Jump on a bus, bicycle, taxicab, or other form of transit in Mexico and you’re likely to be riding with Mobility ADO. Behind the scenes of many of these devices are connected technologies, which provide data on maintenance, operations, and more. In total, Mobility ADO has more than 38,000 endpoints under management.
In charge of protecting this wide variety of moving devices is CSO Hector Mendez and his team. I sat down with Hector to chat about the rapidly changing device landscape, as well as how the organization is adapting to emerging threats like the Ripple20 supply chain vulnerabilities.
The Ripple20 vulnerabilities affect potentially hundreds of millions of devices – how did you handle that threat when it was announced?
We try to be very proactive when it comes to these types of vulnerabilities. With Meltdown and Spectre, for instance, that was a very specific vulnerability that affected the processors inside of some of our machines. However, when you have 2,000 of these machines potentially affected, it becomes very costly and time-consuming to rebuild all of those systems, rebuild the applications, and renew everything. For this reason, we created policy rules to stop the impact of the vulnerabilities, instead of correcting them at the processor level. We took a similar approach to the Ripple20 vulnerabilities, which affect the underlying components of IoT and OT devices. We essentially stop and prevent the risk using Forescout and our rules.
As a CSO, how concerned are you overall about supply chain vulnerabilities as a risk to your organization?
Supply chain vulnerabilities are a relatively new risk category that we are paying increased attention to. The reality is that connected devices bring many benefits, but also drastically increase the attack surface of your organization. Supply chain vulnerabilities add a new layer of complexity towards mitigating that risk.
What types of devices can be found inside of your environment?
The first category of devices we have are our buses, which are equipped with devices and sensors that monitor all sorts of factors, including speed, problems with the engine, issues with the air conditioning, maintenance, and more. All of this is housed inside of a little computer inside the buses, which is then connected to the network by Wi-Fi. From there, we get all the information about the bus and its travel patterns. That data is tied to metrics for supporting the operations of the buses over time. On top of that, we also have mobile devices used to sell tickets and take registrations on the buses. These devices connect to cellular networks to transmit payment data and validate the tickets.
What are some of the unique challenges with securing a network that distributed?
We are essentially a fully remote workforce. While there are some people working in an office on desktops, the majority of our workforce needs to be able to connect on the go from the cab, their car, or their home. We utilize tools like an SSL portal for Active Directory and virtual desktops, but the security precautions need to extend beyond that, especially because most of these devices are not corporate-owned. We need to be able to enforce policies on these devices when they do connect to the corporate network, which is where Forescout comes in.
How do you think the role of the CSO has evolved in the last 10 years?
CSOs today need to be a business enabler. The first and most important thing is that IT people want their liberty. As a CSO, we can’t kill their freedom. We need to enable them. That’s why we’ve invested in technology like Forescout, which helps us not only discover all the devices in our environment but also enforce controls and compliance. It’s helped us detect bad things on our network that shouldn’t be there and protect it from cybersecurity threats and fraud. We do this today for 38,000 devices across 15 sites – all automated.