David Sequino, ISS: “the Internet is an amazing tool, but it has become too vast to secure every inch”

Nowadays, everyone knows that their computers or smartphones can be hacked, especially if they’re not careful while browsing the Internet. Yet not many people take into account other gadgets, such as IoT devices, that are also connected and can be hacked.

Securing your iPhone with real-time malware protection software seems easy, but how can you prevent an attack on security cameras, wifi routers, or smartwatches? Yes, cybercriminals also exploit vulnerabilities on such devices to monitor their victims’ activities and gather sensitive information.

So, today, we talked with the Founder and CEO at Integrity Security Services (ISS) – a company that offers security services – about the security solutions for IoT devices and common vulnerabilities associated with them.

How did Integrity Security Services originate? What has your journey been like?

I founded ISS back in 2010, but I’ve been working on providing end-to-end IoT security for around 20 years. In the beginning, people would look at me with a baffled look on their faces when I tried to explain what we did. Now that there have been hacks on IoT devices – wifi routers, security cameras, Target POS terminals, and Teslas – it’s a lot easier to explain what ISS does. So, the journey has gone from a niche market for the high-end of technocrats to now, where operational managers are beginning to take notice.

End-to-end IoT device security is a complicated problem and board rooms still need education and, more importantly, they need to properly budget for it because the implications of IoT device hacks could be devastating to any company. We don’t have to look further than SolarWinds to appreciate the risks we face.

ISS is the only security solutions provider that is truly focused on end-to-end embedded security. What we mean by end-to-end is twofold as we provide products and services for:

  • Embedded IoT device makers to lock down their devices and their supply chains
  • Enterprises to manage their IoT devices once they are fielded and in use

Can you introduce us to what you do? What technology do you use to secure various devices?

Today, we have 5 main product lines:

  • ISS Consulting augments our clients’ engineering and IT teams, as most companies do not have the resources or expertise for IoT security.
  • Device Lifecycle Management (DLM) establishes secure identity, trust, and updates between devices and services. On this foundation of trusted identity, we build a range of secure services including secure update service, diagnostic access control, secure boot, device enrolment, security provisioning, user authorization, and others.
  • Security Credential Management Services (SCMS) is the largest Public Key Infrastructure (PKI) ever built. We provide digital certificates to vehicles, roadside networking devices, charging stations, phone as a key, and traffic management centers to ensure the security of Intelligent Transport Systems (ITS).
  • AutoAuth is our Automotive Authentication Authority. It provides trusted access control for vehicle repair. This product is a collaboration between automotive OEMs, scan tool makers, and repair shops. We have 50,000 independent shops in the network and the number is growing rapidly.
  • Flex Security Toolkits are embedded software components that get built into IoT devices. They have been ported to over 20 Operating Systems and CPU combinations. Flex acts as the IoT device’s security kernel to absorb DLM generated digital assets anywhere in the device’s supply chain – from birth to operation, to service and decommissioning.

These five lines of business don’t need to be purchased together but they are designed to work in conjunction to ensure our clients’ IoT devices, users, and digital assets are secure throughout their life cycles.

Since embedded security solutions are your main focus, could you briefly explain what this field entails?

Securing embedded IoT devices requires expertise in embedded software and hardware on the device side, but the ISS solution goes beyond that. Our DLM platform also acts as the secure provisioning service to ensure every IoT device’s supply chain is locked down from birth and an IoT Company’s IP is protected throughout the device lifecycle including third-party contract manufacturing plants. Once an IoT device is built, tested, and provisioned, DLM also has several services to help enterprises securely manage their devices in the field.

The benefits are that for the first time, IoT device manufacturers have a partner they can rely on to lock down their devices, users, and digital assets. Then, they can offer their clients services to securely manage their IoT devices once they are fielded. ISS is the only company that covers the entire IoT device lifecycle from design, production, and field service, including both the IoT device and all of its connected services.

How did the recent global events affect the IoT landscape? Have you noticed any new security issues arise as a result?

Cyberwar is upon us, and it has been for a while. Recently, we have only heard about the networks of our banks, national labs, government, and enterprises being the targets and now, we are hearing about our critical infrastructure being targeted. Global cyberattacks are coming, and until the board room makes locking down their supply chains for their IoT devices a priority, our way of life is at serious risk. Every user, device, digital asset, and manufacturing site in our companies’ supply chains must be locked down and always tracked.

The Internet is an amazing tool, but it has become too vast to secure every inch. Therefore, we must deploy DLM zero-trust secure networks across our supply chains to ensure our IP is protected everywhere. Every Board Room must prioritize supply chain security the way they made web presence a company survival decision back in 1999. Until this happens, our water, power, transportation, medical and weapon systems are vulnerable to global adversaries and well-funded organized crime syndicates along with many others.

From a practical perspective, historical hacks were focused on our enterprise IT systems. In the past 3 or 4 years, we are seeing more and more IoT devices being the focus for hackers trying to gain access to our IT networks via IoT devices. We are also seeing software below the OS layer as an area of focus for hackers. The implications of this trend are very scary because our critical infrastructure relies on many millions of vulnerable IoT devices.

What are the most common vulnerabilities associated with IoT devices?

The greatest vulnerability is that too many devices are designed without considering security at all. Perhaps it is a lack of imagination or complacency, thinking that their device is too inconsequential or obscure to be vulnerable. The biggest botnet of all time, Mirai, was built out of security cameras and wifi routers with default passwords.

ISS customers realize that they have valuable assets that need protection. They realize that the cost of a major cybersecurity incident can be devastating to both the maker of the device and the end user. Brand reputation, financial assets, intellectual property, and most critically human safety are all at risk if we don’t secure all IoT devices.

Specific vulnerabilities include but are not limited to:

  • Inadequate or non-existent hardening
  • Insecure roots of trust
  • Insecure or lack of a secure boot process
  • Insecure operating systems
  • Insecure protocols
  • Insecure software and firmware update processes
  • Insecure internal and cloud-based PKI systems

Why do you think so many companies struggle to keep all of their devices under control?

Companies that care about IT security don’t let their employees bring in home PCs to work, they don’t let employees load whatever software they like, and they don’t let just anybody be a system administrator on their domain servers. Companies need to treat IoT devices the same way.

They need acquisition policies and requirements that demand a level of security in the devices they purchase and use. This kind of security consciousness needs to extend to any IP-connected device. Otherwise, that Internet-connected refrigerator in the break room might be hacked to become a spy on the internal wifi network or become a backdoor into the enterprise LAN. Remember, Target was hacked through an HVAC system provider. That hack cost the company $202M.

Additionally, most companies used to have generations of devices using different CPUs and Operating Systems, many of which did not have any security. Today, CPUs have gotten better, but most vulnerabilities are in the implementations. So, companies need a partner like ISS to help architect end-to-end security. Yet again, the board room needs to take notice and fund these activities. Until it commits to securing IoT devices, companies will continue to struggle.

What should be the first steps in securing an enterprise’s IoT devices?

Do a high-level security study of your devices, supply chains, and operational networks for such devices. A good place to start is by doing the following:

  • Take an inventory of all IP-capable devices
  • Build an inventory of safety, mission-critical devices and networks
  • Build technical cyber specifications to provide to your IoT device providers and ensure they are meeting your enterprise’s needs

ISS has products and services matching our heat map to address the IoT devices’ security. Some of the questions we ask to determine where the IoT device falls in our ISS Security Heat Map are:

  • Is the Device Connected?
  • Can the Device call home?
  • Can the device do updates?
  • Does the device have a secure OS, CPU, and software stack?
  • Can the Device cause loss of life, revenue, or brand reputation?

Companies should have policies about Internet-connected devices and they should have a monitoring program to ensure that the policies are being followed. Purchasing departments should issue specifications for the IoT devices they acquire. In many cases, ISS helps our clients write these security specifications and helps administer these requirements across our clients’ supply chains.

Most Tier-2 and 3 type manufacturers have no idea about secure manufacturing and will only implement what is required by their contracts. Secure 24/7 manufacturing is an ISS core competence. We help our customers ensure that the security of the device and the confidentiality of IP are protected no matter where the manufacturing is done.

Talking about individual users, what security measures do you think are essential for home devices?

This is a surprisingly tough problem. It would be nice to say that consumers should be better educated in cybersecurity and not buy insecure products. However, if our enterprises can’t do it, we can’t expect consumers to.

What we need are devices that are born secure and can maintain security throughout their lifetimes. They should be designed to be secure from the moment they are first plugged in and turned on without burdening the consumer with a lot of obscure configuration details. Every day, ISS is engaged with customers to make this secure future a reality.

IoT device providers can’t sell a device without an FCC or UL certification and home devices should have such certifications as well. ISS does this today, but we are just one company, and this requires a regulatory solution. NIST and other government agencies will need to specify and certify IoT device security depending on the market.

To conclude, virtually all IoT devices require end-to-end security. The implications of a hack shutting off a single house’s electricity don’t seem that troubling, but if the intruder can go from the house to the grid then the problem could grow exponentially. Or if the same home device with the same vulnerability is in 30M home devices, then we have a much larger problem on our hands.

Share with us, what does the future hold for Integrity Security Services?

ISS is the first to pioneer this end-to-end embedded IoT device security and management. We are opening more vertical markets, and we are hiring and training as fast as we can but it’s not fast enough.

Today, we secure over 20 Auto OEMs in the transportation vertical and over 1B devices across all the verticals we serve, including medical, aerospace and defense, industrial, consumer, and semiconductors.

As more IoT devices get connected to the Internet with a growing number of enterprises and consumers relying on these devices, ISS will grow into an enterprise-serving company to help secure and manage these IoT devices.

We are building out our company as fast as we can, but we need large consultancies to partner with us to build out practices to run our DLM systems for clients and port our Flex embedded products to IoT devices.