In the last few weeks, the Ripple20 vulnerabilities have once again brought the challenge of securing IoT and OT devices to the forefront, underscoring the risky supply chain of software and hardware components that serves as the foundation for many of these devices.
While these vulnerabilities are significant on their own, what they show on a more fundamental level is the dire need to rethink how we are all approaching IoT security as an industry, all the way from manufacturing to the mitigation of vulnerabilities.
What makes the Ripple20 vulnerabilities so widespread is that the security flaws lie in the TCP/IP stack that underlies many embedded systems, including industrial control systems, medical devices, and printers. It’s not just one type of device or manufacturer that is impacted by this, but potentially hundreds of millions that this software crept into their supply chain. This is an opaque process, with little or no visibility into what components make up each device.
The obvious solution to this challenge is to start building connected devices with security in mind. This hasn’t been the case to date, as we’ve rushed to connect billions of devices to our home and corporate networks with no “bill of materials” or “nutritional label” to account for what’s in their components. What’s more, there is little incentive for manufacturers to correct this, as it’s more costly and complex. Sometimes, it’s just not possible.
That’s why should call on the industry to fundamentally shift towards embracing collaboration and contribution. Security is a team sport, and each vendor has a huge opportunity to make an impact. The concept isn’t a new one and is often touted by companies as they form partnerships and alliances. But the Ripple20 series of vulnerabilities highlighted the importance of that value once again in a number of ways, from disclosure, to identification, to mitigation.
For the devices already out there, we need more companies like JSOF who are pouring resources and investment into research around potential security flaws. These companies also need to engage with the industry throughout the process, sharing those new insights and working in collaboration with the manufacturers to roll out patches before the vulnerability is announced to the public. And, in some cases, it is important to work with peer vendors – even competitors – to deepen the collective understanding of a vulnerability’s impact.
An important component of that research is responsible disclosure. While this is important in any type of security research, it is especially true with the wide-ranging nature of IoT vulnerabilities, even more so with the impact to critical infrastructure. For Ripple20, JSOF’s diligence to find potentially impacted vendors meant digging through LinkedIn profiles, job descriptions, and more to find any connection to vendors affected by the vulnerable software. Then after compiling a list, making sure that each company was dutifully notified before publication, omitting those that did not have fair warning.
Finally, the industry needs to work together to help companies remediate these issues. Anecdotally, one large financial firm I worked with found at least 3% of all its devices were potentially vulnerable – a significant challenge for any organization, regardless of their security budget. There is no one silver bullet that fixes these vulnerabilities, but the more support companies can get in these tasks, the better.
Over time, the hope is that manufacturers also join in, and we can start building connected devices with a security-first approach. While this isn’t a transition that will happen overnight, one place to start would be with a “bill of materials” for IoT and OT devices. A significant challenge in identifying which devices are affected by Ripple20 has been that there isn’t an easy way to identify which devices are running the vulnerable software Treck under the hood, ultimately making the disclosure and remediation process more complicated.
The bottom line is we’re all in this together, working as allies against the attackers and bad actors. This mindset will only become clearer as we begin to understand more the fraught supply chain that was created underneath IoT and OT devices, and how that will impact organizations for years to come.
Ellen Sundra is the VP of Systems Engineering at Forescout Technologies.