Choosing Your IIoT Security Battles: A UL Leader’s Insights
The 20th century saw the creation of rigorous consumer product safety and occupational safety guidelines designed to protect people from the risks of everything from electric shock to fire and physical hazards. “More and more, this century, you are seeing the concept of safety expanded to include cybersecurity,” said Ken Modeste, director of connected technologies at UL LLC, an organization founded in 1894. “We still look at traditional hazards based on safety engineering principles, but increasingly we are seeing that connectivity is driving a new concept of safety.”
One central challenge is the relative immaturity of the IIoT security field. There is a fundamental lack of qualified IoT-focused cybersecurity professionals as well as a yearning for a sort of magical cybersecurity silver bullet — whether that be a piece of technology or the services from a security consulting firm. Modeste says UL’s approach to IIoT security is unique in that it is rooted in the organization’s analytical approach in tackling a given risk from a variety of angles. There is a role for testing, standards (consider the set of UL 2900 cybersecurity standards as a case in point) and thoughtful strategy and risk mitigation. “We felt that cybersecurity, just like safety in the previous century, was a problem to be tackled in pieces and parts,” Modeste added. “There is a need to look at cybersecurity as a long-term issue, trying first to build a foundation and identify the low-hanging fruit and holes you could address and then build from there.”
In the following Q&A, Modeste shares advice on building such an IIoT security foundation, while providing perspective on how organizations can prioritize spending on Internet of Things projects.
What kind of guidance do you have in helping industrial companies identify which IoT security priorities?
Modeste: With respect to cybersecurity, when you look at any organization, there are three intersecting circles:
- One is the opportunity an organization has for somebody to want to take something whether it is their intellectual property or shutting down their business.
- The next circle is bad actors and threats.
- The final circle is the vulnerabilities: Products with weak cybersecurity, weak processes, lack of training and so forth.
You want to focus on where all three of these circles intersect. That is how you can get an ROI on your cybersecurity spending. Some organizations tend to focus on everything — all three circles.
Can you provide an example of how UL works with clients to help identify cybersecurity priorities?
Modeste: Yes. I was recently working with a company to have them define their cybersecurity objective in a paragraph or less, then breaking down their strengths and weaknesses and finally prioritizing those to determine where to spend money.
If you don’t have the right people and talent and are getting swamped with everything within this problem space, it’s easy to lose focus. You may [think you need to offer] training, you need to buy the best perimeter tools, the best detection tools and do the best consulting with a pen testing organization. But if you don’t have solid cybersecurity objectives aligned with your organization's needs, then you are going to spend your dollars willy-nilly.
[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]
As with anything else, you have to build up a plan based on factual data that you revisit on a regular basis.
That’s why we created the UL 2900 series of standards: to help establish a cybersecurity risk assessment framework.
Speaking of IIoT security risk, how do you see that interacting with industrial organizations’ quality initiatives?
Modeste: If I had to keep the answer to 20 words or less, I would say: “We help companies manage their risk so they can do what companies do best, which is to innovate.”
Quality is the history of what we help organizations with.
We have become partners with clients, helping them imbue quality and safety in their products.
Most organizations over the 1980s and ‘90s and in the new century have been implementing quality systems with metrics and maturity models to try to measure themselves and improve.
Our goal is, in five or 10 years, to see more industry adopt security as part of their overall quality mechanisms.
How do you see the current cybersecurity risk climate affecting executives’ view of cybersecurity?
Modeste: If you were running an organization at the C-suite level, 20 or 30 years ago, you had a concern bubbling up around cyber-espionage. Now, with the global landscape, you see attacks where there is a perception that the cyberattacks such as those that shut down Ukraine’s power grid are preparation for global attacks that could happen down the line. There is a suspicion that future cyberattacks could cause a problem in their business operations.
Which industries do you see moving the fastest to take steps to improve cybersecurity?
Modeste: Medical is one. Medtech companies now recognize that cyber scenarios can affect the safety of a medical device — especially now that FDA had released its first cyber alerts.
Another industry that is starting to open their eyes is lighting. More and more, those lights are being shipped with IoT functionality, and a growing number of organizations are starting to have connected lights scattered throughout their buildings — more so than IP or telecom infrastructure or access control, locks or readers. If you walk into a hotel lobby, you could have 100 or 200 lights there. You also have connected lights for street lighting, parking lighting, on buildings and high rises.
How mature do you see the IoT cybersecurity market?
Modeste: I like to say safety is the adult in the room and cybersecurity is the baby. We have to nurture that baby.
There is a talent pool challenge with something like 2 million positions open worldwide that are unfilled. In the United States, it is something like 1.2 million.
There is often an assumption that you can buy a piece of cybersecurity technology, and everything will be fine. Or hire a consulting company and everything will be fine.
One of the reasons we wrote our standards is organizations were coming to us and saying: “There are hundreds of standards out there and hundreds of technical guides, and every day, a new vendor knocking at my door selling my a solution, whether it has value or not? How do I filter out the noise?”
This problem is why we created our foundational standards focusing on the supply chain.
When it comes to IoT cybersecurity, you often end up with a limited amount of resources and a breadth of knowledge. That is a hard nut to crack.
In the medical space, for example, there are something like 200 new devices that come into the market every year. Imagine the challenge that poses for a hospital with six to ten security people. There is no way they can reasonably study 200 devices to assess their security on top of supporting how the clinical environment interfaces with the IT environment.
Organizations are spending the dollars but are having to pick and choose the battles they fight.
The problem is picking and choosing; there are so many options and a lot of noise in the marketplace. Our hope is that UL can help offer to help quiet down that noise.