The Device Chronicle interviewed Mirel Sehic, Global VPGM Cyber Security @ Honeywell Building Technologies, on the latest trends in cybersecurity for IoT-connected industrial devices.
Mirel is the VPGM / Head of Cybersecurity for Honeywell Building Technologies (HBT) and is working to address challenges, driving breakthrough growth opportunities, capabilities, and efficiencies, and promoting best practice excellence across the ever-changing IT / Operational Technology (OT) cybersecurity landscape. Mirel also believes in using simple methods to distill complex topics to educate, empower and enable teams to integrate emerging technologies across Digital Operations (Cloud, AI), ICT, and Cybersecurity.
Outside of his work with Honeywell Building Technologies, Mirel is a member of the board of Building Cyber Security (BCS), a non-profit organization leading Cyber Physical Standards development, education, certifications, and labeling authority, advancing the physical security and safety in public and private sectors.
Mirel begins the interview by emphasizing that regulatory frameworks and standards are essential, and he remarks that “we are starting to see more of them (regulatory frameworks and standards) as society and governments wake up to the fact there is increased risk and a need for better overall governance and hygiene in connected systems spanning OT, IoT, and IT.
In cybersecurity readiness for IoT devices, Mirel describes three critical stages of creation, deployment, and upkeep:
At a high level, he says, and if we shift left and start with the IoT device manufacturer, then having secure device lifecycle process (SDLC) methodology in play is essential where there is any software on hardware. The whole lifecycle approach to development needs to be taken into account from gathering analysis, design, implementation, and testing, to deployment and maintenance.
On the hardware device, he says, we need to have a real-time secure OS that is hardened to the point that it only executes the calls and procedures that the IoT device is designed and intended to do.
Then he says you must ensure that the device is continually updated and you reduce the risk of breaches through undetected vulnerabilities, and this involves asking and knowing how the device is updated. A product security instance response team with a P cert process typically handles this. “The team will issue the appropriate alerts and ensure it is clear which personnel should update which devices and that the process is readily available in hotfixes and routine maintenance patches.”
Mirel also highlights some additional ancillary considerations for protection: These include ensuring that systems require multi-factor authentication for users, least privilege access, and knowledge of where precisely the devices sit, whether that is in critical infrastructure or a segmented network using the C2M2 (Cybersecurity Capability Maturity Model) Model or ISA 99 zones or conduits. “Finally, you need to examine the architecture of the IoT device to understand how you can secure it within the cybersecurity environment it finds itself in.”
Mirel also stresses the need for user education: “Users need to know what the different devices in the IoT fleet are designed to do and what they are capable of. Also, it’s important to understand what the devices are used for and to have good processes in place for decommissioning.”
Device lifecycle management is slowly starting to mature. Mirel believes that frameworks, standards, and regulations are only a part of this. Mirel says the rubber hits the road for new greenfield builds, and here, there is the capacity to take the right approach to cybersecurity from the beginning. Here you can bake in best practices, whereas, in brownfield, it is a case of having to bolt onto legacy infrastructure. “These OT systems have stood the test of time and deliver value. Still, there are specific challenges in adding to them, whether we are waiting for the right life cycle opportunity to migrate to get us to “good” or need a particular planning methodology.”
Mirel boxes standards and frameworks into two large groups:
There are common overarching frameworks from NIST and NISO with similar controls.
Then there is the second, they drill deeper, such as ISA / IEC 62443 and NERC CIP for critical infrastructure protection.
Implementing cybersecurity in product design
Mirel says the best advice he can give to product managers is to follow secure development lifecycle methodology requirements: you map the stage to threat modelling, then you map design to access control, and then you map development to encryption. You need to work through the methodology step by step.
In general IoT, many manufacturers are looking for a fast time to market, so cybersecurity can be overlooked, and this can happen often in the consumer market. In industrial IoT, there is often more rigor and more reflection on proper cybersecurity protection. The premise is that you would want a critical update once you find a vulnerability, but the caveat is that the update will not disrupt the operation, and it must be a vulnerability that is exploitable in the operational environment. OTA updates minimize the “time to live” of that vulnerability exploitable in the operating environment. What is the risk of opening a previously air-gapped environment to OTA updates? And each industry is different: You must ask the question, if I do nothing, what is the propensity to have that vulnerability exploited? Do I need to update the exposure immediately and benchmark what it means for OTA connectivity to the site? Or do I patch it as part of my routine maintenance life cycle every three months?
Mirel observes that many more digital transformation initiatives are taking place across these industries, and the “comfort levels” are growing for IoT connectivity. He says “You are looking for business benefits from digitalization, but this has to be married against business risk. What does the delta look like? Is it negative or positive towards connectivity? If it is only slightly negative, you may look at mitigating factors, decide to proceed, and absorb the risk for the reward. But as industry and digitalization evolves, we will reach the point where connectivity is critical.”
Mirel’s group looks at OT environments and air-gapped clients. They help industrial clients consider the “what if” of connecting their business. If they can generate X, Y, and Z in terms of increased production efficiency and new value, how will that then affect their threat footprint? How can they rein it back in so the risk is manageable? The real boon for C suite in IoT connectivity and machine data analysis, is the promise of the ability to be more agile to business performance by having metrics and decision support from the data to hand on refinery performance to make better decision making. “Are these outcomes and data insights readily available a strategic good for the executive management? It could have huge impacts on the supply chain, on personnel who come to maintain and fix equipment in a facility, and significant knock-on effects on how you manage the lifecycle of a facility.” A fascinating strategic topic for corporate leaders to ponder, Mirel concludes.
Image by KJ Pargeter on Freepik