网络安全难题：谁负责保护物联网网络的安全？

由 理查德·阿迪卡里塞普 24， 2020 4：00 上午 PT

能够告诉您的音响系统选择和播放特定歌曲，或者仅使用语音在线订购内容，或者让冰箱告诉您食物短缺，或者让办公室打印机自行诊断，并自动向供应商提供服务，这是很难击败的。

这样的功能正在推动对智能办公室、智能家居、智能家电、智能建筑和智能城市的需求，所有这些都通过物联网 （IoT） 进行连接。

IoT 是一个物理对象网络，它配备了传感器、软件和其他技术，用于通过 Internet 与其他设备和系统交换数据。其中包括嵌入式系统、无线传感器网络、控制系统、家居和楼宇自动化系统、智能家居设备以及智能手机和智能扬声器。

根据数字转型研究公司"Transforma Insights"，到2019年底，全球有76亿台活动物联网设备，到2030年将达到241亿台。

连接泰迪熊 - 等等， 什么？

当然，在2020年家庭工作必需品的刺激下，人们将大量非商业设备连接到他们的企业网络。有些是可预测的，有些可能是令人惊讶的。例如，根据全球网络安全公司Palo Alto Networks的《2020年物联网安全报告》，泰迪熊和其他玩具、运动器材，如运动机器、游戏设备和互联汽车。

连接到 IoT 网络的设备数量和种类不断增加，使得实施网络安全变得越来越困难，因为每个设备都是潜在的薄弱环节。

例如，通过造成交通堵塞，可以攻击大量连接的汽车来摧毁城市。

智能建筑甚至城市可能遭到黑客攻击，危及控制 HVAC 系统、火灾报警和其他关键基础设施的自动化系统。

据报道，数字入侵者通过智能恒温器进入家庭，通过远程加热来恐吓家庭;然后通过连接到互联网的摄像头与居民讲话。

在医疗保健行业，黑客攻击的影响可能最严重，因为设备故障或劫持将危及生命。

"互联医疗设备——从WiFi的输液泵到智能MRI机器——增加了共享信息的设备的攻击面，并造成安全问题，包括隐私风险和可能违反隐私法规的行为，"安全供应商tripwire的作者阿纳斯塔西奥斯·阿拉姆帕齐斯写道。

CEO们脚踏实地

那么，谁将负责物联网网络中的网络安全呢？个别电器或设备的供应商？谁拥有或运行网络？使用 IoT 网络的公司或组织？

全球研究和咨询公司 Gartner预测，到 2024 年，75% 的 CEO将承担对 Gartner 称之为网络物理系统（CPS） 的攻击的亲自责任。

Gartner 将 CPS 定义为"旨在协调传感、计算、控制、网络和分析的系统，以便与物理世界（包括人类）进行交互。

这些系统"将所有互联 IT、运营技术 （OT） 和物联网 （IoT） 工作都用于安全考虑，这些工作涉及网络和物理世界，例如资产密集型、关键基础设施和临床医疗保健环境。

OT 包括硬件和软件，通过直接监控和/或控制检测或导致工业设备、资产、流程和事件的变化。

换句话说，到 2024 年，75% 的 CEO 可能会对物联网安全故障负责。

为什么选择首席执行官？Gartner 研究副总裁 Katell Thielemann 写道，由于监管机构和政府将大幅提高对CPS的规章制度，以应对因未能获得CPS而导致的严重事件增加。很快，CEO 们将无法为无知辩护，也无法在保险单背后退缩。

安全意识培训公司KnowBe4的首席传道者和战略官佩里·卡彭特（Perry Carpenter）告诉TechNewsWorld，"追究CEO责任"是一种明确的可能性，并且与CEO根据2002年《萨班斯-奥克斯利法案》对其财务证明的准确性和合法性负责的方式是一致的。

《萨班斯-奥克斯利法案》的创建是为了打击公司欺诈行为。

卡彭特说，全国公司董事协会（NACD）"认识到网络安全应该是一个甚至上升到董事会水平的问题。"它指导了如何做到这一点。

Carpenter 说，公司可以购买网络保险，但网络保险"如果公司不满足高安全性标准，则因不支付保险而臭名昭著"。

此外，"监管机构不会急于为可能有明显疏忽的 CEO 和公司提供轻松的出路。

基于风险的方法是否可行？

全球管理咨询公司麦肯锡（McKinsey&Co.）发现，企业之间正朝着采用基于风险的方式实施网络安全，但这不会为CEO提供全面保护。

CDW 表示，基于风险的信息安全方法使组织能够根据其独特的运营环境、威胁环境和业务目标采取量身定制的策略，该解决方案为美国、英国和加拿大的商业、政府、教育和医疗保健客户提供技术解决方案。

他们让采用者"了解风险缓解工作的影响，提供风险的全面视图，并填补其他安全方法可能留下的空白。使用基于风险的方法完全符合许多组织正在采用的企业风险管理 （ERM） 战略。

"风险总是等式的一部分，"卡彭特说。"当组织或 CEO 对风险的容忍度高得令人无法接受，或者只是选择把头伸到沙子里置之不问时，问题就来了。

人们普遍承认，没有完全安全的系统，所以让CEO们对CPS的失败负责不会是过头了吗？

"重点不是百分之百的保护，"卡彭特说，"而是要确保系统如何构建时有适当的保护。CEO 们不能只是用（100% 的安全性不存在的事实）作为借口，他们需要在建立安全和弹性方面考虑。

指指点点没那么简单

尽管可能与《萨班斯-奥克斯利法案》相一起，但指责问题并非易事。

全球网络安全公司古鲁库尔的首席执行官萨柳·纳亚尔（Saryu Nayyar）对TechNewsWorld表示："最终，首席执行官要对其组织的运作负责，但现实比简单的'责任就停在这里'更微妙。

纳亚尔说："网络攻击是复杂的，往往涉及许多移动件。因为他们是 CEO而将责任推给他们，可能不合适。

纳亚尔指出，也就是说，当首席执行官未能为其安全团队设定高标准或确保达到标准时，他们应该承担个人责任。

目前还不清楚谁将或应该承担责任，Salvatore Stolfo，创始人和首席技术官在Allure Security，一个安全即服务的应用程序，防止网络钓鱼诈骗，告诉TechNewsWorld。

他问道："是制造不安全物联网设备的公司的首席执行官，还是购买和部署物联网设备的公司的首席执行官？"目前没有立法明确理论上谁将承担该责任。

Stolfo建议，让首席执行官个人负责的替代方案是采纳 Cyberspace 太阳能委员会 （CSC） 的建议，让物联网设备制造商对销售有缺陷的产品或不提供基本安全功能（包括在安全漏洞被建议的那样已知时更新设备软件的能力承担责任。

这是CSC在2019年提出的80项建议之一，该建议是在网络空间中形成维护美国的共识。

如何使物联网网络更安全

Palo Alto 网络建议以下步骤保护 IoT 网络：

• 利用设备发现来获取连接到 IoT 网络的设备数量和类型、其风险配置文件及其可信行为的详细、最新的清单;
• 对网络进行分段，以将 IoT 设备控制在自己严格控制的安全区域中，使它们与 IT 资产保持独立;
• 采用安全密码做法，将新连接的物联网设备的默认密码替换为符合企业密码策略的安全密码;
• 继续修补和更新固件（如果可用）;
• 时刻主动监控 IoT 设备。

运营技术（OT）和物联网安全公司Nozomi网络的联合创始人安德里亚·卡卡诺（Andrea Carcano）告诉TechNewsWorld，保护物联网网络需要综合采购设计安全的产品，并采用整体安全方法。

"IT 专业人员不能再只担心其 IT 网络的安全性和连接性，"Carcano 说。"他们必须考虑其网络和物理系统的安全性。”

Cybersecurity Conundrum: Who's Responsible for Securing IoT Networks?

By Richard Adhikari Sep 24, 2020 4:00 AM PT

https://www.technewsworld.com/story/86857.html

It's hard to beat being able to tell your sound system to select and play a particular song, or order something online using just your voice, or have your refrigerator tell you when you're running short of food, or have your office printer diagnose itself and demand service automatically from the vendor.

Features like this are driving the demand for smart offices, smart homes, smart appliances, smart buildings, and smart cities -- all connected through the Internet of Things (IoT).

The IoT is the network of physical objects equipped with sensors, software and other technologies for exchanging data with other devices and systems over the Internet. These include embedded systems, wireless sensor networks, control systems, home and building automation systems, and smart home devices, as well as smartphones and smart speakers.

There were 7.6 billion active IoT devices worldwide at the end of 2019 and there will be 24.1 billion in 2030, according to digital transformation research firm Transforma Insights.

Connected Teddy Bears - Wait, What?

Surely spurred by the work-from-home necessities of 2020, people have connected a multitude of non-business devices to their corporate networks. Some are predictable and others might be surprising. For example, teddy bears and other toys, sports equipment such as exercise machines, gaming devices and connected cars, according to global cybersecurity firm Palo Alto Networks' 2020 IoT Security Report.

The increasing number and variety of devices hooked up to IoT networks is making it progressively difficult to implement cybersecurity, because every device is a potential weak point.

For example, it's possible to hack large numbers of connected cars to shut down cities by causing gridlock.

Smart buildings and even cities can be hacked to compromise automated systems that control HVAC systems, fire alarms and other critical infrastructure.

Digital intruders have reportedly accessed homes through smart thermostats to terrorize families by turning up the heat remotely; and then speaking to the residents through the cameras connected to the Internet.

The effects of hacking will likely be most severe in the healthcare industry, where equipment failure or hijacking will endanger lives.

"Connected medical devices -- from WiFi enabled infusion pumps to smart MRI machines -- increase the attack surface of devices sharing information and create security concerns including privacy risks and potential violation of privacy regulations," wrote Anastasios Arampatzis, an author for security vendor Tripwire.

Holding CEOs' Feet to the Fire

So, who will be responsible for cybersecurity in an IoT network? The vendors of individual appliances or equipment? Whoever owns or runs the network? The company or organization using the IoT network?

Global research and advisory firm Gartner predicts that, by 2024, 75 percent of CEOs will be held personally responsible for attacks on what Gartner calls cyber-physical systems (CPSs).

Gartner defines CPSs as "systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans."

These systems "underpin all connected IT, operational technology (OT) and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure and clinical healthcare environments."

OT consists of hardware and software that detects or causes a change in industrial equipment, assets, processes and events through direct monitoring and/or control.

In other words, 75 percent of CEOs could be held responsible for IoT security failures by 2024.

Why CEOs? Because regulators and governments will drastically increase the rules and regulations governing CPSs in response to an increase in serious incidents resulting from failure to secure CPSs, Gartner research VP Katell Thielemann wrote. "Soon, CEOs won't be able to plead ignorance or retreat behind insurance policies."

Holding CEOs responsible "is a definite possibility and is consistent with the way that CEOs are held accountable for the accuracy and legitimacy of their financial attestations under the Sarbanes-Oxley Act of 2002," Perry Carpenter, Chief Evangelist and Strategy Officer at security awareness training firm KnowBe4, told TechNewsWorld.

The Sarbanes-Oxley Act was created to crack down on corporate fraud.

The National Association of Corporate Directors (NACD) "realizes that cybersecurity and, by extension, cyber-safety should be an issue that even rises to the level of the Board of Directors," Carpenter said. "It has issued guidance for how to do so."

Companies can buy cyber insurance, but cyber-insurance policies "are notorious for not paying out if the company does not meet a high bar of security excellence," Carpenter remarked.

Further, "regulatory bodies won't be in a hurry to offer easy outs for CEOs and companies who may be demonstrably negligent."

Is a Risk-Based Approach Feasible?

There is a move among enterprises towards adopting a risk-based approach to cybersecurity, global management consultant firm McKinsey & Co. found, but that won't provide CEOs blanket protection.

Risk-based approaches to information security let organizations adopt strategies tailored to their unique operating environment, threat landscape and business objectives, according to CDW, which provides technology solutions to business, government, education and healthcare customers in the U.S., the UK, and Canada.

They let adopters "understand the impact of risk mitigation efforts, providing a comprehensive view of risk and filling gaps that may be left by other approaches to security. The use of a risk-based approach fits neatly within the enterprise risk management (ERM) strategies being adopted by many organizations."

"Risk is always part of the equation," Carpenter said. "The problem comes when organizations or CEOs have an unacceptably high tolerance for risk or simply choose to stick their heads in the sand."

It's widely acknowledged that there is no such thing as a fully secure system, so wouldn't holding CEOs responsible for the failure of a CPS be overkill?

"The point won't be to have 100 percent protection," Carpenter said, "but rather to ensure that there's proper due care in how systems are architected. CEOs can't just throw up their hands and use [the fact that 100 percent security doesn't exist] as an excuse, they need to build with safety and resilience in mind."

Pointing Fingers Not So Simple

Despite possible parallels to the Sarbanes-Oxley Act, the question of blame will not be easy to resolve.

"Ultimately, the CEO is responsible for the operation of their organization, but the reality is more nuanced than just simply 'the buck stops here'," Saryu Nayyar, CEO of global cybersecurity company Gurucul, told TechNewsWorld.

"Cyberattacks are complex and often involve many moving pieces," Nayyar said. "Placing liability on the CEO because they are the CEO may not be appropriate."

That said, CEOs should be held personally accountable when they fail to set a high standard for their security teams or ensure that standard is reached, Nayyar noted.

It's not clear who would be or should be held responsible, Salvatore Stolfo, founder and chief technology officer at Allure Security, a security-as-a-service application that protects against phishing scams, told TechNewsWorld.

"Is it the CEOs of companies that manufacture insecure IoT devices, or the CEOs of companies that buy and deploy them?" he asked. "There is no current legislation making it clear who would theoretically hold the liability."

An alternative to holding CEOs personally responsible would be to adopt the recommendation of the Cyberspace Solarium Commission (CSC) to hold IoT device manufacturers liable for selling defective products or not providing for basic security features including the ability to update device software when security vulnerabilities become known as recommended by, Stolfo suggested.

This is one of 80 recommendations made by the CSC, which was established in 2019 to develop a consensus in defending the U.S. in cyberspace.

How to Make IoT Networks More Secure

Palo Alto Networks recommends these steps for securing IoT networks:

• Employ device discovery to get a detailed, up-to-date inventory of the number and types of devices connected to your IoT network, their risk profiles, and their trusted behaviors;
• Segment your network to contain IoT devices in their own tightly controlled security zones, keeping them separate from IT assets;
• Adopt secure password practices, replacing the default password of newly connected IoT devices with secure ones adhering to enterprise password policies;
• Continue to patch and update firmware when available;
• Actively monitor IoT devices at all times.

Securing IoT networks requires a combination of purchasing products that are secure by design, and taking a holistic approach to security, Andrea Carcano, Co-founder of operational technology (OT) and IoT security firm Nozomi Networks, told TechNewsWorld.

"IT professionals can no longer just worry about the security and connectivity of their IT networks," Carcano said. "They must think about the security of their cyber and physical systems."