How do we merge IT and IoT security testing without breaking everything – implications for industry, organisations and individuals
What are the challenges of merging IT and IoT security? How do testers trained on laptops learn the practicalities of disassembling hardware devices in a safe environment, without breaking the very infrastructure they’re meant to be protecting? And how can organisations take advantage of the opportunities emerging around securing industrial environments – while at the same time safely mitigating threats?
The answers lie in recognising the similarities between IT and IoT environments rather than focussing on the differences. There is confusion around terminology used – IoT/OT/IIoT/ICS – when in fact the hardware knowledge and hacking skills required to be proficient as a consultant in this field share many commonalities. We need to address the need to assess multiple scenarios, regardless of whether the environment is web, consumer or industry focussed.
By recognising commonalities, we can develop a talent pool of individuals able to cross into this field using the skills they already bring to their job, whether they’re from a software or hardware engineering background, or are skilled at web-based security testing methods. There is a convergence of technologies which we are all aware of; call it Industry 4.0 or the New Industrial Revolution or whatever you’d like to label it as. If we are describing the technologies as merging, why not describe the skill sets that protect them in the same way?
The integration of intelligent digital technologies into manufacturing and industrial processes, and their speedy, cost-driven (but not always security-driven) adoption into modern manufactured elements has created a specific need to ensure practitioners are being sufficiently trained and assessed at every level of their career. We need to cross-skill and to upskill, bringing together each side of the revolution: engineers, meet the IT crowd. We need to motivate individuals to continue their learning journey to meet the needs of emerging technologies and growing threats. And we need to recognise that transitional skills such as being able to consult and advise on found vulnerabilities are just as important as technical ability. Collaboration and cross-skilling are key – not working in silos and certifying niches.
Of course it would be naïve to assume that convergence will be simple. Engineers and IT security specialists speak different languages, and have differing approaches to suit their specific areas, and don’t necessarily have a common understanding of threat and the capabilities of hostile actors. It’s one thing to accidentally bring down a website; quite another to bring down a manufacturing facility or a nuclear power plant. The stakes are high; but if we continue to recognise IT and IoT as different disciplines, we fail to recognise the inherent benefits of drawing on the skill sets of both. With training and with competence measurement we can build into the existing engineering and IT disciplines the knowledge, skills, abilities and tasks to counter the growing threat posed by rogue nations and organised crime groups. If there’s one thing we all do know for certain, it’s the fact that due to chronic underinvestment in developing cyber skills, there are currently more attackers than there are defenders. We simply need growth.
If we concentrate on cross-skilling those in complementary disciplines, we neatly circumvent the ongoing skills gap by capitalising on existing talent. It takes a lot less time to train an Industrial Engineer in the peculiarities of security testing IT environments than it would to train someone coming straight out of university. The skills we instil can be applied to existing roles as well as those which appear as a result of Industry 4.0, creating well-rounded testers capable of understanding, and acting on, vulnerabilities found within multiple environments.
There must still be an emphasis on increasing practical skills rather than focussing on theoretical or classroom-based learning, and on recognising the fundamental differences between app hacking and design verification/validation testing. It’s a simple fact that traditional penetration testing techniques don’t work in IoT and OT environments. Design reviews of complex, but fragile and dated plant bring up additional challenges not found in app-based IT Security Testing. IoT Testing training should aim to mimic real-world situations, addressing the reality of undertaking a security assessment prior to undertaking any technical hacking. How have engineers connected existing devices? How fragile is the equipment and how easy will it be to break – and what are the repercussions of that? How robust is any error handling and what are the implications of breaking a command? What should the post-test report consist of, and what advice can be given?
In conclusion… we know the repercussions of malicious activity affecting IoT devices can be life-threatening, and that it’s imperative that the cyber security industry expands provision of cyber services to include industrial and manufacturing scenarios. The business case for creating IT security consultants who can address the needs of industrial and manufacturing clients is clear. At The Cyber Scheme we strongly believe all our practitioners – whether from a testing or engineering background – should be taught the skills to assess and exploit Industrial Control Systems in order to keep UKPLC safe, which is why we have introduced our IoT Hacking course. The future is literally in their hands.