Cybersecurity investment: a neglected requirement
Recently, President Barack Obama held a cybersecurity summit in Silicon Valley to push for greater awareness and investment in cybersecurity. At this conference, venture capitalist Venky Ganesan, the managing director of Menlo Ventures, a major investor in cybersecurity, warned that not enough was being done to protect systems from hackers, despite recent high-profile attacks.
"We still are not spending the right amount of time and resources and money on the cybersecurity problem. It's much bigger than people think," said Ganesan. In fact, Ganesan said that only 5 percent of corporate information technology budgets are spent on security. "That's the equivalent of protecting a Tiffany's with a deadbolt. We need to make sure that we spend the right amount of money because this is an existential threat to our society," he said.
All too often, companies are looking at cybersecurity and asking, "What is the ROI for investing in security?" That is simply the wrong question to ask. Given the threat, cybersecurity should be considered a critical requirement, just as safety has been. The critical infrastructure, manufacturing, automotive and other industries have invested billions into safety.
Despite the growing risk, government initiatives and a growing awareness, companies are still, by and large, failing to invest in cybersecurity.
Security Challenges for Critical Infrastructure Devices
The IoT and IIoT (Industrial Internet of Things) comprise a wildly diverse range of device types: from small to large, from simple to complex, from consumer gadgets to sophisticated systems found in DoD, utility and industrial/manufacturing systems.
Although they are part of the expanding web-connected network, embedded devices are very different from standard PCs or other consumer devices. These industrial operational assets are commonly fixed-function devices that have been designed specifically to perform a specialized task.
Many of them use a specialized operating system such as VxWorks, Nucleus, INTEGRITY or MQX, or a stripped-down version of Linux. In many cases, installing new software on the system in the field either requires a specialized upgrade process or is simply not supported. In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms.
As a result, standard PC security solutions won't solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices.