Why this is now the time to invest in security : Page 2 of 5

May 27, 2015 //By Alan Grau, Icon Labs
Researchers from Kaspersky Labs, at their annual Security Analyst Summit (SAS), presented detailed findings of pervasive malware and embedded surveillance tools that have largely gone undetected for over a decade. The report implies that the surveillance tools were developed and deployed by the US National Security Agency.
Cybersecurity investment: a neglected requirement

Recently, President Barack Obama held a cybersecurity summit in Silicon Valley to push for greater awareness and investment in cybersecurity. At this conference, venture capitalist Venky Ganesan, the managing director of Menlo Ventures, a major investor in cybersecurity, warned that not enough was being done to protect systems from hackers, despite recent high-profile attacks.

"We still are not spending the right amount of time and resources and money on the cybersecurity problem. It's much bigger than people think," said Ganesan. In fact, Ganesan said that only 5 percent of corporate information technology budgets are spent on security. "That's the equivalent of protecting a Tiffany's with a deadbolt. We need to make sure that we spend the right amount of money because this is an existential threat to our society," he said.

All too often, companies are looking at cybersecurity and asking "What is the ROI for investing in security". That is simply the wrong question to ask. Given the threat, cybersecurity should be considered a critical requirement, just as safety has been. The critical infrastructure, manufacturing, automotive and other industries have invested billions into safety

Despite the growing risk, government initiatives and a growing awareness, companies are still, by-and-large, failing to invest in cybersecurity.

Security Challenges for Critical Infrastructure Devices

The IoT and IIoT (Industrial Internet of Things) are comprised of a wildly diverse range of device types- from small to large, from simple to complex – from consumer gadgets to sophisticated systems found in DoD, utility and industrial/manufacturing systems.

Part of the expanding web connected network, embedded devices are very different from standard PCs or other consumer devices. These industrial operational assets are commonly fixed function devices that have been designed specifically to perform a specialized task.

Many of them use a specialized operating system such as VxWorks, Nucleus, INTEGRITY or MQX, or a stripped down version of Linux. In many cases, installing new software on the system in the field either requires a specialized upgrade process or is simply not supported. In most, these devices are optimized to minimize processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms.

As a result, standard PC security solutions won't solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices.

Design category: