Podcast: Play in new window | Download (Duration: 56:40 — 77.8MB) | Embed
Subscribe: Google Podcasts | Email |
In this episode of the Security Ledger Podcast (#203) we talk about the apparent hack of a water treatment plant in Oldsmar Florida with Frank Downs of the firm BlueVoyant. In our second segment: is infosec’s lack of diversity a bug or a feature? Tennisha Martin of Black Girls Hack joins us to talk about the many obstacles that black women face as they try to enter the information security field.
Part 1: Don’t Hack the Water!
An obscure water treatment facility in Oldsmar Florida became ground zero for the United States concerns about foreign adversaries ability to access and control critical infrastructure last week, after local officials revealed in a news conference that an unknown assailant had remotely accessed the facility’s SCADA system and attempted to raise levels of the poisonous chemical sodium hydroxide in the drinking water by a factor of more than 100.
The attack failed after a worker at the treatment plant saw it play out on his terminal in real time, and adjusted the sodium hydroxide levels back to normal. Nor would it have worked, officials assured a worried public: sensors elsewhere in the water distribution system would almost certainly have caught the abrupt increase in the dangerous chemical.
But closies do count when it comes to critical infrastructure hacks, and the Oldsmar incident set off a federal investigations and a flurry of warnings and editorial hand-wringing about the risks facing critical infrastructure systems. That’s especially true with so many workers accessing them remotely during the pandemic, leaving sensitive systems exposed.
Episode 202: The Byte Stops Here – Biden’s Cyber Agenda
In our first segment this week, Frank Downs of the firm BlueVoyant joins us in the Security Ledger studio to discuss the water system hack and why critical infrastructure firms continue to struggle to protect their environments.
Can Infosec Walk the Talk on Diversity?
For years professionals have decried the lack of diversity in the information security field which, even more than high tech in general, is dominated by white men. At infosec conferences, concerted effort has been made giving more visibility and voice to women and minorities. The dreaded “MANels” – panels made up entirely of men – have been targeted and, in many cases, banished. But down in the trenches – where information hiring takes place and information work is done – there is little evidence of change.
The lack of progress, despite a crushing shortage of infosec workers and the stated intentions of infosec leaders and executives, might get you wondering whether cyber’s lack of diversity is a bug or a feature of the system.
Our next guest suggests that it may be a feature indeed. Tennisha Martin is the founder of Black Girls Hack, a group that looks to promote women of color in cyber security. In this conversation, Tennisha and I talk about the many large and small obstacles that keep women like herself from pursuing cyber security careers: from inequalities in K-12 education to pricey certifications and acronym-stuffed job requirements. Solving those problems, Tennisha says, is going to take more than kind words and promises from Infosec leaders.
Tenniesha Martin is the founder of Black Girls Hack, a non profit organization that promotes women of color in the information security field.
 100vw, 321px”><figcaption>Shareth Ben is the Executive Director of Insider Threat and Cyber Threat Analytics at the firm Securonix. </figcaption></figure>
</div>
<p><a href=)
Shareth Ben is the executive director of field engineering at  100vw, 275px”><figcaption>Barry McMahon is the Senior Global Product Marketing Manager at LogMeIn</figcaption></figure>
</div>
<p>In our second segment, we’re joined by <a href=)
Barry McMahon a senior global product marketing manager at LastPass and LogMeIn. McMahon says that, despite talk of a “password less” future, traditional passwords aren’t going anywhere anytime soon. But that doesn’t mean that the current password regime of re-used passwords and sticky notes can’t be improved drastically – including by leveraging some of the advanced security features of smart phones and other consumer electronics. Passwords aren’t the problem, so much as how we’re using them, he said.
 100vw, 267px”><figcaption>Katie Petrillo is the manager of LastPass Product Marketing at LogMeIn. </figcaption></figure>
</div>
<p>But all that online shopping carries its own risk: identity theft and fraud. And, as with the Coronavirus, too many Americans are failing to take adequate steps to protect themselves from harm. </p>
<p>In our second segment this week, Katie Petrillo of the firm LastPass joins us to talk about some of the threats waiting for online shoppers, and some simple ways to protect yourself from harm. </p>
<hr class=)
 100vw, 284px”><figcaption>Brian Trzupek is SVP of Emerging Markets at DigiCert</figcaption></figure>
</div>
<p>IoT devices do none of these things. A device is typically manufactured and provisioned an identity that will generally last for the entire duration of that device. However, the software on that device may change quickly and frequently throughout the lifetime of the device. Another key difference between IoT and enterprise identity and authentication is that, in IoT environments, devices may be only rarely connected to the network. That means they may not be able to get updates, or, in some cases, may not even be able to support standard revocation models. These key differences mean you need a way to ensure every device’s authenticity and integrity.</p>
<h2>What’s needed for effective IoT security?</h2>
<p>A few fundamentals are needed to secure IoT environments.</p>
<h3>Robust device security</h3>
<p>First, you need a cryptographically strong device identity. This is commonly called the device “birth certificate.” A device certificate creates an identity for each “thing” in an IoT ecosystem, making sure each device authenticates as it connects, and protects communication between devices.</p>
<h3>IoT supply chain security</h3>
<p>Manufacturers need a way to track and ensure their devices’ content to respond effectively to future vulnerabilities or compromises. Not knowing what is on your devices, such as libraries, software, chips, open-source, is the easiest way to get compromised.</p>
<h3>Ability to disable a device</h3>
<p>If the device is connected to the network and using Public Key Infrastructure (PKI), revocation of the certificate is a very effective way to disable its ability to bad things. However, if you do not have a means of using revocation with a device, but it is communicating back to a service the manufacturer controls, then the device identity can be used to gate access to backend services and have the effect of quarantining and identifying a troublesome device. If you are not the manufacturer and have a compromised device, then network segmentation and egress monitoring allow you to control the device.</p>
<h3>Ability to update a device</h3>
<p>However, many devices are connected in a way that they can be updated. It’s essential to ensure that a secure update mechanism is designed in from the start—and that the integrity of the update can be confirmed before the update takes place.</p>
<p>It’s also important to be able to build in the ability to respond to unauthenticated access and recovery. Some organizations create update procedures that coordinate closely with routine device maintenance, or any other occasion that a certified employee visits the device. In these cases, using cryptographically secure authentication to the device through PKI will allow the qualified worker to gain proper access and perform necessary duties. This needs to be designed in from the start. It is also important to remember that in some cases, a device may not be updatable, and will require its own specific deployment policies and practices.</p>
<h3>Service side authentication</h3>
<p>IoT devices should all use strong authentication when communicating with their services. Unauthorized devices should be identified and dealt with per your policy.</p>
<h3>Remediation plan</h3>
<p>Despite your best efforts, you may need to respond to breaches. Consider how you will identify compromised devices or spot vulnerabilities in the software used in your device. Once you have developed a plan to discover these issues, you can determine how you will respond to correct the issue or quarantine the device. Developing a well thought out remediation plan in advance will greatly help you when the time comes to respond to an issue.</p>
<h2>PKI delivers for IoT security</h2>
<p>PKI is uniquely positioned to deliver on essential, distinct security needs of the IoT. It’s market-ready, widely adopted, and provides the flexibility and interoperability organizations need to support a wide range of IoT applications.</p>
<p>According to the Institute of Electrical and Electronics Engineers, “When you’re looking at authenticating devices, the only real standards at the moment that offer any real interoperability tend to be Public Key Infrastructure (PKI).”</p>
<p>It’s clear that PKI delivers the essential authentication and encryption components needed by the IoT for data security, making it a proven solution and market-ready platform for IoT device security today. With a strong PKI platform from a leading global provider, modern PKI that fits the large scale and flexible deployment models of the IoT is effective and ready to use.<a name=){kind=spacer}
