An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.
As the internet takes physical form, today’s cybersecurity simply doesn’t cut it.
By 2023, there will be three times more networked devices on this planet than humans, according to a report from Cisco. As more and more connected devices join the Internet of Things, the targets available to hacker crews, including sophisticated and state-backed malicious actors, grow to include not just computers holding sensitive data, but also pacemakers and railway sensors. In an era where a hacked camera can serve as the point of access for a cyberattack, time is running out for governments and private businesses to build an adequate defense. Simply put: the existing solutions to cybersecurity are no longer sufficient.
One of the most popular approaches to defending against attacks today is vulnerability patching: the process of periodically checking operating systems, software, applications, and all software components for newly published vulnerabilities, in order to patch them quickly, before they are exploited by malicious actors. Until now, vulnerability patching has been in the spotlight for securing IoT devices, even though most vendors find it difficult to keep their devices up to date. But we must ask ourselves: if it is so difficult to update IoT and embedded devices, can we still rely on vulnerability patching to secure them?
For embedded and IoT devices, patching is a difficult and expensive task. Vendors today spend countless hours integrating a patch and releasing a new version, not to mention the tedious regulatory process that mission-critical devices must go through before the update can be launched. This process can take months, during which not only is a lot of money and time spent, but the devices themselves remain vulnerable to exploitation. In other cases, many of the devices will never receive the update at all, due to isolated environments and other external factors. Vulnerability patching mitigates known vulnerabilities, while there are always unknown (zero-day) vulnerabilities that remain unhandled and continue to endanger the devices. The more code you write, the higher the chance of adding to the system a new vulnerability that can potentially be exploited, and the amount of code continues to grow exponentially. The heavy use of third-party and supply-chain code makes it even more difficult to protect devices and keep them up to date.
For example, the Colonial Pipeline was recently hacked by DarkSide, an Eastern European criminal hacker group. The pipeline was attacked on May 7 after a single password was breached. The attack originally cost the pipeline 75 bitcoin, 64 of which have since been recovered. Vulnerability patching wouldn't have been sufficient in this case. What could have helped is a runtime security solution that protects and monitors the devices in real time.
Today, patching has become a game of whack-a-mole. With connected devices, particularly mission-critical ones, patching becomes even more challenging. For example, a hospital network used to have to worry only about a hacker attacking the computer system, but now an attacker can compromise any medical IoT device on the network and, from there, potentially gain access to the entire hospital network, including patient files, medical history, and payment information. Dealing with these attacks at the vulnerability level requires huge amounts of resources, and even the most successful operations cannot ensure bulletproof security, since they only root out the known vulnerabilities, and only if they manage to patch them on time, which is rare. This will not prevent new cyberattacks and will not offer any real-time active defense against potential hackers. Imagine how much time and effort it would take an enterprise to patch millions of vulnerabilities daily. It's just not possible, and with the rise of IoT devices, hackers know this.
Experts should be moving away from perpetually investing resources in manually and arduously patching every vulnerability, especially since it's costly and most devices are not updated on time. Instead, they should look for ways to automatically identify and prevent the exploitation attempts themselves through proactive, runtime security controls. Such proactive controls are a better fit for the distributed, hard-to-manage and hard-to-patch IoT environment, offering a higher level of security and visibility that works autonomously without requiring any updates. Vendors and device manufacturers are already spending money and time maintaining their devices (including significant legacy-device plans), and this is only expected to grow with new regulations and IoT market growth. This is the time to think about a better, more sustainable solution: one that saves money on patches in the short term and brings data visibility and autonomous capabilities to edge devices in the long term. It's the only way cybersecurity solutions can keep up with ever-evolving threats and make sure all critical assets are under proper protection.