Chief Security Officer, Global Value Chain, Cisco
We used to only imagine a world where connected “things” talk to, listen to, and observe all of us. For example, biometric data compiling in real time as we eat, sleep, and go about our lives in order to provide us with better health outcomes. Or a world where devices are able to talk to other devices at speeds beyond human comprehension to improve the performance of human transportation, factory floor production, or the human interface with our mobile devices. With today’s influx of connected devices, we are already roaring down a high-velocity digital highway. Our challenge now is to understand how to reap the benefits of that connected world while also ensuring security with every connection we make.
These connected devices are sharing information and controlling operations across a spectrum we could not have imagined even five years ago. Moreover, the convergence of Information Technology (IT) and Operational Technology (OT) has been sweeping global industries, including sectors such as energy, heavy equipment, transportation and healthcare. Digital connectivity has also expanded into all aspects of daily living and government, exacerbating the need for ever more vigilance and security across and through this interconnected environment.
Today’s focus must be on who has access to the operational data generated by this hyper-connected world and how to ensure that every device in it is secure. The exponential increase in the number of connected sensors and devices creates an attack surface of unprecedented depth and breadth. Thus, the challenge is to secure these exponentially increasing connections.
What often keeps me up at night is my concern for the hidden and often overlooked reality that as we digitize, we are expanding the ecosystem of third parties who will inevitably impact us. Who will be “touching our stuff”, whether physically or digitally?
The more we connect – the more transparent and collaborative we are – the more we are allowing others to observe and possibly control us. For better, or for worse.
As participants in digital culture, whether individually or at an enterprise level, we must be aware of who and what is digitally and physically touching our information and devices. As the deployment of connected devices expands, the related third party security risk of data loss, invasion of privacy and cyberattacks will only rise.
To meaningfully address this inevitability, let’s step back and examine the problem by defining it in terms of threats and threat impacts.
Manipulation – The alteration of technology that allows unintended control or observation. Such an alteration of a connected device and its resultant security vulnerabilities can have a host of ramifications. Ramifications that include a failure of the device itself or control of the Information Technology (IT) systems to which it connects, including a denial of service. Ramifications can also manifest in the Operational Technology (OT) that has converged with these affected IT systems, including outright failures or reconfigured operational settings.
Espionage – The observation of confidential information at any point in the new ecosystem of digitally and operationally converged technology. Espionage is not just the prerogative of nation states anymore. A disgruntled co-worker or a devious neighbor can equally be an unwanted observer.
Disruption – From the most draconian level of a full denial of service to precise surgical alterations that allow data and operational processes to be changed. Have you ever been in an airport when a reservation system goes down?
THE THREAT IMPACTS
Tainted Solutions – Whether hardware, software or cloud-based services, the threats identified above lead to the risk of taint—anything that no longer functions as its designer or user intended. Taint can have far-reaching consequences.
Counterfeit Solutions – Functional integrity and quality are compromised when deceptively “real” looking and functioning technology is put into operation. We can all fall prey to spoofed emails or a false front cloud platform.
Intellectual Property Misuse – The lifeblood of innovation, intellectual property (IP), when disclosed in whole or in part, can be effectively leveraged by bad actors to manipulate, falsify, and create tainted and counterfeit solutions.
Awareness of these threats and threat impacts to you, your enterprise, community or government must encompass a view throughout the entire value chain. What exactly is this “Value Chain”? The value chain is the end-to-end lifecycle for any technology used in our growing digital culture.
RISK VS. REWARD
Connected technology should be used to serve us – humanity. To use it wisely we must examine when and how to use it, balancing the security and safety risks inherent in connectivity with its obvious benefits.
Let’s explore this essential survival tip for the digital age, because the connected world requires a rigorous risk and reward analysis.
It is important to understand a digital device before you connect it. Be aware of why and with whom you are sharing information. From a consumer perspective, consider the example of a smart refrigerator. The primary function of a refrigerator is to keep items cold. Ask yourself:
- Do you really need it to check Facebook or read email?
- Do you actually need it to count the eggs or check the expiration date of your milk?
- Will you even use all the features it provides?
- Does the refrigerator allow you certain control options?
- Can you manage who can access the refrigerator from other connected devices?
- Does the manufacturer provide software updates to address new security vulnerabilities?
Similar consideration should surround the use of any connected device. This is true for consumers, enterprises and governments alike. Inherent in all cases is the need to also address the potential third party threats. So the next time you’re chasing the latest shiny object—whether a connected refrigerator in your home, or connected industrial control systems in the manufacturing plant—avail yourself of your human advantage, perhaps enhanced with data analysis and some artificial intelligence for good measure, and weigh benefit versus risk FIRST.
The extraordinary opportunity to reap life-altering benefits from the burgeoning growth of connected devices is ours as we roar down today’s digital highway. But to live wisely and thrive in our new digital culture, we must think through how best to take advantage of pervasive connectivity, balancing the security and safety risks inherent in every on-ramp.
Edna Conway currently serves as Cisco’s Chief Security Officer, Global Value Chain, creating clear strategies to deliver secure operating models for the digital economy. She has built new organizations delivering cyber security, compliance, risk management, sustainability and value chain transformation. She drives a comprehensive security architecture across Cisco’s third-party ecosystem.
Conway is recognized domestically (US Presidential Commissions) and globally (NATO) as the developer of architectures delivering value chain security, sustainability and resiliency. She was recently appointed to the Executive Committee of the U.S. Department of Homeland Security’s ICT Supply Chain Risk Management Task Force. Her insight is featured in a range of publications, analyst reports, and case studies, including Forbes, Fortune, Bloomberg, Washington Post, CIO Magazine and the Wall Street Journal.
Acknowledgement of her industry leadership includes membership in the Fortune Most Powerful Women community, and awards including: a Fed 100 Award, Stevie “Maverick of the Year Award,” a Connected World Magazine “Machine to Machine and IOT Trailblazer” Award, an SC Media Reboot Leadership Award, a New Hampshire Tech Professional of the Year 2018 Award, and CSO of the Year Award at RSA. Conway serves or has served on Cisco’s Cyber-Security Board, Risk and Resiliency Operating Committee, Global Compliance Governance Committee and Eco Board. She also serves as an independent advisor on the Executive Advisory Boards of many technology companies and organizations.
Prior to Cisco, Conway was a partner in an international private legal practice and served as Assistant Attorney General for the State of New Hampshire.
For more: Twitter: @Edna_Conway; Cisco’s Global Value Chain security solutions at https://bit.ly/2DxM20u