Episode 18
Securing the Smart Supply Chain
In episode 18, Alan Mihalic, President of the IoT Security Institute, speaks to the challenges and success factors associated with securing Internet-of-Things (IoT) devices in smart supply chains. He draws upon the IoT Security Framework to share some guiding principles and practices to help supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely for smart cities and critical infrastructure.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-18-securing-the-smart-supply-chain/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone. I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I will be talking with Alan Mihalic, Founder and President of the IoT Security Institute. Alan, welcome. It's great to have you as a guest. Thanks for making time to share your thoughts and perspectives with our listeners. So let's get started with you sharing with the listeners a bit about your cybersecurity journey.
Alan Mihalic: Well, firstly, thank you, Dave, for inviting me, it's a pleasure to be here. My journey is a long one. It started off very much in a technical realm, working with security, security services that evolved over time into architecture, governance, risk management; subsequently, it moved into advisory services. And that's spanned a period of over 20 years now. Of late, relatively, I suppose, the emergence of smart technologies and smart cyber has drawn me into that area, because, firstly, it's a particular interest. And secondly, it is certainly the challenges of the future, and as many cyber professionals will state, the future is far more interesting than the past.
Dr. Dave Chatterjee: True, very true. And in fact, when we were discussing this podcast, and we are talking about securing the smart supply chain, and you are talking about your IoT Security Institute, the Internet of Things Security Institute, it kind of brought to mind the reality that we face today, where the more digitized we get, the smarter we get, so to speak, the more vulnerable we are. While these smart devices offer many benefits and capabilities, they are known to have weaker security protections. They're often not easily patchable or updatable. So there are lots of challenges in front of us. You know, how would you define or describe the challenges of smart supply chains?
Alan Mihalic: Well, I think firstly, if we just look at IoT and devices first, as part of that overall picture, I think that it's not just a technological change, but it's societal change. And the emergence of IoT has affected urban planning, engineering as much as it's impacted network computing services and traditional services delivery. I mean, effectively, IoT is at the core of our smart cities we live in, the smart buildings we occupy, and even the smart bodies we inhabit. And as a result of the sheer number of these devices, and the increasing dependency upon these devices to function in an expected manner, especially in critical environments, bring forward a scenario where the ramifications of failure or compromise are incredibly significant. We cannot afford to be complacent when it comes to this type of security, particularly IoT security. So the interesting thing is that that could effectively be looked upon as somewhat of a technology restraint. But this shift has also caused a great deal of change in the way we just view security and national security, in a way that perhaps we never had before. And I'd just like to extrapolate upon that a little bit. The notion of protecting a nation or protecting our critical assets has generally been thought of as a government responsibility. Now from a military perspective, if our nation is at threat, we have an army, we have an air force, we have a navy, and the government is tasked with making sure that that meets the challenges ahead and the potential adversaries that may threaten our existence, to put it that way. This technology, it needs to be understood, and many are coming to it now, has redefined security, and national security can no longer be simply a government responsibility. And you're seeing that in the changes in the way that legislation is produced, the way we approach the whole notion of being a secure society. Now, let me give you an example. Governments have been briefed, and are well aware now that they cannot, as previously mentioned, secure us; they need to rely on both the public and the private sector. So cybersecurity has now been given as a responsibility to corporations, and institutions have got a responsibility. And governments are driving this down very strongly to ensure that they meet, as you mentioned, those security challenges that are emerging out of the IoT or, you know, bigger picture, smart technologies. So to protect a smart grid or water supply or things of that nature, the government can't just do it; the government relies on the community and corporations to ensure they do their part. Now that ostensibly may seem a very logical thing, and it certainly is, but from a practical, from a deployment, from an accountability perspective, it is a seismic shift in the way we look at security. So, we may come in and say IoT devices, but when we look at how they are deployed, and the sheer number of them, and the omnipresent nature, it becomes quite a challenge. So we can say that the conversation can be had at multiple tiers, with similar considerations.
Dr. Dave Chatterjee: Absolutely. In fact, you know, you really need to take a holistic approach, a people, process and technology approach; you need to involve the various stakeholders. Like you said, government alone is incapable of securing the critical infrastructure; the partnership with the private sector is essential. I have to mention, in the context of this discussion, in March of 2018, my city of Atlanta suffered one of the largest and most expensive ransomware attacks, costing upwards of $17 million. The city and its services came literally to a standstill. You know, all the automated operations were kind of crippled, everything had to be handled by paper, in person: payment of water bills, renewals of business licenses, payment of parking tickets, you know, everything got affected. And that's just a, well, I don't want to use the word just, but that's an example of a city getting breached. Now, think about our nuclear infrastructure. Think about, like you mentioned, the water systems, the natural gas resources; we are deploying smart technologies everywhere, to enhance efficiency, enhance effectiveness. But, you know, while we do that, unless we are extremely security conscious, it is a huge challenge. It's not easy to handle. In fact, you mentioned during our prior discussion the security by design approach, and that really appeals to me. I'd love for you to expand on that for our listeners.
Alan Mihalic: Okay, well, security by design is effectively ensuring that cyber security and principles of privacy are included in all stages of the design, build, run process. Now, that means that security is not factored in after a building or a city solution has been implemented, but it's very much part of the entire process. And because urban planning and engineering is such a complicated area, in both the physical and virtual aspects, it's paramount that these checks and balances are maintained through the process. And we can take that as simply as saying that, again, coming back to the idea of IoT devices, ensuring that they're appropriately sourced for their purpose, not simply as a case of the beneficial price points, and equally, the standards need to ensure that the privacy of the community and of the individual is protected. Now you can take that out from a device to the philosophy of the city, you can take that out to the risk appetite of the community. And so security by design means to factor in the considerations that you would when assessing the risk profile, the security controls required to protect a given asset. Now, I'd like to sort of take it a little bit further than that. Now, for those of us that have been around long enough, we have always defined security as securing an asset, and that asset has often taken a physical form, but just on the previous point, that security by design can be taken to the investment, can be taken to a community, say the state itself. Now, let me give you an example. You know, we look at the stock market, and we look at the stability of institutions to be able to provide a service that has a return on investment. Now, if we look at that, in this context, communities, cities, have a responsibility to ensure that they can provide all of the services required for day to day operation. Now, from a business perspective, you were talking about bringing down the services in Atlanta; now, look at the investment. If we look at that, following through with the investment implications, and the risks associated with doing business as we evolve into a smarter and smarter world, I mean, would you invest into an organization or a city that has such a potential bad record? You would have to consider that; you would have to say, well, what's their infrastructure like? What happens if it all falls over? And when we speak about the energy sector, we know that minutes is millions; we're not talking about small sums of money. Additionally, from a society point of view, from the welfare or mental health of their citizens, as we ask them more and more to be participants in this smart world, we have to understand that people by their nature require stability and security to function properly. Now, if we live in a society that has these disruptions, there is also a follow-on effect to the community. And just may I finish off that point by saying that often these concerns are difficult to communicate across the table, especially at this time in the story. In the future, obviously, it will become easier as it becomes more prevalent. But the argument for smart technology: we know the benefits, we know what can be done, and we know the potential that it has. But from a business, if I might just wear a business hat for a moment, as cyber professionals, we need to ensure that it's not the technology alone that needs to be positioned, but we have to understand the core of what makes a successful implementation. And one of those, of course, is return on investment. Now businesses, communities, government all look at return on investment; we provide a service and we get a return on investment, and we decide whether it is of a positive or negative nature. Nowhere is that more applicable than to the smart technology sector. In other words, the underpinning success story of any smart technology implementation is trust. We can stand up a server if it gets knocked out, we can stand up a power plant if it gets knocked down, but when the trust of the community is knocked over, and because by its very nature smart technologies require the participation and engagement of a broad number of people across an array of areas, if trust is lost, that somewhat comes back to my original point about the psychology of communities, then that's a very hard thing to get back, Dave. It's very hard to ask someone to provide all the privacy information, all of the access to things that can be aggregated and circulated, when that's abused. And that's becoming another very critical area. So once again, a point for consideration.
Dr. Dave Chatterjee: Absolutely. In fact, your points are very well made. Security has to be etched not only in the organizational DNA, but also in the human mindset. It might sound a little odd, but that's the environment we live in. Because every step we take, whether in the capacity of a professional or in our personal capacity, the security implications have to be considered, and I'm trying to keep it at a level that everybody can relate to. I can get a little more technical if I wanted to, but I don't want to at this time. But yes, at a high level, literally every aspect of our life, professional, personal, is getting affected. And it's a very, very difficult, formidable challenge to get everyone to do their part. You know, I've been saying this for a long time, that cybersecurity is everybody's business; we can have the best of cybersecurity professionals, we can have a great design in place, we can even implement as per plan, but to be able to sustain it, to achieve almost like a high level of precision, and, you know, to make it as fail-proof as possible, many, many things have to come together. And that makes it a formidable challenge. While I think of challenges, one thing that comes to mind is vendor selection, vendor management. I've learned that the IoT vendors don't have a great reputation of providing very robust devices; once they have sold something, they kind of would like to walk away from it. Given the proliferation of the devices, the fact that we will be using such devices more and more, what are your thoughts and recommendations on vendor selection and vendor management in the context of IoT devices?
Alan Mihalic: Yes, of course. Well, I mean, from the outset, it's effectively a case of buyer beware. And as the evolution of these devices has moved forward, people are becoming more aware. And some of the key areas, of course, as I touched on previously, was to understand that it's not about price point. You know, naturally it's a consideration; we're talking about thousands of devices here, millions of devices. And it's not difficult to understand that when the procurement department sees the orders, and sees what the associated costs may be, there's certainly a push that, you know, let's buy cheap, it's effective, let's buy cheap. But we've quickly understood that the first thing we need to understand is, as I mentioned, that the IoT device has to be fit for purpose; it needs to be able to maintain a baseline security that is in accordance with the data that it's collecting, aggregating, filtering, analyzing, etc. It cannot simply be a, let's call it a dumb device, for want of a better word, that has no inherent security controls. Because, you know, there's that old saying, you could spend an awful lot of money on security controls, but be undermined and undone by a $10 IoT device. Yeah, there's the old story, you know, about the goldfish bowl, a temperature sensor in the casino, where they brought down the casino through that, and it's been overly used and, obviously, overly referenced. But it's applicable. And so I think that, to your question, what needs to be done is that organizations, government, need to provide assessments and checklists to ensure that the purchasing process is aligned to what the product will be exposed to, and the risk associated to that product. And that can be driven by, as I said, buyer beware: we have better educated people that can make those decisions, that can put in the appropriate standards and checklists that ensure that this is what we need. And step one will have to be a compliance governance model against these devices; you cannot simply go out and procure something because you think it's the best product, we need to take that GRC component into effect. Equally, governments around the world are now starting to look at actually mandating that, you know, for a particular organization to procure a particular device for a particular purpose, it needs to adhere to this mandated standard. So those are the positive things that need to be done. And I was, a few weeks back, on a bit of a panel, even looking at the potential of labeling requirements for products both in the, let's say, business sector but also in the privacy sector, I'm sorry, in the public community sector, whereby, and it's a challenge, we won't go into that detail because the time isn't necessarily here to break that down, but effectively it's a communication, education tool that enables people to make informed decisions on what they are buying. Now if we take that into the home for a moment: you go off, Dave, into the local store and you want to buy a device, you can read on the side of the box, this has been rated ABC and it costs 29.95. The other one hasn't been rated ABC and it costs 10.95. You are then put in a position to say, well, what does that mean to my family, to myself, to my privacy? What does it mean to us? So that's another aspect: potential labeling could be a way, and that labeling could be interpreted within a business context in another way. But to round off your question, it's effectively self knowledge, corporate knowledge, standards and legislation that ensure that we don't always buy cheap because it's an easier decision to make.
Dr. Dave Chatterjee: To add to that, we have to have a rigorous selection and evaluation process. In my book, I talk about the commitment, preparedness and discipline framework of creating a high-performance information security culture, and one of the themes of that framework, or the framework, speaks to creating this culture where every step that an organization takes, and in this context, the one that comes to mind is developing the business case for buying anything. And a business case, as you know, has several evaluation criteria. And security has to feature very prominently; whoever is sponsoring a particular purchase needs to clearly articulate and know which devices are being bought, from whom, why, what steps have been taken to review, to validate. So it has to be a very comprehensive process, it has to be institutionalized, so it's as fail-proof as possible. Well, yes,
Alan Mihalic: Sorry. And I think, to take a point further, that is the business case that needs to consider, as I said, the trust models underpinning the return on investment. It's pointless being a medical clinic having enormous health service benefits in adopting this technology, and equally it will be more cost efficient, but at the cost of losing the trust and breaching the law; then the business case for the selection process of vendors, etc., takes a different turn. Equally, and I think this is one point that I tend to really focus on, is that there is a community expectation in all of this. When you work for company A, and you sign your paperwork saying I adhere to employment policies and so forth, there's an HR department there, you know, there are aspects that protect you as an individual, not just as an employee. Equally, these technologies that are out there in the community, to be absorbed and utilized by the community, have an underlying community expectation as to what they do and how they do it. And we need to assume, well, like most of us, we don't really know how the traffic system works. You know, red lights tell us to stop and green lights tell us to go, but behind all of that there is a great deal of due diligence around that particular service; there's, you know, we have a community expectation that when one light turns red, the other one turns green. And, as I said previously, the assumption is, well, most people don't know how all of that works. And equally, what we're proposing here with smart technologies, we have to appreciate that the majority of people don't know how it all works. In the same way, I don't know how the transmission works in my car, I just assume that somebody does. And I think that that's part of our business case, and that's part of our community obligations as we move forward. And, you know, this is a heady time, there's a lot of money to be made, there's a lot of benefits to be had. And it's a bit like a new frontier, you know, we want to rush out there and get a plot of land, you know, and put a stake in it, you know, and I think that we need to be very mindful of that.
Dr. Dave Chatterjee: Absolutely. Just imagine we go out there and buy these smart devices to install at our homes; we get excited about the product, we get excited about the benefits. But are we also thinking about the security aspects, the security implications? That level of awareness, I don't believe, is there, and you know, it's not even a fair expectation that it should be there. And that's where the education has to be more widespread. You know, I'm big on making cybersecurity part of the core curriculum. So, you know, anybody who's graduating from college with an undergraduate degree at least has had one course on security, because you want to change the mindset. You want to ensure people are constantly thinking about the security implications, because if that's not happening, and if people still are a very important part of the process, they're unlikely to achieve the due diligence that you talk about. Because it has to feature not only in the mindset of the senior leadership, but across all levels of the organizational hierarchy.
Alan Mihalic: And may I, just quickly on that point, which is extremely relevant, I would extend that education out to the executives, to board executives. You and I have grown up in a time when we both heard the words, well, you know, that's the chief executive for this, and they don't know anything about technology, or that's not their problem. Well, I don't think that's a sustainable argument any longer. They certainly understand how e-commerce works. They certainly understand how their supply chain works, how transport and logistics work, though they may not be truck drivers. I think it's a poor excuse. And I think it's imperative that cybersecurity courses at the appropriate level be assigned, business risk exposures conducted in a way that's applicable to the audience, of course, but it needs to be brought to the board level, to the executive level. That argument of, well, I don't know much about security, that's not my area, I don't think that floats anymore. I mean, you know, executives need to understand price to market ratios, they need to understand the share market, they need to understand, you know, the aspects of business administration. I think cybersecurity and, obviously, its financial and regulatory and other requirements, again, clearly puts a module on the curriculum, I would say, albeit a small one, but it certainly, I think, has a place.
Dr. Dave Chatterjee: I couldn't agree with you more. In fact, many years ago, I was having this discussion with the senior executive of a large organization who said, Dave, I don't have time for cybersecurity, I have to run a billion-dollar operation, that security has to be handled by the department. And so I told him, I said, you know, I get it, that doesn't have to be your focus. But you have to provide the support, provide the commitment, because at the end of the day, if that security fails, the implications can be severe. Now, if I were to have the same conversation with him today, I promise you, he would be saying something different. But it's taken a while for even the leadership to recognize how significant and how critical information security competency is. It often takes, unfortunately, government mandates, it takes legislation to get the organizational commitment that is necessary. And whichever way it is, the sooner it happens, the better. And as you and I know, the tone has to be set at the top, if there's... Yes.
Alan Mihalic: And if we take that logically, back and forward, as we've been conducting this conversation, governments are legislating to the point where they're requiring critical infrastructure executives to do something about situational awareness; it's part of a defense strategy now. And governments are clearly saying, if you're not educating yourself, and if you're not doing that which is required, we will come in through some sort of regulatory means and do it for you. Now, that sets off the bells in the beltway, in the boardroom, because nobody wants a regulator coming around and talking about what you're doing, or you're not doing. So to your point, the initial conversation was, it's not my business, that's the security department. The follow-up conversation is, I am being made accountable. And these are intelligent people we're talking about; they do what they do very well. And when they understand that accountability is associated with their actions, then the mind shift changes. But until we start, through education and legislation, to apportion responsibility, there'll be a slow trend coming.
Dr. Dave Chatterjee:Very true. And you know what, what worries
Dr. Dave Chatterjee:me is, unfortunately, we have a proven track record of being
Dr. Dave Chatterjee:reactive; catastrophes have to happen before we get all serious
Dr. Dave Chatterjee:about it and do things. We are right now going through this
Dr. Dave Chatterjee:pandemic, and without trying to put blame on any
Dr. Dave Chatterjee:organization, it is still my conjecture that we should have
Dr. Dave Chatterjee:been better prepared, given the investments we had in place, the
Dr. Dave Chatterjee:resources we had in place, but we were unfortunately caught
Dr. Dave Chatterjee:napping, and we were reactive. And I worry that through
Dr. Dave Chatterjee:breaches, we could have an even more severe catastrophe. And I
Dr. Dave Chatterjee:hope that never happens. So we can't afford to be reactive. I
Dr. Dave Chatterjee:hope, whether it's the government, whether it's the
Dr. Dave Chatterjee:private sector, they truly form this partnership, this global
Dr. Dave Chatterjee:network, and they approach cybersecurity as one global
Dr. Dave Chatterjee:team, as opposed to taking an isolated, regional, national
Dr. Dave Chatterjee:approach. I think cybersecurity is such a challenge that has to
Dr. Dave Chatterjee:be addressed holistically with all the key players coming
Dr. Dave Chatterjee:together banding together. And that leads to the next
Dr. Dave Chatterjee:discussion I want to have with you is about the IoT Security
Dr. Dave Chatterjee:Institute that you run. And it comes to mind because of the
Dr. Dave Chatterjee:global nature of the organization and how it
Dr. Dave Chatterjee:encourages partnerships. And I believe that we need more of
Dr. Dave Chatterjee:that. Can you speak to the Institute its offerings, its
Dr. Dave Chatterjee:benefits?
Alan Mihalic:Yes. And we move
Alan Mihalic:nicely into it from your previous statement, in that part
Alan Mihalic:of the smart technology sector is that we work with so many
Alan Mihalic:different people. Cyber professionals originally, and to
Alan Mihalic:generalize somewhat, worked within the IT groups; they had a
Alan Mihalic:perimeter, and they ensured that the outside was out and the
Alan Mihalic:inside was in. With smart technologies, IoT, critical
Alan Mihalic:infrastructure, we see more and more cybersecurity professionals
Alan Mihalic:working with urban planners, engineers, industry leaders and
Alan Mihalic:then an array of transport and other essential services
Alan Mihalic:sectors. So the IoT really came about because we did
Alan Mihalic:research and we looked at, there was no shortage of documentation
Alan Mihalic:or white papers that said, Oh, look, these are all the issues
Alan Mihalic:you need to be mindful of. So we, as an institute, started
Alan Mihalic:looking at a means by which we could come up with a
Alan Mihalic:framework, or effectively a guideline, that would provide
Alan Mihalic:cyber and privacy principles to professionals that could be
Alan Mihalic:implemented from a base build through to build completion. So
Alan Mihalic:in other words, it's a way of establishing a comprehensive set
Alan Mihalic:of guidelines to help each of the supply chain
Alan Mihalic:participants to specify, procure, install, integrate, and
Alan Mihalic:maintain IoT security within smart technology ecosystems.
Alan Mihalic:Now, that's a big statement. But what it's saying is,
Alan Mihalic:there's a lot that happens in a Smart Security IoT
Alan Mihalic:environment. So we wrote a framework through
Alan Mihalic:global contributions. And we utilize aspects of NIST and
Alan Mihalic:Carnegie Mellon. And we put together a workflow methodology
Alan Mihalic:that allowed cyber professionals to step through a
Alan Mihalic:series of domains. Now all of this is available freely to
Alan Mihalic:download by the IoT security Institute website. And I
Alan Mihalic:encourage people who are interested to do so. And it has
Alan Mihalic:a series of let's call them domains or actors with
Alan Mihalic:associated activities that ensure all of those aspects of
Alan Mihalic:security by design, are factored into the process and considered.
Alan Mihalic:Now, it's not a standard that stipulates you will do it this
Alan Mihalic:way. It is very much consultative in nature, because
Alan Mihalic:we're mindful that a white paper is a white paper. But a person
Alan Mihalic:tasked with doing a job within an organization needs to have a
Alan Mihalic:methodology by which to work through and engage. So the
Alan Mihalic:framework is very much that, it identifies areas of concern, it
Alan Mihalic:qualifies them, it provides action plans. It's all done by a
Alan Mihalic:facilitation guide, which ultimately ends up in a final
Alan Mihalic:report. So what does that all mean? It says at the end of
Alan Mihalic:the process, this is where we are, this is what we
Alan Mihalic:want to be. And these are all of the security and privacy aspects
Alan Mihalic:that we've had to take onboard. Now, I won't go into elaboration
Alan Mihalic:as I said, it's freely downloadable. But two of the
Alan Mihalic:components that are there might be privacy, that might be one
Alan Mihalic:looking at the privacy experts on it. We also have a domain
Alan Mihalic:that covers Building Information Modeling, Building Information
Alan Mihalic:Modeling takes into account the relationships that organizations
Alan Mihalic:have with third parties and providers. So if you are looking
Alan Mihalic:at a particularly critical infrastructure that relies on a
Alan Mihalic:third party, what are the security controls, information
Alan Mihalic:flows all the security components in that; it is
Alan Mihalic:pointless you having a moat and a 50 foot wall around your
Alan Mihalic:organization, when you're buying blueprints for an Hvac system,
Alan Mihalic:or some other aspect or some sort of design principle from a
Alan Mihalic:third party that's working out of a shared office. I mean, we
Alan Mihalic:know where the criminals are going to go first, right. So
Alan Mihalic:that's, I mean, a little bit off track there. But
Alan Mihalic:what I'm saying is that that's an example of the process. So it
Alan Mihalic:may not be applicable in your instance. But that may be
Alan Mihalic:applicable in someone else's. And finally, it
Alan Mihalic:even works with other standards. So it's not exclusive. If you
Alan Mihalic:wish to utilize the framework and incorporate other aspects of
Alan Mihalic:standards that may be applicable to your organization, you're
Alan Mihalic:certainly capable to do so. But I think finally, that the whole
Alan Mihalic:point is to provide a guideline, a methodology
Alan Mihalic:workflow, that allows cyber professionals to work through a
Alan Mihalic:series of challenges, let's say.
Dr. Dave Chatterjee:Appreciate that, thanks. But as I think
Dr. Dave Chatterjee:about frameworks, and there are several of them out there, I
Dr. Dave Chatterjee:think you put it rather well, that frameworks are not meant to
Dr. Dave Chatterjee:be followed blindly. They are meant to be contextualized. They
Dr. Dave Chatterjee:are meant to be looked at, from the perspective of the
Dr. Dave Chatterjee:organization, the organization culture, they need to be
Dr. Dave Chatterjee:compared with other frameworks. But it definitely offers an
Dr. Dave Chatterjee:excellent starting point, a checklist, a baseline to help
Dr. Dave Chatterjee:organizations kind of shore up their defenses. You know, you
Dr. Dave Chatterjee:mentioned about vendors, buying HVAC devices from
Dr. Dave Chatterjee:vendors, one of the breaches that comes to mind is the Target
Dr. Dave Chatterjee:breach. And the hackers were able to get in by compromising
Dr. Dave Chatterjee:one of Target's business partners. And
Dr. Dave Chatterjee:that's what's making our environment so difficult to
Dr. Dave Chatterjee:secure. Because you're no longer talking about an individual
Dr. Dave Chatterjee:organization, we're talking about the organization and its
Dr. Dave Chatterjee:network of partners, the supply chain. And so therefore,
Dr. Dave Chatterjee:unless every organization has the right security posture, it's
Dr. Dave Chatterjee:going to be a challenge, because there's always going to be
Dr. Dave Chatterjee:vulnerabilities, you know, this. Today we're talking about
Dr. Dave Chatterjee:vulnerabilities associated with IoT devices. I've had several
Dr. Dave Chatterjee:conversations about vulnerabilities where people are
Dr. Dave Chatterjee:the focus, but people are also part of this buying process of
Dr. Dave Chatterjee:IoT devices, people are part of the implementation process of
Dr. Dave Chatterjee:the IoT devices. So just like you said earlier, you just can't
Dr. Dave Chatterjee:focus on the technology, you have to focus on the other
Dr. Dave Chatterjee:aspects, the governance aspects, the people the process.
Alan Mihalic:Exactly right. And you make a very good point here.
Alan Mihalic:Numerous examples come to mind: a transport company moving
Alan Mihalic:refrigerated content around the country is escaping,
Alan Mihalic:temperatures are being communicated, routes are being
Alan Mihalic:communicated, and beyond the company's control. I mean,
Alan Mihalic:that's the solution. That's how they operate. But
Alan Mihalic:third parties who potentially support those IoT
Alan Mihalic:devices, who manage and so forth, how secure are they?
Alan Mihalic:because if they're compromised, and it's, it's unknown for a
Alan Mihalic:period of time, it's a direct impact upon the company. I mean,
Alan Mihalic:if things are not going right, in that context, if you look at
Alan Mihalic:sustainability within buildings, lighting is a very costly aspect
Alan Mihalic:of doing business. That is a very critical area that
Alan Mihalic:touches the bottom line, again, a dependency against third parties,
Alan Mihalic:potentially, who are supporting that in some shape or form. So
Alan Mihalic:when conducting, if we were to look at the framework,
Alan Mihalic:we would say, there's a very strong, you know, there's an IoT
Alan Mihalic:device checklist incorporated. Within that, that comes to points
Alan Mihalic:we spoke earlier. But there's also a whole lot of other
Alan Mihalic:security practices, there might be IP involved. And I just like
Alan Mihalic:to touch on this if I have a minute. I see that, you know, as
Alan Mihalic:we have buildings that are certified for fire and water
Alan Mihalic:damage, I envisage that in the near future, we will have
Alan Mihalic:buildings that are certified for cybersecurity. And people say,
Alan Mihalic:Well, why is that? Because remember, IP is one of the
Alan Mihalic:greatest things you're going to have. And if that's stolen from
Alan Mihalic:you, then you potentially lose your business, your
Alan Mihalic:organization goes down. So you could spend millions of millions
Alan Mihalic:of dollars in r&d to come up with something which is
Alan Mihalic:innovative and progressive, have it stolen rebadged and sold at
Alan Mihalic:1/5 of the cost because that organization that stole it, or
Alan Mihalic:perhaps the organizational crime unit that stole it and
Alan Mihalic:moved it on, didn't have any of the R&D costs. So when we are
Alan Mihalic:talking about this, we're talking about so many
Alan Mihalic:levels of interaction. So when I say the cyber safe building, if
Alan Mihalic:you were to take an office, in some building in downtown,
Alan Mihalic:today, you probably wouldn't think about you think, Oh, I've
Alan Mihalic:got, you know, good encryption or good HTTP. But there are all
Alan Mihalic:the aspects of a smart building that play into that into
Alan Mihalic:interconnected world that needs to be factored into your
Alan Mihalic:decision. And how are you going to factor that into your
Alan Mihalic:decision. Organizations or corporation buildings or
Alan Mihalic:precincts are going to smart certify their building to a
Alan Mihalic:certain rating, so that certain companies will feel comfortable
Alan Mihalic:doing business within that
Alan Mihalic:building. So this thing just keeps unfolding, Dave. It depends
Alan Mihalic:how you want to look at it, but again, it's another
Alan Mihalic:consideration of cybersecurity, as you said, as everyone's
Alan Mihalic:concern, but it impacts us on so many levels, that, potentially,
Alan Mihalic:we're not considering as much as we should.
Dr. Dave Chatterjee:And, you know, that's precisely why I'm
Dr. Dave Chatterjee:also very big on cybersecurity drills. We have fire drills,
Dr. Dave Chatterjee:that's very popular. But I'm not sure we have information
Dr. Dave Chatterjee:security drills at that level or at that scale. And I think,
Dr. Dave Chatterjee:whether it's implementing smart devices, whether it's expanding
Dr. Dave Chatterjee:your smart supply chain, you have to constantly test to
Dr. Dave Chatterjee:assess where the vulnerabilities are, again, easier said than
Dr. Dave Chatterjee:done. Many organizations do tabletop exercises, I'd say
Dr. Dave Chatterjee:something is better than nothing. But it has to be part
Dr. Dave Chatterjee:of the organizational consciousness, it has to be part
Dr. Dave Chatterjee:of the organizational governance, infrastructure
Dr. Dave Chatterjee:governance design, where there has to be constant testing, you
Dr. Dave Chatterjee:know, you cannot again, leave things to chance, like you said,
Dr. Dave Chatterjee:we will be adopting these smart devices, there's no going back,
Dr. Dave Chatterjee:we will enable our supply chains, there's no going back.
Dr. Dave Chatterjee:But we have to have that security layer in place. And we
Dr. Dave Chatterjee:have to constantly test to assure we have the level of
Dr. Dave Chatterjee:robustness that we desire. So so this has been a fabulous
Dr. Dave Chatterjee:discussion, I'd like to give you the opportunity to close it out
Dr. Dave Chatterjee:with some key messages for our listeners, as you know, our
Dr. Dave Chatterjee:listeners range from business leaders, cybersecurity
Dr. Dave Chatterjee:professionals, students, teachers, so you have a lot of
Dr. Dave Chatterjee:people to potentially influence here.
Alan Mihalic:Well, I'd like to sort of break it down on a couple of things
Alan Mihalic:that we're involved with. Obviously, the first is the free
Alan Mihalic:download of the IoT OSI framework. Now that can be, as I
Alan Mihalic:said, freely downloaded and applied and dissected as
Alan Mihalic:individuals or organizations see fit. Part of what we did though,
Alan Mihalic:was, you know, very much with an understanding of how the real
Alan Mihalic:world works, is that part of the IoT OSI is also an Education Lab
Alan Mihalic:or the educational initiative, then, which is the SSP campus.
Alan Mihalic:Now, the SSP campus provides cyber certification for the next
Alan Mihalic:generation of cyber professional covering a lot of what we
Alan Mihalic:discussed, you know, talking about all of that involvement
Alan Mihalic:and industrial control systems and the convergence of it, you
Alan Mihalic:know, to things we haven't touched on today, but they don't
Alan Mihalic:assure a well known by your audience. So what we do there,
Alan Mihalic:we have a series of certification programs that
Alan Mihalic:provide Yes, the future cyber professional the opportunity to
Alan Mihalic:take all of this onboard and take this much sought after
Alan Mihalic:skill set now as obviously, as we progress, and receive
Alan Mihalic:some very real world training as well as good academic uplift as
Alan Mihalic:to how to apply that. So that's the aspect of the educational
Alan Mihalic:arm of that. And we also have the opportunity for people to
Alan Mihalic:join the IoT cyber network, and be part of that. So if they wish
Alan Mihalic:to sort of bump heads and exchange ideas, it's certainly
Alan Mihalic:worth it. We're also very much a believer in supporting up and
Alan Mihalic:coming cyber professionals, and we also have scholarships
Alan Mihalic:through the SS campus. We've recently entered into a
Alan Mihalic:scholarship with WOMCY Latin America, which is an
Alan Mihalic:organization that facilitates inclusion of more women into
Alan Mihalic:cyber and to make it much more of an inclusive industry,
Alan Mihalic:and we're very proud to be part of that. We've
Alan Mihalic:also launched a scholarship program for African women and
Alan Mihalic:we're trying to work that through the campus as well. And
Alan Mihalic:finally, without too much going on about things. We also had,
Alan Mihalic:you know, part about involvement. As you know, what
Alan Mihalic:you were talking about is we were working with companies,
Alan Mihalic:organizations that are involved in the very nature of
Alan Mihalic:cybersecurity services and so forth. Our SSP campus provides
Alan Mihalic:authorized training partnerships with these organizations, which
Alan Mihalic:you know, if I give you an example, you know, one of ours
Alan Mihalic:is Wellness TechGroup, which is a leading smart technology
Alan Mihalic:service provider in the public lighting infrastructure and
Alan Mihalic:other services, and their brand, Iris Sentinel, is their
Alan Mihalic:cybersecurity unit. And then one of the assists campus authorized
Alan Mihalic:training partners. So the objective there is they take
Alan Mihalic:their cybersecurity suite of services, but they also provide
Alan Mihalic:training and certification, where required or wanted by the
Alan Mihalic:clients so that they leave something behind, so that the
Alan Mihalic:people within the organization have the smart technology, smart
Alan Mihalic:cyber skills. So that's a bit of a round up. But, you know,
Alan Mihalic:welcome everybody to go to the website and get a lot more
Alan Mihalic:information about all of that. And if you have any questions,
Alan Mihalic:of course, you can always reach out through the various traps.
Dr. Dave Chatterjee:Fantastic, Alan, that was great. I'd like
Dr. Dave Chatterjee:to commend you for running this nonprofit organization. We could
Dr. Dave Chatterjee:do with all the help, the cybersecurity community, I mean,
Dr. Dave Chatterjee:and why the cybersecurity, the global community, we could do
Dr. Dave Chatterjee:with all the help. And I would encourage the listeners in their
Dr. Dave Chatterjee:respective capacities to be more security
Dr. Dave Chatterjee:conscious, never to leave anything to chance, explore and
Dr. Dave Chatterjee:leverage the best possible resources out there, constantly
Dr. Dave Chatterjee:reflect, examine, analyze possibilities, because these
Dr. Dave Chatterjee:efforts are all well worth it. Because if we don't do that, the
Dr. Dave Chatterjee:consequences can be very, very undesirable. So once again,
Dr. Dave Chatterjee:thanks for talking to my listeners talking to me. It's
Dr. Dave Chatterjee:been a pleasure, Alan, and hope to bring you back again
Dr. Dave Chatterjee:sometime.
Alan Mihalic:Thank you very much, Dave. It's been a
Alan Mihalic:pleasure. I thoroughly enjoyed it.
Dr. Dave Chatterjee:A special thanks to Alan Mihalic for his
Dr. Dave Chatterjee:time and insights. If you like what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.