1. Home
  2. Surveillance
  3. Sala stampa
  4. i-PRO Blog Series: Week 2 - Cyber Hygiene: Creating a Culture of Cybersecurity in your Organization by Will Knehr

This blog on the pillar of cyber hygiene is 3 of 5. Want to read up on the previous blogs?
Click on the link below. 

Week1: i-PRO’s Internet of Things Cybersecurity Pillars to build a strong security program
Week 1 bonus: Resiliency – Will your devices be there when you need them the most?

Have a question? Contact us at
CybersecurityExpert@i-pro.com

I know. I know. When most people think about hygiene, they think about taking showers or brushing their teeth, the things that we do to keep ourselves clean to prevent diseases or other illnesses. Cyber hygiene is a similar concept but applied to computers, networks, and security. It is the things we do on a routine basis to help protect our networks from attackers.

In an i-PRO poll of almost 100 LinkedIn users we asked, “How often do you think security camera passwords should be changed?” 51% of respondents said every 3 months, while 25% said every 6 months, 16% said every year, while 9% they shouldn’t be changed.  When considering how often to change passwords there are three major considerations.  The first one is industry requirements, the second one is organizational requirements, and the third one is legal or insurance requirements.  Industry requirements vary, so I recommend verifying with your compliance framework.  For example, HIPAA or HITRUST for the medical field, CJIS for law enforcement, or PCI/DSS if you process credit cards.  I think it is worth noting that NIST has updated their password guidance in recent years.  It turns out that when users are required to update their passwords every 60-90 days and use complex passwords, they tend to write them down, reuse old passwords, or store them on their computers.  For this reason, NIST has removed a timeline for resetting passwords and has instead recommended changing passwords in the event of a system compromise, if a password is disclosed to another user or to an unauthorized user, or if a shared account has a user leave the organization.  The other factor to consider is organizational requirements.  Many organizations have policies or guidelines for how often passwords should be changed, failure to follow these policies could cause a problem with our third requirement, which is legal or insurance.  Cyber insurance often comes with certain guidelines or practices that must be followed, it is important to read your policy and understand those requirements when making a password policy.  

Moving on…for our second pillar in the series about the Industrial Internet of Things (IIoT) Pillars of Security, we are going to discuss what cyber hygiene looks like for IoT devices.  We’ll dive into the maintenance, care, and management of these devices since they are often deployed with a kind of “set it and forget it” mentality, and left alone unless they malfunction. However, to run a good cybersecurity program, we must apply the same principles to IIoT devices as we do to computers or any other network device. IIoT devices need their firmware and software updated regularly, their passwords need to be changed, and scanned for vulnerabilities. 

Consider this for just a minute: at home you probably have a router that you purchased or that your internet service provider gave you. When was the last time that you updated the software on that device, the firmware, or have you ever changed the default password that came on it? For most people, the answer to that question is that they have never updated the software or firmware on their home router, and they have never changed the default password. Now I know that a home router isn’t an IIoT device, but it is something relatable for everyone reading this. Many IIoT devices are treated the same, they are deployed and initially configured, but just kind of left to run after that.

I have identified 8 keys to effective cyber hygiene for IIoT devices which are listed below, but I warn you that it is easier said than done.

1. Have a full inventory of all IIoT devices on your network. All cameras, security system components, SCADA devices, sensors, programmable logic controllers, etc. Be sure to include manufacturer information and model numbers, that way if there is a vulnerability announcement you’ll know if it applies to your environment

2. Hot tip – consider setting up vulnerability alerts for your IIoT devices,  that way whenever there is a vulnerability disclosure, you’ll be the first to know. My favorite is to subscribe to the CISA vulnerability alert bulletins, and you can even customize which alerts you sign up for – that can be done here Cybersecurity and Infrastructure Security Agency (govdelivery.com).

3. Check for firmware and software updates for these devices on a routine basis

  • Routine basis is a bit of a generic timeline, but it really does depend on the type of device.
    Typically, IIoT devices only release updates once or twice a year so they don’t need to be updated as often as other devices on your network

4. Update or change passwords on IIoT devices on a routine basis

  • Routine basis in this case is a generic timeline as well. In my opinion, updating passwords for IIoT devices every 90 days is a bit unrealistic for most organizations.
    So, figure out something that is manageable

5. Conduct vulnerability scanning looking for critical vulnerabilities

  • Be careful when conducting vulnerability scans on IIoT devices, especially for the first time because the scans may cause the devices to fail. I recommend testing the devices before deploying them so that you’ll know if they are ok to scan in the future
  • I also recommend scanning in small segments at a time, that way if devices do fail, it doesn’t knock everything offline

6. Conduct vendor and device risk assessments when purchasing new IIoT devices

  • Take a close look at the vendor selling the device and see if they have a good reputation for updating their products when vulnerabilities are found
  • Check to make sure the vendor does some type of code analysis to ensure they are deploying a secure product
  • Pick a device that has the right settings and protocols for your network

7. Conduct configuration backups of devices

  • Make sure these backups are stored offsite or in the cloud

8. Ensure IIoT devices are covered in your Policies and Plans (incident response, change management, config management, patch management, business continuity)

I think the best way to summarize cyber hygiene is to think of it as creating a culture of cybersecurity in your organization.  Baking cybersecurity into every physical security, IT, or other function in your business. So just like you shower and brush your teeth on a routine basis (hopefully), consider grooming your IIoT devices on a routine basis. Come back next week and we’ll discuss product security.

Have a question? Contact us at
CybersecurityExpert@i-pro.com