve efficiency. The problem is, as these legacy technologies are brought online and integrated with IT systems, they become exposed to new cyber risks, with potentially major repercussions.

A new global study reveals that 90% of CNI providers have suffered damage to their environment as a result of cyber-attacks over the past 24 months. To support business growth and minimise risk, CNI firms need to improve visibility and control in these OT environments. Continue reading

New European IoT Security Standard is a Great Start

By Ian Heritage

At Trend Micro we spend a great deal of time working on ways to secure the Internet of Things (IoT) more effectively. But one of the challenges facing us is that smart products are being produced on an ever-increasing scale with little care paid to security or privacy. In short, market forces have failed to improve standards as time-to-market and usability continues to trump security. That’s why it’s great to see the publication of a new globally applicable European standard this week designed to improve baseline security in the industry.

Now comes the hard part: getting manufacturers around the world to adopt it, and consumers to start seeking out compliant products.

A landmark proposal
The new standard comes from the European Telecommunications Standards Institute (ETSI), after a UK proposal based on its own code of conduct published in October 2018. The UK has also shown leadership in this space after a British Standards Institution (BSI) kitemark was announced back in May 2018.

ETSI TS 103 645 has been described as a “landmark specification for consumers and industry alike”. It features a whole host of requirements which will please security advocates no end. These include:

• No universal default passwords
• Software update mechanisms
• Vulnerability reporting mechanisms
• Secure storage of credentials and sensitive data
• Secure communications
• Minimised attack surfaces
• Easy installation and maintenance

In particular, removing the option for default passwords will help mitigate the threat of Mirai-like attacks which search for these exposed credentials on the internet before conscripting devices into botnets. Vulnerability and software update systems are also an important requirement as these are often lacking in IoT manufacturers — especially those that don’t hail from an IT-centric background.

Why it’s important
These may be consumer devices, but they still matter to corporate security, for several reasons:
1) In some cases, organisations may buy in consumer-grade devices like smart TVs for the boardroom, or smart kettles, fridges and toasters for staff kitchens. Yet these can unwittingly open the digital back door for hackers to sneak into the corporate network.
2) Unsecured smart home devices like routers, security cameras, and DVRs can be attacked and conscripted into botnets to launch DDoS and data stealing attacks on organisations, commit click fraud, mine crypto-currency and more. Trend Micro’s 2019 predictions report warned of a new “IoT worm war” using these techniques.
3) Smart home devices can also represent a serious threat to organisations via their home workers. Vulnerable smart speakers and other gadgets could be hacked to provide attackers with a stepping stone into corporate networks.

What next?
The standard offers a clear framework for manufacturers to improve the security of their products and in so doing appeal to increasingly security-minded consumers. But to be successful, it will need to get a critical mass of IoT producers on board, and to publicise itself effectively to customers.
Securing consumer-grade IoT kit is also only one of the broader security challenges facing the industry. Organisations are also exposed via the convergence of IT and OT systems in industries like manufacturing and construction. Legacy operating systems, problems with patching, insecure protocols, limited authentication and other issues present serious cyber risks to these firms.

That’s why Trend Micro is collaborating with telcos, IoT device makers, technology multi-nationals and other stakeholders to secure the connected world. Our offerings stretch from the datacentre (Deep Security) to the network (Tipping Point appliances and Deep Discovery) to carrier environments (Virtual Network Function Suite), and IIoT systems (Safe Lock). That’s why we welcome the new ETSI standard, but also caution that this is just the beginning in a long journey to improve IoT security.

 

By Design and by Default: Why Firms Must Include Security Teams in IoT Projects

by Bharat Mistry

As organisations build out their Internet of Things (IoT) infrastructure, cyber-risk must be properly managed. Unfortunately, the latest research from Trend Micro has found that security teams are still not being consulted in the majority of global enterprise projects. It’s a major mistake and one which could come back to bite firms if their IoT systems are not secured “by design and default” as required by the GDPR.

If there’s one thing attendees took away from the ever-popular Trend Micro CLOUDSEC conference this week, it’s that online threats are only going to continue escalating. Continue reading

IoT Security Still an Afterthought for Many IT Leaders — This Must Change

by Simon Edwards

IoT security is new frontline in the battle against enterprise cyber-threats. As more smart endpoints are connected to corporate networks, the potential for mass data theft, service outages, sabotage and more will only increase. Yet new Trend Micro research reveals that only half (53%) of IT and security decision makers regard IoT as a security risk. This is a major miscalculation that could cost their organisations dear in the long run.

You need to start planning now for ways to mitigate the new risks presented by IoT technologies. Our annual CLOUDSEC show in September will also provide some much-needed best practice advice in this area. Continue reading