Cybersecurity in an edge computing world

Safeguarding the ever-expanding edge environment

February 14, 2024

Let's be honest, a Chief Information Security Officer (CISO) doesn’t have the easiest job in the world. Now the job is getting even "edgier" as more and more Internet of Things (IoT) and remote operational technology devices are being added to the already lengthy list of assets CISOs need to safeguard.

Health devices, water quality monitors, telemetry from smart cars; the list is growing and growing, as is the volume of data that these devices are generating. Shipping all this data to central servers makes little sense. Processing at the edge where the data is created can mean faster decision-making and reduced data transport costs. A recent Gartner® report 'Predicts 2024: Edge Computing Technologies are Gaining Traction and Maturity' [1] found "19% of respondents have already deployed edge computing and an additional 32% expect to deploy during the next three years."

When so many of the originating sources of data are devices that, by their nature, do not have sophisticated security defences, how does a CISO protect the streams of data that these devices are creating? While edge computing does not necessarily introduce brand new security risks, we do need to consider how these risks materialise in an edge environment, and determine if we have the appropriate controls to manage them.

Using the data where it is created

A helpful way to describe edge computing is by way of an example. Think of a smart car in self-drive mode. There are cameras around the car that allow it to monitor the movements of other vehicles, pedestrians, animals, and so on. Those images need to be processed in real-time so that if the car needs to suddenly brake or swerve to avoid an accident, the decision can be processed immediately and the car can take the most appropriate action. If there is a delay because the images need to be transmitted to a server elsewhere for processing and the decision relayed back to the vehicle, it could be the difference between whether or not an accident occurs. So the processing takes place on a server in the car: at the edge. Edge computing is all about processing data and making decisions as close to the point where the data is created as possible.

Here in New Zealand, Spark Business Group is working on a number of edge computing projects. Together with the Ministry for Primary Industries (MPI), we are working on a project to install cameras on fishing vessels, to verify fishers’ reported data, which helps manage New Zealand’s fisheries in a truly modern way. An important component of the system is the processing of video footage that happens onboard the vessel - at the edge. The results of that processing are then uploaded via Spark's 4G network to a cloud system, where further processing takes place. We are on track to deploy processing at the edge on all vessels operating with our equipment by the middle of this year.

Limitless possibilities

Edge computing has limitless possibilities, and currently, we’re only just scratching the surface of what it can offer. The only limit is human imagination and innovation. Current use cases include:

  • Smart city devices measuring everything from traffic patterns to air quality, with systems analysing and sending out alerts to city residents when needed
  • Farmers using systems to monitor various aspects of their farming operations, from moisture in the soil to the location of their animal stock
  • Healthcare devices used to monitor patient health and alert clinicians to anomalies that could indicate a life-threatening situation
  • Smart watches that gather data about the wearer's movements and send an alert if the wearer might have had a fall

All of the data in the use cases above requires real-time or near real-time processing. Few monitoring devices have the computing power to do analysis, requiring servers or other computing devices at the edge to analyse data, then pass on the results. Those results will be fed into the systems that will do more complex analysis, such as correlating the information from a variety of different devices that will help with making informed decisions.

Balancing on the edge: weighing security risks against the benefits of efficient processing

Like so many other aspects of security, it's necessary to find the balance between managing risk and reaping the benefits of a solution.

- Jenny Botton, CCL Head of Corporate Information Security, Governance & Assurance

If we apply too much security, we risk putting too many obstacles in the way of being able to use the technology effectively. Too little security, and we could have undesirable outcomes, such as a cyberattack resulting in physical damage or the devices themselves being used to launch an attack.

When your computing devices are no longer all housed in a secure, centralised data centre, risks relating to physical security are heightened. Devices can be more easily stolen or tampered with, meaning they either cannot collect or send data, or process it incorrectly. They may well be located in a rugged environment such as a fishing vessel, on a farm, or out on the road, meaning that there is a chance that the device will be damaged accidentally. I remember being told the story of soil moisture sensors being damaged because a group of curious Pūkeko decided to pull on the wires and subsequently chewed on the sensors. Choose devices that offer safeguards against physical tampering. If these are not available, use physical locks, place devices in restricted areas, and monitor them with systems that can detect physical interference.

System-based security risks also need to be re-evaluated. The proliferation of devices increases complexity, and it is important to make sure the operational systems supporting them do not introduce new vulnerabilities. Questions to ask yourself are:

  • Can our data be intercepted while it's being transmitted from the edge to its destination in the cloud or the data centre?
  • Could there be weaknesses in the design of our environment that could allow an attacker to use the devices as an entryway to gain access to the overall computing environment?
  • Do we know if we have any devices that have critical security vulnerabilities but have not been patched or updated?
  • Have we reviewed whether the devices connecting to our network have been shipped with weak access mechanisms, such as local accounts called "admin" with the password "admin"?

Our top considerations for securing your edge environment

  1. If you don't know what you have, you can't secure it
    Having an up-to-date inventory of the assets that you have in your environment is crucial. You need to know what the asset is, where it is, and who is responsible for it. Most importantly, figure out what your "crown jewels" are; these are the assets that are absolutely critical for your organisation's ability to keep operating, and so, they are the ones that deserve the greatest amount of protection.
  2. Segregate, segregate, segregate
    Separate your networks as far as it is practically possible for your environment using demilitarised zones or physical separation. This means if attackers break into one network, then they will have to jump additional hurdles to get into the next one.
  3. Have a good incident response plan and practise it
    There is a saying that there are two kinds of organisations: those that have had a security breach and those that don't know they have been breached. It is no longer a case of if but when. Your organisation will have a security incident at some stage, and even if it doesn't, you will experience a failure of the devices that you rely on for data. Develop your response plan for operational and security incidents, and ensure that you practise it so that it becomes second nature for the teams when they need to respond.
  4. Make sure you have disaster recovery in place
    In line with the previous consideration, there will come a day when you have an event that requires you to recover data from a portion of the system or, in the worst case, the entire system. Having backups that you have tested is not enough; if you need to rebuild the entire system, would your team know how to do that? Documenting your plans on how to recover is essential.
  5. Patch, patch, and patch again
    According to the Verizon 2023 Data Breach Investigations Report: "The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities". Make sure that either your team or your vendors are maintaining a vigorous patching routine to keep your devices secure. If you are relying on your vendors for patching, make sure that you have an agreement with metrics that you can use to measure their activities.
  6. Employ encryption
    Use cryptographic techniques to encrypt data at rest and in transit. If the data is "scrambled", then even if an attacker gets their hands on a device or manages to intercept the data while it is being transmitted, it will be meaningless to them.
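
One way to turn the questions above and considerations 1, 5 and 6 into a repeatable check, as an added example that is not part of the original article: each inventory record is audited for a missing location or owner, accounts still on the shipped password, unpatched critical vulnerabilities and unencrypted transport, with crown jewels reported first. The record fields, device names, locations and owners are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str                    # what the asset is
    location: str                # where it is ("" = not recorded)
    owner: str                   # who is responsible for it ("" = nobody recorded)
    crown_jewel: bool = False    # critical to the organisation's ability to keep operating
    default_password_accounts: list = field(default_factory=list)  # e.g. ["admin"]
    unpatched_critical: int = 0  # critical vulnerabilities with no patch applied
    encrypted_in_transit: bool = True

def audit(asset):
    """Return the list of findings for one inventory record."""
    findings = []
    if not asset.location:
        findings.append("location not recorded")
    if not asset.owner:
        findings.append("no responsible owner")
    for account in asset.default_password_accounts:
        findings.append(f"account '{account}' still uses the shipped password")
    if asset.unpatched_critical:
        findings.append(f"{asset.unpatched_critical} critical vulnerabilities unpatched")
    if not asset.encrypted_in_transit:
        findings.append("data leaves the device unencrypted")
    return findings

def prioritise(inventory):
    """Assets that have findings: crown jewels first, then most findings first."""
    flagged = [(asset, audit(asset)) for asset in inventory]
    flagged = [(asset, found) for asset, found in flagged if found]
    flagged.sort(key=lambda item: (not item[0].crown_jewel, -len(item[1]), item[0].name))
    return flagged

# Constructed sample inventory; none of these records come from the article.
INVENTORY = [
    Asset("soil-sensor-07", "north paddock", "farm-ops", default_password_accounts=["admin"]),
    Asset("vessel-camera-02", "fishing vessel", "", crown_jewel=True, unpatched_critical=2),
    Asset("edge-server-01", "fishing vessel", "platform-team", crown_jewel=True),
    Asset("air-quality-11", "", "city-iot", encrypted_in_transit=False),
]

if __name__ == "__main__":
    for asset, findings in prioritise(INVENTORY):
        tag = "CROWN JEWEL" if asset.crown_jewel else "standard"
        print(f"{asset.name} [{tag}]")
        for finding in findings:
            print(f"  - {finding}")
```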

Figuring out the strategy to protect your edge computing devices and networks can be daunting, especially with the growing number of devices that CISOs must manage. Operational teams are sometimes unaware of what security risks those new smart devices can introduce, and so IT security teams need to be across what their operational colleagues are planning and implementing. For example, the system and security architecture that works for a manufacturing environment is unlikely to work for cameras on boats monitoring fishing catch. While the risks may be similar, the means to manage the risks may be quite different.

That then leads to the question: if we have all this edge computing gear generating all this data, where does that information ultimately end up and how do we manage the whole environment? This is where considering hybrid cloud solutions may be useful, especially where organisations need to cater for a mix of computing environments and rapidly evolving processes. Working out what will suit your organisation's environment and finding the balance between security risks and maximising the benefits of edge computing can be a complex program of work.

The considerations above are our top picks, but this is by no means a complete list. If you're looking for advice and guidance on what to do, our team are here to lend a hand.

Jenny Botton
CCL Head of Corporate Information Security, Governance & Assurance

ABOUT THE AUTHOR

Jenny Botton leads CCL's internal security and governance team. She has almost 30 years of risk consulting and security experience, which she uses to manage CCL's security risk posture and ensure that CCL's products and services are secure by design and implementation.

[1] Gartner, Predicts 2024: Edge Computing Technologies Are Gaining Traction and Maturity: A Gartner Trend Insight Report, Thomas Bittman, Toni Iams, Sandeep Unni, Eric Goodness and Bob Gill, 18 October 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
