Imagine permitting anyone around the world to remotely access data within your organization or to run computers, equipment, and machinery. Now consider the fact that there are billions of business devices—from basic security cameras, barcode readers, smart locks and smart lighting through more sophisticated building automation systems and industrial machines—all connected within the larger Internet of Things, or IoT.
This vast network consists of unrelated machines and computing devices that transfer data without human-to-computer or human-to-human interaction. What is more, the number of developers and manufacturers embedding their products with smart technology is growing, sparked by consumer demand for convenient data access, management, and tracking from any location using any desktop computer, portable laptop, or mobile phone.
Smart devices are in place throughout financial, energy, government, and utilities sectors, helping businesses minimize operating cost, improve productivity, enhance the customer experience, elevate workplace safety, and mobilize staff. And benefits are being reaped by everyone from small neighborhood businesses through global enterprises. It’s already transformed the patient experience within the medical and healthcare environment. IoT has improved motor vehicle safety and traffic flows within transportation systems, and it’s provided the ability to evaluate statistical data and control processes within manufacturing industries.
But as with most technical advances, IoT introduces another layer of business risk. This is because smart devices open a network up for potential access, devices that include not only company-controlled equipment but also small and seemingly innocuous gadgets brought on site every day by employees and contractors.
The IoT Security Landscape
A survey conducted by Tripwire in partnership with Dimensional Research in 2017 found that 96 percent of respondents for whom digital security was a significant aspect of their job expected an increase in Industrial Internet of Things, or IIoT, security attacks. This along with government regulations have led organizations to invest more heavily in IoT security technologies, whether at the network level or in the form of IoT authentication, such as digital certificates, two-factor authentication, and biometrics. Data encryption is another strategy companies might use to maintain data integrity and IoT device security. IoT API security, PKI, and security analytics are also emerging as viable options for detecting and thwarting intrusions.
The inherent risk that accompanies the use of IoT or smart technology and the need for IoT security surfaced as far back as 2014 with Stuxnet, an attack targeting industrial programmable logic controllers, or PLCs. This was said to have been aimed at damaging an Iranian uranium enrichment facility. Stuxnet ultimately destroyed as many as 1,000 centrifuges. A few years later, in 2016, cybercriminals conducted a DDoS attack in Finland exploiting a gap in an organization’s IoT security, which shut down heating systems across two buildings, an act that was detrimental given the country’s bitter cold temperatures. Recent research also noted that millions of consumer electronics and security cameras have been embedded with peer-to-peer communications technology offering no encryption or authentication, which gives cybercriminals the ability to form a direct connection, bypassing firewall restrictions.
Top IoT Security Risks
Unlike traditional networks, IoT is composed of billions of independent devices, each of which bringing a broad range of capabilities, standards, and protocols. This can make security far more complex.
As a result, IoT devices have become attractive playgrounds for cybercriminals looking to access sensitive data, to sabotage operations, or to form botnets. For example, an attacker might access a basic office printer and, in doing so, view all information scanned or printed through that machine. A smart printer, thermostat, or security camera can also offer a connection to the business network, thus potentially exposing a slew of proprietary data.
Once hacked, the device’s functions can be controlled remotely, providing a cybercriminal with the ability to do anything from halting a building’s heating system to wreaking havoc on critical equipment necessary for daily operations including assembly lines.
IoT devices are also shown to be rich targets for hackers building botnets, large networks of infected devices often employed to run Distributed Denial of Service, or DDoS, attacks that flood servers with more requests than can be feasibly handled within a given timespan to bring it down. Beyond this, smart devices provide access points for eavesdropping or infecting networks with malware, with hackers often requiring a ransom payment before a business is allowed to resume normal operations.
While preventing an IoT security breach resides in part with device developers, users also need to take steps to secure their IoT devices at the network once in hand. So what steps can a business take to prevent takedown or data breach? The following are our top ten strategies to balance the inherent benefits of smart technology with the need for IoT security.
Top Ten IoT Security Strategies
- Change default passwords. The first step to improving IoT security can seem commonsense. But as security consultants, we run into default passwords all the time. We recommend that businesses establish and enforce procedures to change default passwords for every IoT device on the network. The updated passwords should be changed over a period of time. The passwords can be stored in a password vault similar to how service accounts and privileged user passwords are protected. This can help seal that backdoor into the network and thwart unauthorized users from obtaining access to sensitive information.
- Separate the corporate network. Whenever possible, separate the corporate network from vendor-managed and unmanaged IoT devices. This might include HVAC systems, security cameras, temperature control devices, electronic signage, smart televisions, media centers, security DVRs and NVRs, network-connected clocks, and network-connected lighting. Use VLANs to separate and keep track of various IoT devices on the network and to manage important functions such as facility operations, security operations, and medical equipment. Lastly, apply an Access Control List, or ACL, to VLANs or network access ports whenever possible to limit communication to the least amount that is required for device operation.
- Prevent IoT devices from communicating with the internet unless absolutely necessary. Many devices run archaic operating systems, and many embedded operating systems can be used to reach out to command and control locations. We’ve even come across systems that had been compromised before they were shipped from other countries. While it’s impossible to completely eliminate an IoT security threat, you can prevent IoT devices from communicating outside of your organization unless absolutely necessary. Doing so can seal a potential backdoor into your network and notably reduce the risk of an average IoT security breach.
- Control which vendors are allowed remote access to IoT devices. To improve IoT security, businesses can put controls in place to limit the number of vendors granted remote access to IoT devices. Access can be limited to those individuals performing tasks under the supervision of knowledgeable employees, which might include access through remote hands, such as WebEx. When remote access is absolutely necessary, ensure those vendors use the same solutions as would in-house personnel. This may include access through the corporate VPN solution. Companies should also designate a staff member as the individual responsible for monitoring remote access solutions on a daily basis. This includes tracking all changes back to an approved change management ticket. If vendors must access the network, it is important that vendor due diligence and risk reviews are performed on a regular basis. Finally, scrutinize any unusual remote login behavior, such as after-hour logins or failed login attempts. If at all possible, all remote access should be limited and controlled.
- Implement a Network Access Control (NAC) solution. A NAC solution with proper switch and wireless integrations can help an organization improve IoT security by detecting most devices and identifying rogue connections to the network. It can also apply controls to the devices that are not authorized or granted merely limited access to the network. If a NAC solution is not in the budget, a solid network scanning utility or vulnerability scanner may be used to identify devices. When those responsible for IoT security within an organization understand where each device is located, it’s easier to apply manual restrictions on the switch ports and wireless controllers on which devices might be connected. A NAC solution like ForeScout, CISCO ISE, or Aruba ClearPass are great tools when looking at options to secure your network.
- Implement a vulnerability scanner as soon as possible. Vulnerability scanners from commercial vendors are effective in detecting the types of devices connected to a network and are thus useful tools for organizations looking to enhance their IoT security. The use of a vulnerability scanner along with a regular scanning schedule can uncover known vulnerabilities associated with connected devices and are a great start for companies looking to get their IoT environment under control. There are many affordable vulnerability scanners on the market. If a vulnerability scanner is out of the question, consider implementing free scanning options like NMAP. A lot of device types, and vulnerabilities, can be identified with basic NMAP options.
- Run an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) on the network. While continually running an IDS or IPS on your network will not detect all malicious network traffic, it can offer a good indication when an IoT device has been compromised should it traverse the IDS/IPS. Businesses can choose one of many commercial and non-commercial versions available. We also recommend that businesses update their signatures regularly to catch known attack patterns once an IDS is in place. A lot of IDS/IPS solutions will pick up communication to known threat locations. If it picks up internal systems communicating outbound to a known threat location, this is a key indicator that a system is compromised. There are ways to obfuscate the attack, but having a good IDS/IPS in place is a great way to catch, and hopefully block, many attacks in progress.
- Ensure proper management of all IoT devices. Proper device management includes both patch management at the local device level along with enterprise-wide inventory management. Inventory management will ensure remotely managed devices are cataloged, with records in place detailing registration, configuration, authentication, and other pertinent device data. Once your company knows where IoT devices are on the network, assign an owner to manage each device type and designate one individual to handle regular device updates. If a device requires internet access, we recommend granting access only on a limited basis, or restricting access to the update location only. This can be done with proper firewall management practices.
- Restrict internal and external port communication on your firewalls. To elevate IoT security, we also recommend that companies prevent outbound communication unless that communication is specifically required. Ports 80 and 443, typically associated with the internet, are common services that are open from the corporate network. But 80/443 might not be required for other VLANs associated with specific device types. These two ports are known to pose significant network threats since they allow web surfing, are rarely monitored, and offer an entry path into the network. It is very common for malicious hackers and identity thieves to use those ports to exfiltrate data, as they are often left open in most organizations. This could allow a backdoor into the organization.
- Remove unsupported operating systems, applications, and devices from the network. To improve IoT security, conduct an inventory that reveals which operating system a device might be running. Microsoft no longer patches Windows XP or Windows 7, with several Linux flavors likely unsupported, as well. If you can no longer patch that operating system, it shouldn't be connected on the network. If the vendor has gone out of business or no longer provides updates for the device, it also should not be connected to the network.
By implementing a few basic IoT security precautions, businesses can seal common entry points into their network. Then, when the time comes for a more advanced strategy or to outsource the IoT security function, a cyber security consulting firm can help. Cyber Security Services offers a range of tools and services to help identify IoT risks in your organization.
About Cyber Security Services
Cyber Security Services is a consulting firm and security operations center (SOC) headquartered out of Columbus, Ohio. The company provides IoT security solutions, virtual CISO services, security monitoring, penetration testing, around-the-clock monitoring, cyber security product expertise, and security consulting for clients nationwide.
By Matt Santill, CISSP
Cyber Security Consultant