Security-by-Design Principles Are Vital in Crisis Mode
“If you fail to plan, you are planning to fail.” —Modern proverb
With so much focus on the short-term COVID-19 disruptions, there has been less discussion about its long-term ramifications for technology adoption.
One likely scenario is that the pandemic drives a long-term increase in automation and remote management of assets ranging from industrial machines to heating, ventilation and air-conditioning (HVAC) systems to supply chains. In health care, a long-term uptick in virtual care and telehealth is likely. While many organizations with budget pressures have suspended operations, the pandemic will pave the way for better-positioned organizations to automate processes.
In early March, companies began to rethink business processes and other operations after the World Health Organization classified COVID-19 as a pandemic. Most obviously, there has been a “huge uptick in reported users of Slack and Microsoft Teams for collaboration,” said Chris Kocher, managing director of Grey Heron, a management consulting firm. Teleconferencing vendors have also seen rapid gains. “Teladoc for telehealth has also seen huge growth,” Kocher added.
Remote access to industrial control systems (ICS) has also increased recently, following a drop-off during the past few years, according to Shodan data. In the U.S. alone, there are now nearly 50,000 ICS devices connected to the internet. The use of Remote Desktop Protocol (RDP), which allows Windows users to manage workstations or servers remotely, has also ticked up, after the protocol began to fall out of favor in late 2019 as a result of security vulnerabilities.
Many industrial organizations already have “basic-level remote monitoring in place,” said Yasser Khan, CEO of One Tech. Such relatively simple capabilities sufficed when workers could still inspect machines in person. But because many facilities have been pared down to skeleton crews, their priorities have shifted. Plant managers are increasingly looking to “determine how they can gain further insight into the health of their machines, remotely,” Khan said.
Many organizations are also rethinking disaster recovery planning, according to Nitin Kumar, chief executive officer at Appnomic. “Often what happens when a natural disaster or a computer virus hits an organization and its systems go down, you switch to a sort of manual mode,” Kumar said. “Business continues, but at a slower rate.” But COVID-19 is not a normal disaster. “Now, your manual and demand capacity have gotten hit and your system capacity is choked or inaccessible. So you need more systems or automation — not more personnel.” Organizations that can afford to expand automation are likely to do so as they rethink their disaster recovery planning and business continuity planning.
The spread of connectivity and automation is nothing new, of course. In 2016, security guru Bruce Schneier observed that human intervention is increasingly unnecessary. “The Internet now senses, thinks, and acts,” he wrote. “We’re building a world-sized robot, and we don’t even realize it.” Schneier concluded that it is vital to consider what he termed a “new world-spanning robot.”
Although software’s societal role has been expanding for decades, the security ramifications of a world with widespread automated or semi-automated IoT-enabled devices could be profound. “Computers have a tremendous amount of power for helping our lives and making it better, but the more complex the system, the more things that can go wrong,” said Kate Stewart, senior director of strategic programs at the Linux Foundation. “We have to try to figure out how to understand what can go wrong, mitigate the harm and increase software dependability.”
Secure by Design
Traditional cybersecurity concepts such as security by design sometimes fall by the wayside when organizations are in crisis response mode. COVID-19 is “going to make adhering to secure-by-design principles challenging,” said John Loveland, global head of cybersecurity strategy at Verizon. “Everybody is moving very quickly.” As organizations move to expand remote working and automation capabilities during the crisis, they are more likely to make mistakes. “You can’t let either the technology or the new business processes outpace the security behind it. You need to ensure that your internal security team is a part of every decision you make regarding new technology, processes or ways of working.”
Experts recommend making security a consideration at the earliest possible stage when planning technology deployments. “Make sure you bring in the stakeholders, the business as well as the operators into security discussions,” recommended Bob Martin, co-chair of the Software Trustworthiness Task Group at Industrial Internet Consortium.
“You need to consider [security] as one of the primary aspects of any solution and, like the foundations of a house, everything else is built on top of that,” said Andrew Jamieson, director, security and technology at UL. Organizations that neglect to build a correct foundation risk rebuilding it or “at least spend a great deal of time and effort fixing something that could have been much more easily remedied earlier on,” Jamieson said.
Still, it is unlikely that security-by-design principles will top the priority list as organizations abruptly move toward remote working, remote control of assets and possibly expanded automation capabilities. “That is indeed a huge security issue, even when using secure technologies because there is no time to apply them securely,” said Frank Hißen, an independent security consultant.
Security-by-design principles often incorporate an array of hardware and technology pieces. Assembling them can be something of a puzzle. “Sometimes vendors selling the ‘puzzle pieces’” that make up a deployment lack adequate security measures, said Chris Catterton, director of solutions engineering at One Tech. Expanding the scope of remote access capabilities of an IoT deployment heightens the need to “include security at the end points as well as at the system level, whether via the Cloud or on-premise systems accessed through VPN,” Catterton said.
Finding and Refinding Security Balance
While building security features into products and processes is vital, it isn’t possible to anticipate every possible future threat. “You can’t always make design decisions about security early on in a project and have those stay valid,” Jamieson said.
There’s often a tension between adding new features to software and ensuring it is kept safe to use and secure. “There are a lot of features that show up on our cell phones that randomly crash and the consequences, while annoying, aren’t life threatening,” Stewart said. “We’re increasingly seeing open source be used in applications where, if the software is not dependable, it could hurt someone.”
Ultimately, securing systems boils down to resilience and agility. “If you build only for resilience, you are going to be in trouble” when new security vulnerabilities surface, Jamieson said. “So in today’s world you also need agility: the ability to quickly change, patch, update or otherwise refactor systems when things change.”
Agility in security also connects to security-by-design principles. “You need to bake in security from the outset, and that security approach needs to include aspects of resilience and agility,” Jamieson said. “If you don’t design for security, you are designing for failure.”