It’s easy to lose sight of security principles by design when you’re on the verge of panic, but the long-term costs can be high.
“If you don’t plan, you plan to fail.” —Modern proverb
WWith so much emphasis on the short-term disruption of COVID-19, there has been less discussion of its long-term ramifications for the adoption of the technology.
One likely scenario is that the pandemic will lead to a long-term increase in the automation and remote management of assets ranging from industrial machinery and heating, ventilation and air conditioning (HVAC) systems to supply chains. . In health care, a long-term increase in virtual care and telehealth are likely. As many organizations under budget pressures have suspended operations, the pandemic will pave the way for organizations better positioned to automate processes.
IIn early March, companies began to rethink their business processes and other operations after the World Health Organization classified COVID-19 as a pandemic. Clearly, there has been a “huge increase in the number of Slack and Microsoft Teams users reported for collaboration,” said Chris Kocher, CEO of Gray Heron, a management consulting firm. Teleconferencing providers have also made rapid gains. “Teladoc for telehealth has also seen tremendous growth,” Kocher added.
Remote access to industrial control systems (ICS) has also increased recently, following a decline in recent years, according to Shodan The data. In the United States alone, there are now nearly 50,000 ICS devices connected to the Internet. Use of the remote desktop protocol, which allows Windows users to manage desktops or servers remotely, has also increased, after the protocol began to fall out of favor in late 2019 due to security breaches. .
Many industry organizations have already implemented “basic remote monitoring,” said Yasser Khan, CEO of One Tech. These relatively simple capabilities were sufficient when workers could still inspect machines in person. But because many facilities have been reduced to small crews, their priorities have shifted. Plant managers are increasingly looking to “figure out how they can get better insight into the health of their machines, from a distance,” Khan said.
Many organizations are also rethinking disaster recovery planning, according to Nitin Kumar, CEO of Appnomic. “Often what happens when a natural disaster or a computer virus hits an organization and its systems go down, you go into a kind of manual mode,” Kumar said. “Business continues, but at a slower pace. But COVID-19 is not a normal disaster. “Now your manual and demand capacity has been impacted and your system capacity is stifled or inaccessible. So you need more systems or automation, not more people. Organizations that can afford to expand automation are likely to do so when they rethink their disaster recovery planning and business continuity planning.
The spread of connectivity and automation is nothing new, of course. In 2016, security guru Bruce Schneier observed that human intervention is increasingly unnecessary. “The Internet senses, thinks and acts now,” he wrote. “We’re building a world-class robot, and we’re not even realizing it.” Schneier concluded that it is vital to consider what he called a “new robot covering the world”.
While the societal role of software has expanded for decades, the security ramifications of a world with largely automated or semi-automated IoT-enabled devices could be profound. “Computers have enormous power to help us and improve it, but the more complex the system, the more problems there are that can go wrong,” said Kate Stewart, Senior Director of Strategic Programs at the Linux Foundation. “We have to try to figure out how to understand what can go wrong, mitigate the damage and increase the reliability of software. “
SSecure by design
Traditional cybersecurity concepts such as security by design are sometimes abandoned when organizations are in crisis response mode. COVID-19 “will make it difficult to adhere to security principles by design,” said John Loveland, global head of cybersecurity strategy at Verizon. “Everyone moves very fast. As organizations expand their remote working and automation capabilities during crisis, they are more likely to make mistakes. “You can’t let technology or new business processes overtake the security behind them. You need to make sure that your internal security team is a part of every decision you make about new technologies, processes, or ways of working.
Experts recommend considering security as early as possible when planning technology deployments. “Make sure you involve stakeholders, the company as well as the operators in the safety discussions,” recommended Bob Martin, co-chair of the Software Reliability Working Group to the Industrial Internet Consortium.
“You must consider [security] as one of the main aspects of any solution and, like the foundation of a house, everything else is built on it, ”said Andrew Jamieson, director, safety and technology at UL. Organizations that neglect to build a proper foundation risk rebuilding it or “at least spending a lot of time and effort fixing something that could have been much more easily fixed sooner,” Jamieson said.
Nonetheless, security by design principles are unlikely to be high on the priority list as organizations suddenly turn to remote working, remote control of assets and possibly expanding automation capabilities. . “This is indeed a huge security issue, even when you are using secure technologies, because we don’t have the time to apply them securely,” said Frank Hißen, an independent security consultant.
Safety by design principles often incorporate a range of hardware and technology components. Putting them together can be a puzzle. “Sometimes vendors selling the ‘puzzle pieces’ that make up a deployment lack adequate security measures,” said Chris Catterton, director of solutions engineering at One Tech. Expanding the reach of the remote access capabilities of an IoT deployment increases the need “to include endpoint security as well as at the system level, whether through the cloud or on-premises systems. accessible via VPN, ”Catterton said.
Ffind and regain the safety balance
While it is vital to integrate security features into products and processes, it is not possible to anticipate all possible future threats. “You can’t always make design decisions about safety early on in a project and keep them valid,” Jamieson said.
There is often a tension between adding new features to software and ensuring its usability and security. “There are a lot of features that appear on our cell phones that crash randomly and the consequences, while annoying, are not life threatening,” said Stewart. “We are increasingly seeing open source being used in applications where, if the software is unreliable, it could harm someone. ”
Ultimately, securing systems comes down to resiliency and agility. “If you’re just building for resilience, you’re going to be in trouble” when new security vulnerabilities emerge, ”Jamieson said. “So in today’s world, you also need agility: the ability to quickly modify, correct, update or refactor systems when things change. ”
Security agility also connects to safety by design principles. “You need to build security from the start, and that security approach needs to include aspects of resiliency and agility,” Jamieson said. “If you don’t design for safety, you design for failure.”