IoT Security Trends and What to Expect in 2021 IoT For All Podcast E103 Trend Micro’s Greg Young


- You are listening to the IoT For All Media Network. - [Ryan] Hello everyone and welcome to another episode of the IoT For All podcast on the IoT For All Media Network. I'm your host, Ryan Chacon, one of the co-creators of IoT For All. Now, before we jump into this episode, please don't forget to subscribe on your favorite podcast platform or join our newsletter at IoTforall.com/newsletter to catch all the newest episodes as soon as they come out. So without further ado please enjoy this episode of the IoT For All podcast.

Welcome Greg to the IoT For All show. Thanks for being here today. - [Greg] Yeah, it's my pleasure. Nice to meet you, Ryan.

- [Ryan] Yeah, you as well. I wanted to start off by just having you introduce yourself to our audience, give a little background, experience, anything you think is relevant to give the audience some context of who they're listening to. - [Greg] Yeah. Thanks. My name is Greg Young and I'm the vice president of Cybersecurity with Trend Micro. Trend Micro's a big company, about seven or 8,000 people have been around 30 some years, like me.

I've been in IT security for about 33 years now. - Okay. - [Greg] I sound tall on podcasts. Yeah, I've done a bunch of different roles and I've worked kind of, you know, in the management role as a CSO for like the Federal Department of Communications. But also the hands-on stuff. So I did a lot of work in smart card security with integrated circuits and I was also with Gartner as an analyst for 14 years.

- [Ryan] Very cool. Let me ask, in your experience over the last number of years in this space, how have you seen the security industry change and like what have been the biggest kind of pieces of technology implementation or just the biggest kind of trends that you've seen in the market over you know that time span that you've been in to get to where it is now? - [Greg] Yeah. It's just everything about trust has changed. So I think this is, this may not sound sort of, this just sounds sort of simplistic, but in a way we started out that we really trusted the components that we used. So before we used an operating system it would just be beaten up by authorities and certification agencies. And now we use stuff we don't even know where it's from. And you know that's neither good nor bad it's the way it is and we have to react accordingly.

So we can't put a lot of trust in the stuff we use so we have to trust how we use it. - [Ryan] Absolutely. Let me ask you a little bit more about Trend Micro just high-level kind of, obviously security space. It really connected IoT just a little bit high level information about what the company does and the role you all play in IoT for audiences sake. - [Greg] Yeah, so Trend is a very international company, very globally spread. We have headquarters in a bunch of different countries.

Historically, a lot of business in Japan, but have since moved across the globe in the last 30 years. Business and IoT specifically we've got a segment of the business, very focused on that and it's true IoT and it's split across those kinds of traditional sort of definitions of the consumer based sort of, you know, internet of things and then the operational technology focus. You know, we even have initiatives in connected cars where we're working with manufacturers there. And we've got some equipment that attaches to, you know manufacturing devices or other operational technology. - [Ryan] Now, where do you see kind of some of the biggest, I guess vulnerabilities when it comes to the IoT space as it relates to security that maybe people aren't addressing or people need to be thinking more about? - [Greg] I think the biggest issue today is that there's components that we just, we know nothing about them. So, you know in the past where we had less dynamic supply chains and costs really wasn't as optimizable as it was today.

You know, we'd have a really good idea of what components and what the specifications were, the protocols even the software that was used varied, it stayed around awhile, but now and it's a good thing that we change components a lot because it helps keep the price down, - [Ryan] Okay. - [Greg] Which is great. We can get better things, faster things, cheaper things. We can change them around and these components but we no longer know kind of what's in the black box anymore. So often there's, or the device may be trusted in a sense but the bits we're using they could have vulnerabilities within them.

And the manufacturer themselves may have no idea that there's vulnerabilities in there nor have the ability to even sort of test for those. - [Ryan] Interesting. So how does, how do you kind of handle those situations when working with customers or just engaging with, with the market with so many different components being out there and creating those kind of vulnerabilities? - [Greg] A lot of it is catch up in a way and taking the lessons we've learned in the last sort of three to four decades in traditional IT security and trying to in a way port them, not directly layer them on, but make them adaptable to this new environment.

So for example, we know that we can shield for vulnerabilities. So if you can't patch something, we can put stuff in front of it to kind of act as a virtual patch. So bringing those technologies, which we've had on the IT side, like intrusion prevention systems and put those kind of, you know, pre-patch or no-patch shields in front of them. And also just the way they're assembled and even just the idea of looking for vulnerabilities, a lot of manufacturers just honestly, and legitimately, just haven't been exposed to that.

So it's just bringing them to speed and say, Hey you should have a bug bounty program or what's that. Well, yeah, people find a problem. They can report it to you. Wow, what a great idea, but support's for that. No, no, this is special, this is for security stuff.

- [Ryan] Diving in a little bit more to the bug bounty program. How has that kind of benefited the IT space, you know and now kind of getting into IoT how do you see that kind of playing a role and what can organizations do to kind of get that going? Is that just something that's easily just kind of make aware to their users and have a way for them to report any bugs that they find and kind of simple as that or is there more to it? - [Greg] Yeah it's actually simple nowadays that there's organizations there's third parties that you can outsource this to. There's, you know, a sort of, you know, bug bounties as a service. As a way to report back and saying, Hey, you know, I, as a researcher or I, as a customer have found something and I need to report it to you very quickly or in a certain parameters it should be as easy as possible so they can fix it or notify customers or then shield it. Especially when there's an embedded system that's very easy to shoot or very easy to patch or a very easy shield. Yeah. It's that simple.

Even just having something on your website or even a phone number sometimes is all it takes just the awareness and and also the internal culture to say, Hey you're reporting a vulnerability. You must be a hacker. We're going to sue you.

- [Ryan] Right. Right. Right. And as like this kind of connects a little bit to what you mentioned a second ago about the component vulnerabilities that are ever present kind of in the IoT space. Is there one component of an IoT solution that you see more security issues kind of being centered around like the, you know the hardware piece, that connectivity piece, the cloud piece, et cetera. Since the IoT space is very component driven and most times those components are coming from different partners and different manufacturers.

So is there one area where you see is more vulnerable to security threats then than the other? - [Greg] Yeah, definitely. There's a few kinds of ones that are on the top of the list. So the first is generally any sort of wireless components because if there's an issue there it's going to be typically widely distributed.

And that's also most often where we're trying to, the one point where we can really secure in otherwise an unsecured IoT component, we catch to the wireless catching to communications we can mostly protect it there that's number one. The other ones is typically in protocols because the protocols are often so bespoke, customized they're not traditional sort of TCP/IP, you know, any of the, the protocol level if there's a vulnerability in a protocol it's the kind of the worst thing it's, it's like there's a flaw in our language and how we discuss things rather than in the software. And the last is in older operating systems that are embedded or HMIs as well that are sort of done without any sort of design thought of security in mind. - [Ryan] Okay, interesting. Now let me ask this question as, as we're kind of growing in the IoT space as an industry, we're, you know, bringing in new connectivity types, 5G's coming into play and so forth.

What type of security issues do new technologies like 5G kind of bring to the space on top of the, the usual ones that we're seeing when you're talking about now. - [Greg] Yeah. It's great that you mentioned on top of it because that's really the case. So when a whole new kind of technology comes in like what happened with cloud.

We see that now with 5G that any vulnerabilities or any sort of security issues that come with 5G. You know, big enterprises, they're gonna be challenged in some ways to deal with these or big manufacturers or traditional IT manufacturers. But to do that in the in the IoT sensors is going to be challenging. So all those vulnerabilities get layered on top.

And since IoT is so communications dependent for security, you know, that's going to be really interesting. When a security guys is interesting, it's not really bad. (Laughter) - [Ryan] So how does the company, how does the company like Trend Micro or other companies in the space that focuses on security stay kind of up-to-date on discovering the types of vulnerabilities that these new technologies and different components have to help, you know not just come up with solutions to, but just be aware of in general, seems like very overwhelming task. - [Greg] Yeah. You have to do a couple of things. So one is you have to invest.

So, in the specific area, so just taking general IT vulnerability research that may be a foundation, but you port that over again it's a really different environment. So you have to spend specific research dollars on it. It's a well hidden secret that Trend discovers more vulnerabilities than any other company in the world by quite a bit. We've got a whole bunch of programs like the Zero Day Initiative and other ones. So we have the researchers and we have the third party researchers, should we pay to find vulnerabilities but you have to allocate a piece of the pie to them to say, Hey we only want to find IoT vulnerabilities or OT ones.

So we're setting aside a piece of the pie to find those. The other one is doing initiatives. For example, we set up a phony factory, a honeypot factory where we said, this is going to be a manufacturing facility. It's not just going to be in a virtual machine.

We're going to actually have equipment and we're going to make it look like it. And then we're going to watch what the bad guys do when they beat on this. So that kind of, that it's going and going one step beyond just saying, Hey, let's simulate a factory. No, let's really similar in factories. The bad guys can't spot it easily.

And we'll try to catch a more sophisticated kind of attack. - [Ryan] Right. - [Greg] Just keeps the easy stuff. We'll try to catch some attacks that are a little more advanced than James Bond. - [Ryan] Yeah, yeah that makes sense. Now in addition to just the component aspect of it and the new technologies that are getting they're coming into the space, how do the use cases themselves influence or I guess what is the trend across use cases you're seeing as it comes to use cases that are more vulnerable to security threats as far as are there industries that are you're seeing more security issues arise? Is it, you know, based on industry, is it based on use cases is it based on the, maybe the technologies that are attached to those so that you kind of already alluded to it? How are you seeing it as it relates to more real life examples of abuse cases being kind of deployed out in the field.

- [Greg] Yeah. I like your word to use case too, because that's a great way to describe it. That there isn't sort of a generic sort of attack on IoT or attack on OT. It's very, very generalized. So one is, you know, existing vulnerabilities are the bulk of attacks. So 99.9% of attacks are ones we've seen before, successful attacks ones we've seen before, typically on unpatched systems. So going after unpatched stuff in IoT is the easy one. Right now we're in a trend, unfortunately healthcare is being actively targeted, you know, because of COVID it's rich territory. So that's one and the third is treating it as general IT. So if there's a system and we can ransomware it, we're going to ransomware it.

And the last one is where it's very sort of targeted. That's the very top of the pyramid, a very small amount but where it's much more knowledgeable, there's much more in-depth reconnaissance going on and it's not just sort of, hey, a Windows machine, I'm going to beat it up. No, it's going to be, oh, it's a Windows machine in this kind of environment. I can find a lateral movement through PLCs that, that kind of advanced one, that's a smaller one but that's obviously the most concerning - [Ryan] Yes, so as you kind of mentioned the healthcare side of things and the vulnerabilities there, are there any particular instances of security threats that you could maybe elaborate on just kind of bring a full circle into a real example of what you're seeing happen in the healthcare space, maybe as an audience, we wouldn't be kind of recognize it happening. - [Greg] Yeah. One is that a lot of hospitals, for reasons of organization history, they don't treat medical devices as part of the IT organization and ends up that nobody ends up protecting them, or it's just they're deployed hope they're gonna be secure but they're not kind of cared for like we would have our other systems saying, Hey we have to patch it we have to watch them, we have to monitor them.

And that's not, that's a generalization. It's not, that's a little unfair but a lot of hospitals where the struggle that, especially for community ones, they really struggle. So when we did, for example, Shodan search we found hospitals from all around the world that were internet accessible their medical devices, particularly the controllers that the medical devices speak to.

So that's those statistics. And then, and those don't match either with sort of distribution is not proportional. Some countries were overrepresented by size. You know places like India and the US of course were very high but so in places like Mexico, that was kind of surprising.

Yeah. The other one we found is that there's a lot of forgery going on with devices that are supposed to be one make and manufacturer are assumed, are labeled as something else. We found a lot of fraud going on with the barcodes being assembled on them and what they're being reported to be when actually they were much older vintage devices. - [Ryan] And what's the kind of reasoning for you seeing that happening. Like what are the benefits that they're getting out of doing this. - [Greg] All comes back to money.

I suppose things do in life. The bad guys, why some people, some unethical people have wised up that in the reselling of medical equipment that if you sell it, something is newer, it's worth more. So they'll take an older device relabel the barcode to purport it to be a newer one, get more money for that. And great. So you've got this IB device, which is a smart accessible but the problem is you've got to patch it.

The software may break it. So if you had the medical device now and you so much it can, like, I'm gonna try to apply a Windows 10 patch to a Windows 95 server that won't work and neither will this except that those protections that are built into preventing those kinds of patches being applied in Windows, aren't there for a lot of medical devices. So, you know I plug in my USB or go wireless and try to update the device. I broke it or I, or it caused it to fail. And then you know you've got this device instead of service. - [Ryan] Yeah. That's really interesting I, you know,

if you're not connected that space you probably have no idea it's even happening. - [Greg] Yeah, and sadly again, the, you know, the people deploying these devices, you know, the hospital staff, you know, they're not an IT people. So to watch for that and that kind of inventory or even the concept of any state we should match the barcode with some other information on the device like the labeling or serial numbering or model number. That just, that just is an extra task that busy healthcare people don't have time for often.

- [Ryan] Yeah. It's, it's truly unfortunate they're taking advantage of that kind of industry and market to, for financial gain like that. - [Greg] And sadly right now it's all about ransomware You know, they're just ransomware in the heck out of hospitals right now. It's really sad, but that's the trend. - [Ryan] Yeah especially during the pandemic. - [Greg] Yeah yeah.

You know, people will pay up right now cause they need to get back to business so. - Yup. - Yup. - [Ryan] That's really unfortunate. So I want to, I want to shift away from the healthcare space and kind of go into, like, I don't want to say it's like the opposite of the spectrum, but something that's, you know, is an interesting topic to talk about as far as IT goes, and that's more of the connected car space.

So, you know, that's something, I think people have a lot of fear when it comes to security because connected cars if they're hacked, what can happen next, obviously you know, a very life or death type potential outcome. So what are you seeing as far as the security of the platforms behind the connected cars? And I'm assuming, you know, we would like to think that there's more money invested in something like that to make them more secure, but how are you kind of seeing the contrast in the connected car space, as it relates to other spaces like healthcare and so forth. - [Greg] In the, in the car space the auto manufacturers have done a brilliant job and you know, credit where credit is due.

It's very easy and security kind poke companies in the eye or industries in the eye and saying, Oh it's not perfect but they have done frankly a fantastic job. In a couple of areas, so one is actually, you know, the in-car systems, the general systems and then there's the entertainment systems as well which are kind of the often the user interface. But both of those sides they've done a fantastic job in protecting them. Of course not all automakers are equal, especially ones from different parts of the globe but definitely for the ones that most of your listeners are going to be engaged with really great well, and above in fact I would say that in many respects they do better than the general IT industry in securing these devices. So there's always new things. So, you know, Tesla's always a popular participant in our hackathons and credit to them for having a really active bounty program and not being ashamed to let other people pound on their stuff.

But the most of the in-car systems, you know they're even tamper-proof, which is fantastic that we don't see a lot of manufacturing devices do that where you can't physically tamper with it, or if you tamper it, it'll be evident. Use of cryptography just in having a updatable software easily done and recognizable with good quality control. And also the ability to check if a patch patches is successfully applied.

So a lot of great systems, you know, and again they do have bug bounty programs as well to, to make sure that people find a problem, researchers they'll act on it. - [Ryan] Now you mentioned something in here that you've kind of seen some... I guess different levels of security and vulnerabilities based on the kind of the area in which they come or the region in which the company is operating in. Have you seen that across all different industries? And if so, are there certain areas of the world that are you're seeing more security threats kind of coming out of based on like maybe the the components that are being developed in those areas versus others? Or is it not really kind of like correlated to any one region in particular? - [Greg] Yeah, I think the correlation is probably, you know cost is everything.

So where we're expecting to get the cheapest components and you're going to pay the lowest price. You kind of get the security that you're paying for there. So a lot of components coming out of East Asia again you're cause you're demanding the lowest price from them.

They're going to give you the lowest price. A great example was a there was a vulnerability found in a, in a component. It was a very, the widely distributed component. It was a wireless one and I spoke to the manufacturer having to find it. But once I got actually find a manufacturer to talk to and they said, well, we can't, you know we can't really patch that software.

We said, why not? Well, we don't have the dev team anymore. Well, why don't you? They said, well, we can't keep the dev team around. So why not? But because we charge 10 cents our competitors who keep a dev team, they charge 12 cents.

So if we had the dev team, you know, we would be out of business because we wouldn't be able to compete anymore because there's somebody out there charging 11 who doesn't have a dev team. So we'd be charging 12 and you know we'd be out of business. So, you know, being insecure is actually our business case. They didn't quite say that but that was the bottom line was that, Hey, when you're charged, you're carving off a cent of very, of the small components that's, you know, something has to give. - [Ryan] Yeah, that's amazing how it's, you know, the margins are so razor thin that people are sacrificing something as important as security that the end user has no idea of until maybe you know, they encounter one of those security threats.

- [Greg] Yeah. And that chip was embedded in many, many consumer devices especially sort of keyboards and mice. So that was a very widely distributed component. And again, you know, that, that's a lot, that's it. When there's millions of millions of components that's a lot of money. - [Ryan] It is. It is.

And is there anything that could kind of be done after a component like that is built and launched into, you know, put into a product? Is there anything like, what, what does how does that usually handle when security is then just you know, security, threat like that is discovered later on. Cause you know you don't know this as a problem until, you know either it's reported or consumers, you know, get their hands on it or a company like yours comes across it. And then you talk to the manufacturer and learn that you know, they're not taking security, you know or they're not really prioritizing security. So how does that usually handle it or what can be done? - [Greg] It was a couple of steps in the best cases is where it is software addressable that it can be patched. So even if you don't have the dev team you can go back and tear it apart. If there are notes for as commented at all, you see, okay here's the buffer overflow that they're exploiting.

Got it. And then you can hopefully patch it if that's possible. That's the best case scenario. Not always the case. If it's burned in silicon, for example, or if it's not software addressable or fixable, that's not good.

So ideally what you do then is you hopefully you can address it from the OEM of the components, say, Hey, we have this issue. We can't fix it. Maybe you can, because this is encased in a a laptop say, so you're gonna, you know, if you put if we had this patch, which is associated with your laptop then you can protect her. You can change your software so that it can't be exploited anymore.

Last case is nothing can be done. Just hope. You know, we try to use intrusion prevention whether it be software or hardware or network or in the device. And that's about all you can really do. - [Ryan] Wow. Okay. One of the questions,

last question I have for you before we wrap up here is kind of relating to, I guess, the information around security. So like it's something I've kind of mentioned ahead of the recording, but the vulnerability research economy is growing pretty rapidly from you all's perspective. Can you talk to our audience a little bit more about what that exactly means as far as what does that research look like? Like what does that kind of, what's the value there? What value does it provide? Kind of just ongoing and how have you seen that kind of economy in the IoT space as it relates and then comparing it to other technology industries that you know, the same kind of tasks or performance and kind of research has performed like is are you seeing IoT kind of growing more quickly? Are you seeing it not be as attractive of an industry for researchers perspective because of one reason or another? - [Greg] Yeah. You phrased that really well about attractive to researchers. The definitely it's, it's changing. There is some interest now in IoT vulnerability research but it's growing, not growing as fast as the IoT spaces.

So what this is is a whole economy now that's really layered around finding vulnerabilities. It used to be people would find bad, you know, holes and stuff, they would report, it was a hobby. But now it's become a full-time job for the good guys to find stuff. And we want the good guys to find it, not the bad guys. Cause then it's a zero day we don't find out about it but when the good guys find stuff, they go to the company and they say, Hey, look, you know, manufacturer, you know we found this vulnerability in your, you know in your turbine software or the, or the human interface for it, you know, we're reporting it to you.

We're going to keep it quiet. You got this much time to fix it. Please do so, tell us when it's fixed, so then we can disclose it so we can have people who haven't patched it, we can put a shield up for it. That's a sort of a long-winded discussion or description of what it is.

But even, you know people interested in doing that, well, they get paid, right? You gotta get paid to do this as a full-time job. And that's where the bug bounty programs come in. So if you're encouraging people to find stuff it's good news. But the challenge is there's not enough companies out there. So when you look at all of the the sort of the big names in, you know, IoT manufacturing very few of them had these kinds of programs which is really unfortunate. So third parties come in there to to get involved with that but it's still not a healthy enough economy yet.

And the, the losers are the users because you're getting stuff that's not being examined as much. You want ethical researchers to look at the stuff and find the holes before the bad guys do. That's changing more, more companies are investing in it and more researcher research backers or third parties are also starting to help an individual researcher trying to make a big company like an elevator manufacturer, change their ways.

It's tough, but a sort of a clearing house for those has a better, better job, you know sort of a middleman to do it. It's still, it's a, it's moving slowly. - [Ryan] Okay, so one of the last things I want to ask you before we finish here is around just general stuff going on in the industry that our audience may not be, or, you know be or stay as closely on top of And then also expectations kind of going into 2021 around security side. So are there any kind of news or happenings going on in the industry that is worth noting to our audience that's that, you know, is kind of a big deal to the security space and at the same time what are you looking forward to going into 2021? Or what are you hoping will happen to kind of really take some major strides on the IoT front, as it relates to security? - [Greg] Some of the big, big things going on are certainly hopefully better use of cryptography moving forward.

There's some we find, you know I think there's been a change that we're finally getting better use of cryptography and encryption into IoT devices. The downside is they're using a lot of third-party libraries often again getting the cheapest one they can find often for free which may in itself had vulnerabilities in it. The worst thing you can have is vulnerabilities in crypto because you trust it.

But then, you know, everybody's if everybody's got the master key, that's that's not a good thing. So I think the standard should be a Hey let's hold our devices at least as good as an automatic teller. If we can secure those we can certainly just, you know, secure other stuff. It doesn't have to have that kind of investment like the physical tamper proofing, but at least for that basic level of crypto it's actually really easy to do. There's a great standard out there called FIPS 140 really easy to follow basic stuff. Even just awareness of that in dev shops before you use a crypto tool kit, please, you know make sure it's a good one.

Other changes I think, are that again we're seeing more of the manufacturers stepping up this year more hackathons, more, you know, Pwn2Own events we call them where there's going to be IoT components. And I think that it'd be great to see and I'm looking for and hoping I'm going to see more sponsorship, more interest from the manufacturers getting involved instead of being passive bystanders, you know really getting in there and that I think could be a quality differentiator amongst them. - [Ryan] Absolutely. And that's great. These insights have been pretty cool to listen to. I appreciate you taking the time to kind of share them with our audience. We, you know, we mentioned security.

We have some security experts here and there but some of the insights you've shared are very unique and I think very relevant to our audiences or what are and you should know, as it relates to the IoT front. If our audience is kind of, you know has additional questions or wants to learn more about Trend Micro or more about just like kind of what y'all are doing or anything follow up from this conversation what's the best way they can do that. - [Greg] Yeah. I think, you know, for contact with me, you know I'm on, I'm on LinkedIn as Greg Young with Trend Micro and on Twitter as @orangeklaxon, or you can find me just on Trend Micro and for the Trend Micro stuff we've got a whole bunch of public available research on IoT security, just, you know, search on Trend Micro IoT security. We've got some great reports. Like we just had some on self-driving buses in Taiwan. Both blind spots in ICS security, but the gateways and you know, also some smart city stuff.

We've got all kinds of research there on the, also the factory honeypot report has been published too. That's a, that's a great one. - [Ryan] Awesome. Okay.

Fantastic. Well, Greg, it's been great having you here. I really appreciate it and great meeting you and having you share your insights with our audience truly appreciate it. And hopefully we'll be able to have you back some time to talk more about what's going on in the industry and kind of, you know, the viewpoint from your side as well Trend Micro side, and just keep her, you know, our listeners up to date on all the things happening on the security front. - [Greg] Oh, it's my pleasure, Ryan.

Thanks a lot. I've been a long time listener first time caller. So it's been fun for me too. - [Ryan] It's great to have you. - [Greg] Cheers.

- [Ryan] Alright everyone thanks again for joining us this week on the IoT For All podcast. I hope you enjoyed this episode and if you did please leave us a rating or review and be sure to subscribe to our podcast on whichever platform you're listening to us on. Also, if you have a guest you'd like to see on the show please drop us a note at Ryan@IoTforall.com and we'll do everything we can to get them as a featured guest.

Other than that, thanks again for listening. And we'll see you next time.

2021-04-08
