A topic that I recently got asked about was vulnerability mitigation for IoT systems, which shows that even within the security community there is still a belief that mitigation equals threat resolution. For IoT systems this simply does not work for many reasons, first among them is that these IoT, OT, or ICS systems performing mission-critical roles in order to deliver value to stakeholders, including operations for healthcare, manufacturing, transportation, and hospitality where lives are directly at stake should certain systems fail.
For IT systems it’s a strategy that makes sense. Malware mitigation, where an organization is relying on practices like network segmentation, kill switches, and network access control, can allow the malware to show itself while the organization (in theory) remains safe. This can be faster and less resource-intensive than hunting for potential threats. However, it’s a risky approach because it assumes that those mitigation approaches are robust and working properly. If network segmentation or network access control are not maintained properly (which often happens in IoT/OT/ICS environments) then organizational risk skyrockets.
Using malware mitigation is very dependent on what type of system is being secured. For a laptop its may be very effective to halt it’s internet traffic and restrict it’s operations in order to stop a malware threat from spreading. For an IoT or industrial control system using those same mechanisms may stop the malware threat but also stop the operations of business-critical systems. In that case other methods than malware mitigation would be more effective (such as quickly moving to IoT system vulnerability remediation).
Malware mitigation is not as effective for dedicated systems such as IoT, OT, or ICS because of their custom firmware and operating systems and heavy use of open source software. Much of the backlog in the National Vulnerability Database (NVD) is for open source vulnerabilities that are present in IoT/OT/ICS, so in that sense there is some but marginal advantage for malware mitigation.
Especially with shortage of cybersecurity resources in many organizations a related question is whether organizations have put too much emphasis on “find-and-fix” vulnerabilities and not enough on threat mitigation. For IoT/OT/ICS system, quite the opposite is the case. Many organizations might have a false sense of security that the threat mitigation techniques they use in the data center can replace the need for remediation. For IoT/OT/ICS systems remediation is the only way to ensure that the systems are both operational and secure. Mitigation that stops the functioning of an IoT system may be secure but it would be the equivalent of the phrase “the cure being worse than the disease”; it would be corporate malpractice.
For IoT and related systems mitigation should never be the destination – organizations must remediate vulnerabilities as quickly and comprehensively as possible to shrink the IoT attack surface. Automation, in both asset discovery and cyber hygiene is the right way to go about it, but there also needs to be a plan and strategy. Does yours stop at mitigation? Maybe it’s time to think through the value of being remediation focused instead.
