A cybersecurity seal of approval is not enough

This is a contributed piece by Dr. Mike Lloyd, Chief Technology Officer of RedSeal


Cyberthreats continue to dominate the headlines and wreak havoc on corporate networks. There are now nearly one million new malware threats released every single day, according to recent reports. In a bid to stem the tide, several groups have announced programs to rate the cybersecurity of network-connectable products and systems.

In April, Underwriters Laboratories (UL), a prominent safety standards organization (the UL certification mark is on everything from lightbulbs to wireless routers), unveiled its Cybersecurity Assurance Program (CAP). This comprises a set of standards intended to establish testable cybersecurity criteria for network-connected devices and systems, so that software vulnerabilities and weaknesses can be assessed, exploitation minimized and security awareness increased. Meanwhile, the Cyber Independent Testing Lab (CITL) is set to introduce a new cyber ratings system for 100,000 software applications ranging from web browsers to industrial control systems. Some are calling it “Consumer Reports for software security”.

I don’t argue with the need for new cybersecurity standards and rating systems, especially given the rapid emergence of the Internet of Things (IoT). After all, there will be 21 billion IoT devices connected by 2020, according to research firm Gartner, and this will vastly increase the vulnerability of networks. IDC predicts that two-thirds of networks will experience an IoT security breach by 2018. Given numbers like those, I applaud the UL and CITL programs—they are an important first step.

But let’s acknowledge that an IoT version of a lightbulb is not like a regular lightbulb. For regular lightbulbs, we know what we are concerned about: will it burst into flames, or shower glass on innocent bystanders? When it fails, does it fail safe? IoT challenges that way of thinking. We can (and do) build internet connectivity into lightbulbs: at first as a way to save energy by automatically turning lights off, and later for security, so that we can do things like track which motion sensors are turning on lights in buildings that should normally be dark at 3am.

But all this connectivity means we now have to think about wily, deliberate adversaries who put effort into thinking up clever ways to exploit these capabilities, ranging from denial of service through to “stealing” a sense of the health of a company by seeing whether people are working long hours. These are new challenges, and they keep changing: our cyber adversaries are smart, and they change their tactics every time we figure out how to block their current methods. This creates a dynamic, shifting problem that is nothing like UL certification of a standard lightbulb, a technology that developed very few new and interesting physical behaviors in the time between Edison and the compact fluorescent.

Starting to get the picture? It’s not a pretty one. Networks and network-connected devices form an almost infinitely complex system, and securing them is an almost infinitely complex challenge. Device and software certifications like those now promoted by organizations such as UL and CITL, while perhaps a good start, are not sufficient.

Here’s a better start: a thorough assessment of your organization’s network-wide risk. Once you have assessed your risk, you can then make truly informed security decisions. You can make changes to reduce risk, insure against risk or simply decide that you can live with risk. After the assessment, you will better understand the state of the network. You can measure resilience, verify compliance and accelerate incident response. A thorough assessment will also allow you to accurately measure how well prepared you are now and actively promote progress toward where you want to be in the future.

Finally, a network-wide assessment should not be a one-time event. You need to continuously monitor changes in your network and the devices connected to it to identify and assess new risks as they appear.

To be honest, you don’t have much choice, because information security as it stands now will not be up to the job in our IoT future. The level of reliability and resilience required to safeguard data in the world of IoT is vastly greater than what we are accustomed to now. As the network grows more dynamic, it will demand monitoring that is just as dynamic. A seal of approval stuck onto whatever IoT devices you purchase is simply not enough.
