
Best Practices for IoT Security



IoT For All

- Last Updated: April 13, 2021

IoT For All

- Last Updated: January 1st, 2020


In this episode of the IoT For All podcast, Optiv Security Practice Director of OT/IoT, Sean Tufts, joins us to share some of his best practices for companies to address cybersecurity concerns around their IoT devices. Sean speaks to some of the trends he’s seen in the security industry and what both companies and governments need to do to address current and future problems in the IoT security landscape.

Sean Tufts is the Practice Director for the OT/IoT business at Optiv. He's a former NFL linebacker turned critical infrastructure security leader. Post NFL, he worked for utility operators and O&G hardware suppliers. Prior to his current leadership position at Optiv, Sean was on the digital transformation team for General Electric, focusing on security services for the O&G market. In 2012 he was honored by Forbes as a "30 Under 30" recipient.

https://www.youtube.com/watch?v=pfU-ZwdGAAk

Interested in connecting with Sean? Reach out to him on LinkedIn!

About Optiv: Optiv is a security solutions integrator – “one-stop” trusted partner with a singular focus on cybersecurity. Our end-to-end cybersecurity capabilities span risk management and transformation, cyber digital transformation, threat management, cyber operations, identity and data management, and integration and innovation, helping organizations realize stronger, simpler and more cost-efficient cybersecurity programs that support business requirements and outcomes. At Optiv, we are modernizing cybersecurity to enable clients to innovate their consumption models, integrate infrastructure and technology to maximize value, achieve measurable outcomes, and realize complete solutions and business alignment. 

Key Questions and Topics from this Episode:

(00:57) Intro to Sean

(03:49) Intro to Optiv Security

(07:15) Are there any Applications you can share to illustrate a typical customer engagement for Optiv?

(09:18) Why is it important for companies to think about the security piece early on?

(11:25) Are you seeing any trends around the biggest problems or concerns for IoT security?

(12:28) Are there any security concerns you’ve seen on the horizon that people should be looking for, or that you believe haven’t been properly addressed yet?

(13:48) What has been your approach to educating the market?

(19:08) Has the pandemic caused any new security concerns to surface?

(20:56) What can companies do to protect themselves from these security risks? What should they be doing?

(25:20) What needs to be done on the government and legislation side to help with these security concerns?


Transcript:

- You are listening to the IoT For All Media Network.

- [Ryan] Hello everyone, and welcome to another episode of the IoT For All podcast on the IoT For All Media Network. I'm your host Ryan Chacon, one of the co-creators of IoT For All. Now, before we jump into this episode, please don't forget to subscribe on your favorite podcast platform or join our newsletter at iotforall.com/newsletter to catch all the newest episodes as soon as they come out. But before we get started, does your business waste hours searching for assets like equipment or vehicles and pay full-time employees just to manually enter location and status data? You can get real-time location status updates for assets indoors and outdoors at the lowest cost possible with Leverege's end-to-end IoT solutions. To learn more, go to IoTchangeseverything.com, that's IoTchangeseverything.com. So without further ado, please enjoy this episode of the IoT For All podcast. Welcome Sean to the IoT For All podcast. How are things going on here?

- [Sean] Things are great, man. Things are awesome.

- [Ryan] Great. It's great to have you. I appreciate you taking some time to chat with me today. I'd love to kind of start out by just having you give a quick introduction to our audience. You have a relatively unique background coming from kind of a football career into this. So I'd love to hear a little bit more about that and kind of how it all connects together.

- [Sean] Yeah. Awesome. I'm Sean Tufts. I'm a Practice Director for our Industrial Control and IoT business over here at Optiv Inc. At Optiv we do kind of all things security; we're mainly focused on cybersecurity, both technology resale, where we have 500-ish partners, and also a full suite of professional services. And I run all our stuff that connects to connected devices.

- [Ryan] Awesome. And how did you kind of get into this line of work coming from that football background that I know you have?

- [Sean] Yeah, that's a good question. So my football background, I played about three years in the NFL with the Carolina Panthers with the college of University of Colorado. Played linebacker. I looked back on it and I got three years in. Mostly I think I got cut every time you could get cut like if there was a cut and it was just known that I was gonna be the guy. But they always bring me back. I mean, there was either like a practice squad role or like hanging on for dear life on the special teams spot. So I was kinda always up and down, which was fun. There was a lot of fun, but sometimes I look back I'm like three years and it sounds short but it also gave me a good shot to like build a career. I wasn't like forty-five and I'll beat up with, any sort of financial security. I had to go find that first terrible job, which I did. And I started my career up and running.

- [Ryan] Did you have a kind of cybersecurity background before you got into football, like from your days in college or was there something you kind of acquired once you were done with football?

- [Sean] Embarrassingly I was a sociology major. And to this day I don't think I can spell that word, which I'm not kidding. My spelling is not great but that word will flummox me every single time. So I started out my career building wind farms actually. I live outside of Boulder Colorado and it's kind of a wind corridor out here. I got in touch with a guy who was developing land leases and putting up the turbines. And that turned into a career a couple of years later at a company.

- [Ryan] What company?

- [Sean] General Electric. Transferred at that point from renewables into like the oil and gas side at Baker Hughes and they put out a survey and the survey said, who wants to learn cybersecurity? And I was like, that sounds way more awesome than like electric motors and fracking and all this stuff. And I answered the call and like two days later they're like you're a cybersecurity expert. And I was like okay all right. So a lot of YouTube, a lot of security for dummies books, but yeah that's been my path.

- [Ryan] Fantastic. So talk a little bit more about Optiv and what you all do. I obviously know there's a lot of it's centered a lot around the security and kind of how what you do connects to the IoT space and what the general focus is for the organization.

- [Sean] So yeah, we focus only on cybersecurity. We don't have any other parts of our business. We also don't make any technologies. So we'll go to the market, to the Palo Altos of the world, the CrowdStrikes of the world, the McAfees, and then we'll work with clients to build the right programs. The most strategic, like policy-based initiatives, all the way down to like hands-on tools remediating vulnerabilities, or mediating active threat campaigns, and kind of all parts in between. The big houses and things we focus on are like attack and penetration, identity throughout the whole user life cycle, digital transformation, which is where I sit. There was some forward thinking around what does digital transformation mean? Yeah. It's cloud, cool. Yes. It's automation. Yes. It's Industry 4.0, but where are we getting this data? And it's from all these connected devices that are popping in and out.

- [Ryan] So when you think about kind of when people talk about IoT and they say the internet of things and so forth how do you all view that piece of the digital transformation puzzle? I mean, obviously there's a very large spectrum. There's consumer devices where most people associate smart things with that's what IoT is but there is this whole other side of the world, which is maybe, growing even more rapidly with on the enterprise side you have using devices to collect data for our companies to be more informed to make better decisions. So when you all are kind of thinking about IoT what does it mean to you and kind of how do you see it playing the leading role in the digital transformation kind of revolution that we're going through?

- [Sean] I think right now, when I look at our cloud businesses and everything that AWS and Azure and Google are doing and all the awesome AI implementations and the ML stuff it feels like we're really wringing black ops out of some of those easy migrations from like on-Prem servers to the cloud. we're overlaying that stuff we're getting all the value out of it. But the value is starting to become less and less. So then when this relates to IoT it's where are you getting your data next? What's the next big data Lake you can tap into? What's the next big asset class that you can go grab? And I think it's the connection to the physical world and whether that's retail location and tracking how long a customer stays at a Coke display or how they interact in the parking lot or the temperature in the building. All of those are gonna be the next islands of data that we wanna consume and monetize.

- [Ryan] So when you all work with a customer you mentioned you guys don't write kind of writing software or anything like that. Are there particular industries that you kind of have expertise or focus in when it comes to providing your security kind of guidance?

- [Sean] We don't. We have a strong relationship component inside of our business, which means a lot of what we do is organically grown from a relationship standpoint. That's another way to say a lot of our leads come in from trusted sources. It's either we've worked with a company for a couple of years or whatever. So we service all parts. I think it's like everyone has this thumb stat. But it's like 75% of the Fortune 50 or something like that, all the way down to like mom and pop shops. We don't have any industry focus or reference.

- [Ryan] Gotcha. And what about kind of speaking on more of the Applications front and bringing this more, kind of full circle for our audience to understand maybe a project that you all have embarked on with a customer. So by taking us through the general customer engagement. So they come to you with this problem or you're working with an organization around a customer with a certain problem. And then what does that kind of engagement look like for you all? And what's kind of the general problem people are coming to you on. And then what's the outcome kind of has looked like at the end.

- [Sean] So we work most with the Chief Information Security Officer, so the CISO. It could be someone on the network side, it could be someone in infrastructure or cloud. It doesn't really matter, but usually our entry point is the CISO. On the IoT front, they're coming to us and saying I have no idea what's in my network. And I just walked the shop floor. I just went through this office and I saw a camera I didn't know about, or I walked through and I saw a test bed that I know isn't running the right purchase. And I know isn't authorized and I'm kind of concerned. The biggest thing security is facing right now is just understanding what devices are out there, because you can't secure what you can't see. So we know all the, from a corporate standpoint we know where the data center is. We know where things are in theory, where things are in the cloud, because who really knows, it's the cloud. We know what laptops people are running and we know all that kind of stuff, but we don't know all those little non-Windows and non-Linux devices that are running on the corporate LAN. And unless you go look, you can't find them. And we've done exercises about five years ago, because the maturity curve was low. We went out to an oil rig and literally took a flip phone and took a picture of every single piece of computing device. And then you use that to start logging serial numbers. Thank goodness we're more evolved than that, but that's still where a lot of our clients are today.

- [Ryan] That's something that I don't know if much of our audience understands kind of where most of the companies stand right now. But one of the questions I wanted to ask you a little bit more high level too to kind of tap into your general view of the market and mindset around security is and this is the question that a lot of companies bring up because security is oftentimes an afterthought unfortunately, but why should people and more of these enterprise companies when they're building an IoT solution are kind of going down that path why should they care about the security piece so much? And why is it important for them to be thinking about that early in the process rather than later?

- [Sean] I think the answer, as good answers go, is it always depends. And I think in this case it depends on the criticality. Last year a large toy manufacturer that makes dolls for girls, I don't remember the name, they got breached. And they had cameras inside their dolls that were looking into the environments of our kids and in our bedrooms and stuff like that. That's problematic. They also had a bunch of credentials where they had the name, birth date, not social security number but some other information baked into those devices. That's not a good practice. So for that specific company it was critically important that they had IoT and security in the forefront of their technology. Same thing with the people who provide us electricity, who provide fuel in our tanks. The biggest impact COVID had in my industry was, I work a lot with critical infrastructure companies. Well, we opened up a whole new scope for what that means because all of a sudden, customers are coming to us who test raw chicken. And they were like, hey, we get temperature from IoT devices. And if our temperature goes wrong in the chicken plant, everybody gets sick, people will be really, really * with us. So that was an example of criticality coming crashing to the forefront. Well, some of it COVID, or some of it just neglect. But there's other industries where it doesn't really matter. Retail is still slow.

- [Ryan] For sure.

- [Sean] It's important to know who's in your building. It's important to know how they interact how they use the credit card but it's not gonna bring down the company.

- [Ryan] For sure. That makes a lot of sense. And now when you thinking about security and you're talking with these companies, are you seeing any trends across the industry around the biggest problems or concerns on the security side of things as it relates to IoT Applications and devices and things like that?

- [Sean] Yeah. I think the first thing to understand is that there is a curve in the scale. Cybersecurity has a, we're not on a 4.0 scale. Top grades are coming in at like B pluses in the critical infrastructure world, IoT world. There's been less of a focus on some of those industries, some of those markets and those technologies. So we're still at the very forefront of tackling this problem. It's so immature that our previous president had to come in and actually put legislation on the table around IoT security. But with light, it just said you've got to low credentials and be able to move the password, but you wouldn't necessarily have seen that if security was treated more densely.

- [Ryan] Yeah, absolutely. And where do you kind of see, I guess, let's say, looking into the next 12 to 18 plus months, do you see any real big gaps on the security front that you're concerned about, or that maybe have not been addressed in the way you feel like they should, and companies like yours or other companies need to start really paying attention to, that people should kind of be on the lookout for?

- [Sean] I think right now, and I mentioned it earlier the biggest gold rush right now for the vendor space is providing tools to actually see into their network and understand what's there. But that market, whether you're a power plant or whether you're a chicken processor people are really thirsting to understand because every day someone's bringing in our office is guilty of it. Someone's bringing in an Alexa or plugging in a smart fridge or doing something silly. And those the Alexa and the smart fridges of the they're red herrings to a lot of degree but they're still bringing in test benches and they're still bringing new cool technology and new everything to transform how they interact with their business, with their clients. And none of those things have a real best practice for security. So whether you're a corporate Boone or you're working on wall street, like all this stuff is going to start changing how we interact. That's the biggest trend I've been seeing.

- [Ryan] Okay. And now let me ask you a question about your interaction with just the general companies that you talk to and work with, and maybe even just converse with, that maybe are not customers per se. But one of the things we've realized in the IoT space is how important education is and how often a lot of these companies run into the decision makers within an organization who are very resistant to change, bringing new technology into the business, dealing with legacy systems, the costs, the unproven ROI at times. There's a lot of hesitation, like why companies adopt. And I'm curious if you've come across similar problems engaging with companies who are maybe stuck in a different way of thinking when it comes to security, IoT and so forth, that kind of stalls the adoption of new technologies, whether it's on the IoT side or on the cybersecurity side or just general technology that you all work with. How do you see that? What has your experience been on that front and kind of how do you approach it?

- [Sean] Yeah, that's the Luddite conversation. The people are afraid of the printing presses. Like we got to get up a little bit. I've worked a lot with companies who were the low margin businesses or were just really tight budgets. And there was always this assumption from security of like, who would target us, who would want to harm our little firm. And it's never been about that. It's always been about like, hey, let's make these systems more robust. Let's make the data better. Let's make all this other stuff better, but you cannot do that without a strong cybersecurity thread bleeding through all that stuff. You guys talk a bunch about Industry 4.0 and all the cool new stuff that all these IoT devices can like unlock. And in many cases that stuff will get shot down every single time if you don't have a really strong how are we securing the data? How are we securing the identities? How are we securing the access? How are we securing the time of these things? And if you can't show those four main components, it's really hard for someone who is a Luddite to really jump on board with it. And there's always gonna be this kind of knuckle dragging into the future component. I mean, you talked earlier about training from a cybersecurity perspective. When was the first time you heard don't click? Seven years ago, 10 years ago. And we're still having to tell people not to click on suspicious links.

- [Ryan] Well, it's interesting cause to that point, there's even things that, these spammers or whatever you want to call them are getting more sophisticated with not just the links but the formatting of the emails and the messages that come out whether it's through text message now, whether it's through email and they're able to disguise their email address so that it comes up with the name of somebody you know and not necessarily like displaying the email address which then you could tell is not real. Or they're creating the layout to look very identical to something that holds your bank information that you may get from your bank to click through and then give them access to your account. So you're right. It's something that is fascinating that we still have to kind of teach people.

- [Sean] You wanna hear a funny story about that? So my mom, eighty years old, she's on one of the dating sites. I don't know if it's eHarmony. She sends me a link one day and she was like, hey, I've got this four star general that wants to date me. And she sends it to me. And it's a picture of a four star general. It says like, Colin Powell on his chest or something, and the message is from like Dave Smith. It's like, mom, clearly that guy is not using the right picture. Like, come on. Like, you can't fall for this anymore. This is like the 10th time we've done this, come on mom.

- [Ryan] Yeah. It's scary though. Especially when you have loved ones that are older and technology is relatively new to them and they're kind of the happy go lucky at times with stuff they just don't, they're not skeptics yet when it comes to the technology piece, based on the way they use it. And people are preying on that. And it terrifies me. Like my parents they use technology a decent amount but my mom is kind of still a novice on that front and there's things she'll send me and it'll just be like, is this real? Is this legit? What should I do with this? And it's like, if she's asking those questions there's people out there that are getting this and not asking those questions and are just assuming that people have the best intentions when in reality they intend to know the complete opposite. And they're the ones that are getting hacked. They're the ones that are getting their identity stolen and their money stolen. It's a very scary world when it comes to that, for those who are, less up to speed on kind of the ways this can be approached and not kind of having a skeptics viewpoint with almost everything they do when it comes to technology.

- [Sean] And you know, when you start thinking about the user base and the corporate environments that this IoT game is really kind of the waves are crashing on. There's all sorts of new ways for someone to click into something. Alexa asks me every day if I want to like upgrade to some music platform and one day my five-year-old is gonna say yes. And that's gonna start happening in the corporate realms. It's gonna start happening with, all the new cool technologies. My thermostat asks me if it's too hot. That's crazy.

- [Ryan] Yeah. It's insane to me. Now I wanted to ask you though, as the security threats are continuing to evolve, how has the pandemic affected the security space from your end? Have you seen new threats coming up or new problems companies are looking to solve on the security front because of the pandemic?

- [Sean] You know, the thing that the pandemic really is shying from a broad cybersecurity perspective, not just IoT, was like number one remote access. Like I work with a lot of critical infrastructure clients, like pipelines and stuff like that. And they sent home most of their staff that doesn't need to be on the pipeline, but there's still guys who do, but they've now opened up a new remote gateway where they're actually logging into this equipment from their home. And there was always this kind of like subtle fear about third-party risk there. Like how were these people interacting? Where were they coming through? Was it like a VMware terminal? Was it accessing a piece of like Siemens gear? And people were kind of concerned about third-party risk, and then the SolarWinds and FireEye stuff happened. And that like turned the whole thing upside down. And COVID led to work from home, work from home led to a proliferation of tools and access from other parties that we weren't even thinking about. And then bam, SolarWinds has a presence in like 95% of our corporate environments. And there he had a big back door. That big back door went right to the . And they were monkeying around with data and playing with stuff and Microsoft was exposed. So it was the biggest security company in the world, FireEye. So we're a bunch of other little mom and pop shops. I think that's been the most interesting part is how big of a light has been shined on our naivety around the cloud and how things work.

- [Ryan] Yeah. I totally agree with you. And to that point, what can companies or individuals do to better protect themselves from these risks that we've been kind of discussing, or just like the future unknown risks that will be coming up, that security companies like yours are going to be battling against, that these companies may not be aware of just yet?

- [Sean] From the IoT perspective, buy smart. I can click on Amazon right now and find a really cheap camera, find a really cheap accessory, whatever it is. And you get what you pay for. We do a lot of device testing where we'll reverse engineer this equipment. We've got a utility client, but we are their test bench. So if they're buying something new from the tried and true vendors or something fringe from an IoT or from a cloud vendor, we'll pull it apart first. And we find all sorts of, number one, shortcuts in the code, shortcuts in the firmware, open ports, like just things that shouldn't be there. And then number two, we do find occasions where there's been someone tinkered with it. We have a client that's got retail locations on, I'll say, federal facilities, if 700 locations on federal facilities. We found active spyware using cheap TVs sourced in foreign countries that was turning on the camera and filming what people were doing in the room. And the government put out some notifications not to buy from those vendors and it's happening. And that stuff exists left and right. And you know what, it's a numbers game. They don't care where they are. They just want to see what intel they can get. And if in your own world, if you're buying something on Amazon, you get what you pay for.

- [Ryan] Yeah, I totally agree. We've actually had a number of guests on last year who we focused a lot of our conversation around the consumer devices and security spot or side of things. And a big thing for them was talking about really understanding who you're buying from and understanding that a lot of these companies that are using like China, for instance, to manufacture devices, you don't know where the data that's collected is going, and whether it's video, audio or whatever kind of data it is. And you just blindly accept terms and conditions. You always kind of just click the box, and all the updates that come through, you're fine with accepting them. And there's been a lot of issues with those devices collecting the data you don't want them to collect, but most consumers are uninformed, or they're misinformed on kind of how to go about the buying process for their devices that they put in their home. And I'm sure it's probably a similar situation for enterprises, even at a larger scale.

- [Sean] Yeah, totally. The biggest killer of a CISO. People used to think like, oh, if you get breached the first thing to do is fire your CISO. That's not really true. But the most case scenario when the chief information security officer gets ousted, it's when he disagrees with the marketing team, he disagreed with the sales team because they want to have some new portal and they want to monetize this Salesforce data and they want to do all this cool new stuff. And our guy, our security, it puts the brakes on it because it's too immature. And that's what gets most people fired in this world.

- [Ryan] Interesting. I didn't really know that, but that's quite fascinating, because I mean I could understand why they would clash at times, but the whole point of having that security information systems officer in the company is to protect the company. And that's oftentimes overlooked by those parts of the company, I mean, the departments that are trying to move forward and worry about bringing in money and so forth. And it's often overlooked how important the security piece is and what that could actually cost you financially if you don't do it correctly the first time.

- [Sean] It seems the only way we're learning is by mistake and watching something bad happen to someone else. And then a bunch of budget gets released somewhere else because this company screwed with. And that's just, it's dumb logic. So when I'm talking with my clients who don't have the authority, the budget I'm actually coaching them to go find that CMO, like go ask that guy, hey what are your
