(Part 3 of our 3 part 2024 Summer IoT Security Series)
Once you have deployed and are maintaining security practices across IoT/CPS systems at scale, the next step is ongoing training and awareness building about security. It not only reduces organizational risk, it also develops an internal culture that makes security more efficient and comprehensive. And many of the lessons learned about managing cybersecurity for IoT/OT/CPS can be applied by employees at home (another space filled with insecure IoT devices). Here is some of what Viakoo has seen in how leading IoT and CPS security organizations are bringing training and awareness to the forefront.
- Extend corporate InfoSec policy and the training around it to IoT/CPS systems. Without an explicit exemption from those policies, all digitally-connected systems are subject to such corporate policies.
- Focus on business continuity. By definition, cyber-physical systems have both a cyber dimension and a physical-world dimension; think of the Colonial Pipeline being shut down through cyber commands generated from a billing server. Every operator of a CPS (IoT/OT/ICS) system should ask what the business impact of that system being compromised would be, and then train appropriately for those situations.
- Communicate and meet with your CISO. This helps build an understanding of how important security is to the organization overall, and why IoT/CPS security in particular is critical. Why not invite the CISO to your next team meeting?
- Produce reporting you are proud of and can share with other teams. This builds both ownership of IoT/CPS security and awareness across other parts of the company of what your team is doing to help everyone remain secure.
- Turn the news into training opportunities. This is an easy one, given that IoT security issues are in the news almost daily. Today’s story was about Flax Typhoon, where IP cameras, routers, and other IoT devices were compromised at large scale to carry out cyber attacks.
- Leverage CISA resources, which are available all year round but are especially prominent during National Cybersecurity Awareness Month in October. There are great materials not only for basic cybersecurity, but also for more advanced practices starting to be used in organizations (such as Software Bills of Materials, or Secure by Design practices).
- Constructive audits, which check basic things like whether passwords, firmware, and certificates are being maintained properly and whether other security practices are being followed, can help establish a baseline for where security training should focus.
- Present at conferences, especially within your specific industry. Everyone is talking about security, and by presenting your best practices and success stories you put yourself in a position to get feedback and refine those practices. In most industries security is never a competitive advantage (much like worker safety), and sharing within the industry is encouraged.
- Get involved in an ISAC (Information Sharing and Analysis Center). There are 27 ISACs across different industries and each of them can help provide insight and training around threats specific to your industry. Check out the National Association of ISACs to see if there is one in your specific area.
- Talk to your suppliers about their security processes, and better yet, read and review their security audits (such as SOC 2 or ISO 27001). Work with your Procurement team to make sure they ask ALL suppliers about their security procedures, and require all new devices and systems to meet your security requirements “out of the box”.
Any additional tips or best practices you’ve used to train your team on the security of CPS/IoT systems or devices? Feel free to add them in the comments section below.