Upgrading your cyber resilience strategy
The digital era has brought us so much; streamlined shopping, more convenient payment means, and AI that can switch on your favorite Netflix series at your command. The downside of these innovations is the risk of cybercrime. Attackers are looking to steal our personal data, disable critical infrastructure, or simply render websites they dislike inoperative. Many businesses struggle with trying to balance protecting against cyber threats and creating a great customer experience. In a digital world, where your brand value is so critical, how can you ensure your customers a secure yet engaging experience?
To meet your customers’ expectations, security cannot, and should not, only be reflected in the solutions that you offer. Security should be (or should become, where it is not already) an integral part of your organization, deeply embedded into the development processes of your solutions, as well as their maintenance. Such a transformation requires investment and time; it will not happen overnight. Take your time to do things right.
A strategy to upgrade your cyber resilience
Whether you are an experienced player in the field of security or a new player trying to figure out what the right thing to do is, consider the following focus areas:
Prioritize cyber hygiene
Looking at some of the largest cyber-attacks in history (Dyn, WannaCry, and NotPetya), these breaches were enabled by known vulnerabilities and/or common software weaknesses. The 2016 Dyn attack, which disrupted several high-profile websites using the Mirai botnet, was based on common (thus considered weak) username/password combinations of IoT devices. WannaCry utilized a Windows exploit which was only made public one month before the attack, and NotPetya reused the same exploit just one month after WannaCry.
In short, these attacks show the importance of making sure that your solutions are free from known vulnerabilities, known malware, and common software weaknesses at all times. Simply put, these vulnerabilities/weaknesses are known to the public, meaning there is public information on how to take advantage of them. Also, known vulnerabilities are often found in software products or open-source components which are widely used throughout the world (hence the wide geographical spread of WannaCry and NotPetya). There is a very reasonable chance that your solutions may just contain such components as well. Therefore it is crucial that you closely monitor their susceptibility to attacks and act accordingly if needed (e.g. by making sure your open-source software is always upgraded to its latest version). This is not a one-time effort, you should have a vulnerability management process in place to keep your solutions up to date.
Of course, patching and updating software is easy to express as a best practice, but often more difficult to enact due to technological, resource, or financial pressures. However, this is exactly why a vulnerability management program is so important. Your software will become vulnerable at some point, if they are not already. If you are not planning for this event, you are effectively ignoring the risks posed. Not all risks need to be mitigated, but you certainly cannot assess and accept risks that you do not fully understand, or that are outside the purview of your business.
In conclusion, start with avoiding the ‘common mistakes’ to reduce the likelihood of ending up in the next ‘worldwide cyber-attack headline’. Understand what risks are posed by new vulnerabilities, and have a plan in place to determine the requirements, and impacts, of mitigation strategies. Prevention is always better than cure when it comes to a large scale cyber incident.
Embed security at the core
The previous point mainly addresses ‘non-targeted’ cyber-attacks. But what if someone is specifically aiming to compromise your solution(s)? To make this as hard for the attackers as you can, security should be embedded in your solution from the drawing board, not smeared onto the solution just prior to release. Although more and more organizations are subjecting their solutions to security testing once developed, it could be very costly to wait until the very end of the development cycle to address security needs, since often the way to remediation lies in adjusting the solution’s design.
Security should be a key and recurring area of focus at every stage of the development cycle, starting with formulating the solution’s (security) requirements and creating its design. If you are looking for inspiration of how security fits into the design of your IoT solution, please check out UL’s IoT Security Top 20 Design Principles. Some main principles you might want to embed into your systems:
- Provide a manual override for safetycritical operations, to reduce the risk of physical harm to the end user, or to make sure that certain product functions are not lost (such as having a physical key as back-up to a smart door lock).
- Ensure parameters such as private cryptographic keys, passwords, etc. are unique per device to avoid the largescale compromise of your solutions through a single breach.
- Allow for software updates, and ensure that these updates are cryptographically authenticated prior to installation and execution. Implement ‘antirollback’ features to prevent the installation of previous, vulnerable firmware versions.
- Use industry standard security protocols, with ‘best practice’ defaults for any remote or wireless connections and authentication of connections to management services.
Of course, a 100% secure solution does not exist, and there is always the trade-off between how much you want to invest and what risk you are willing to accept. This will determine the robustness of the security controls implemented in your solution and the difficulty of breaching your product.
Integrate security throughout your supply chain
Many solution vendors leverage third-party components as part of their solutions. Any such component will by default change the risk posture of your system, since as a customer of that software component you often have no – or very limited – control over the component’s maintenance. Security is only as strong as its weakest link (which could be a procured component), but since it is your brand that is customer-facing, the end users will only direct their security concerns to that brand. Your brand.
Therefore, it is important to integrate security into your supply chain, to better manage and safeguard your solution’s security, as well as to ensure you have considered and fully covered any legalities around the potential for risk in components over which you have no control.
Slowly, organizations are starting to include security demands in their procurement requirements, such as healthcare providers for procuring (wearable) medical devices, telecom providers for IoT services that leverage mobile networks, and even retailers promoting smart home products in their marketplace. All of this in an effort to incorporate security as an aspect of quality in the services they deliver. To protect their customers. To protect their brands.
Solution vendors participating in such ‘trust frameworks’ should consider ensuring mechanisms for transferring such risk to their supply chain partners, when needed. Solution vendors can for example negotiate service level agreements for remediating vulnerabilities by their partners in case their components are found vulnerable, require security evaluations to be performed regularly on the procured components, request insight into the evaluation reports, and create shared incident response plans to which all involved parties must commit.
As outlined above, a recommended strategy for increasing the level of cyber resilience of your solutions is to first cleanse your solutions of any ‘common mistakes’, then embed security into your solutions from the design onwards, and lastly, address security into your supply chain to enhance the chain’s trust and the end product’s cyber resilience. Of course, if you’re starting anew, this process starts with embedding security into your design from the outset, but realistically there are many solutions already out there (and many more about to be released) where this just has not yet occurred.
None of the above will be simple, but try not to make things more complex than they need to be. Think of the saying: “A smart man learns from his mistakes. A wise man learns from the mistakes of others”. As UL, we see the mistakes made by many, and are active in the remediation of these during our assessments and our participation in industry and governmental forums. So, don’t just be smart, be wise – learn from UL’s cross-industry expertise in digital security to help you improve faster and more efficiently.
If you feel that your solution is adequately secured and you are looking for a way to showcase this to your customers and differentiate from your competitors, contact us about UL’s Cybersecurity Assurance Program (CAP). Based on the ANSI/UL 2900-1 standard for Software Cybersecurity for Network-Connectable Products, CAP attests to the effective implementation of a wide range of security controls, the absence of exploitable known weaknesses and vulnerabilities, and the presence of attentive product risk management.
Written by Laurens van Oijen.