The age of IoT brings us new opportunities, but challenges along with them: IoT devices of all kinds are being attacked by cybercriminals. IoT must be secure to deliver the efficiency and productivity it offers.
The IoT attack surface is expansive, and it’s growing. There are over 8.4 billion IoT connected devices today, and that number is predicted to grow to 20 billion by 2020.[1]
The Wonder Of The IoT
IoT helps us run our businesses, provides healthcare for patients who require ongoing monitoring, manages resources for manufacturers and agricultural organizations, and it does all this faster and more efficiently than we’ve been able to do ever before.
Americans and others throughout the world use smart devices to run HVAC systems, oil drills, manufacturing machines, jet engine components, surveillance systems, and much more. We no longer need to be where these devices are. We can remotely access them via the Internet of Things.
But IoT devices aren’t built with security in mind, and cybercriminals are already exploiting their vulnerabilities.
We Went One Step Too Far
In our wonder and enthusiasm to adopt the Internet of Things, somewhere along the way, security was left behind. Consumers and businesses alike were so anxious to take advantage of the IoT benefits that we forgot about its challenges. Security is the major challenge, and at present, we’re not meeting it. It has taken a back seat to connectivity.
According to the Department of Justice:
Unfortunately, IoT devices have also become an increasingly attractive target for criminals. To attack IoT devices, cybercriminals often probe the devices for security vulnerabilities and then install malicious software (“malware”). This malware surreptitiously takes control of the device. It can also damage the device, gain unauthorized access to the data on the device, and otherwise affect the device’s operation without permission. Installed malware may not only compromise the operation and information security of the infected IoT device but can also provide hackers a conduit for penetrating other electronic devices on the same network. Unless appropriate precautions are taken, malware can quickly spread across networks of IoT devices without a user opening a file, clicking on a link, or doing anything other than turning on an Internet-connected device.
Think First–Connect Second
An employee who brings in an IoT device and connects it to your network, or an operations department that connects IoT devices, might not be aware that they could jeopardize your IT security.
The Security Challenges IoT Poses (McKinsey & Company)
Gaps In Technical Sophistication
By nature, a complex system of connected devices opens many new attack vectors, even if each device is secure when used independently. Since a system’s most vulnerable point determines its overall security level, a comprehensive, end-to-end approach is required to secure it. Such approaches are difficult to develop, however, because most hackers concentrate on breaching a specific element within the technology stack by using one methodology. By contrast, system operators or integrators must provide end-to-end protection against all possible attack vectors, dividing their attention and resources across the system.
It is not yet clear who will take the lead in developing end-to-end security solutions for the IoT. Component suppliers and OEMs are not well positioned to accomplish this task since the IoT includes such a broad network of devices of different provenance. Integrators are better positioned to provide solutions, but they often lack the necessary capabilities.
Standards Are Absent Or Immature
The IoT lacks well-established overarching standards that describe how the different parts of the technology stack should interact. Instead, large players and industry organizations use their own solutions. Some segments, such as industrials, still rely on a small set of proprietary, incompatible technology standards issued by the major players, as they have done for many years. In other segments, such as automotive or smart buildings, standards are rudimentary. This lack of standards may slow IoT adoption or discourage device manufacturers and others from developing new technological solutions since they do not know whether their innovations will meet the guidelines that eventually become dominant. In addition, IoT players will have difficulty developing end-to-end security solutions without common standards.
Customers And End Users View IoT Security As A Commodity
Research confirmed that customers and producers consider security essential, but they also view it as a commodity—a basic feature that does not merit higher prices. This creates a fundamental disconnect between the desire for security and the willingness to pay for it. In their survey, 31 percent of semiconductor leaders claimed that their manufacturing customers want to try to avoid all security breaches at any cost; an additional 38 percent believed that their customers want security solutions that eliminate at least 98 percent of potential risks. Only 15 percent of respondents believed that their customers would be willing to pay a premium higher than 20 percent for the next tier of enhanced chip security. More than 40 percent indicated that their customers either are unwilling to pay any premium or expect security costs to decline.[3]
IoT has become the new, more popular attack vector. In the fall of 2016, millions of IoT devices were easily and remotely compromised by Mirai.[4] In June 2017, the UK reported that 92 percent of attacks against businesses targeted IoT devices.[5] IoT is now the go-to exploitation avenue for cybercriminals.
IoT devices are designed to connect to the internet. They will actively seek connections whether you want them to or not. This invites attackers who want to find and connect to these devices without you knowing it.
IoT devices can connect to your network but still be invisible to you. You can’t control and manage what you can’t see.
Standard Security Solutions Aren’t The Answer
IoT has expanded the attack surface and provided hackers an easy target. It’s a new arena where the traditional methods of security won’t be enough. This means the exposure is real today.
You can’t put a security agent on these devices. Add to this the fact that, in too many cases, those that do have IDs and passwords are never updated, and that security is lacking where user interfaces are concerned. This makes IoT devices essentially defenseless.
Endpoint protection doesn’t address the issue because most devices can’t host an agent.
Mobile Device Management (MDM) solutions are costly and require administration services that many don’t want to deal with. Plus, MDM doesn’t address a large number of devices that visitors, vendors, clients, and others bring into facilities. And many IoT devices don’t have an easy way to automate firmware updates.
Network Solutions only see the IoT device when it’s connected to the network. Those that use a wireless connection to a rogue or shadow network are invisible.
802.1x: This doesn’t work for devices that can’t use certificates, and even if they whitelist IoT devices, they don’t address situations where a 3rd-party device masquerades as an allowable device. Plus, they don’t recognize infected devices that still have access privileges.
What To Do?
IoT Security 101
Your solution must be capable of finding all IoT devices, know what they’re doing, and take action proactively to protect your organization if they pose a threat.
An agentless solution is essential because it’s the only way to protect against attacks targeted at these devices. Without a security solution with agentless visibility, any IoT device can connect to your network and remain invisible. Cybercriminals know this.
It’s critical to be able to see all the devices in your environment. However, this isn’t possible with traditional networking and network access solutions. Devices that are off the approved or managed networks are outside the kill chain. You need a solution to see devices that are “off” the approved or managed network.
Once you identify IoT devices, you must track them. This means you must fingerprint and profile all devices, determine the status of each device, associate them with approved users, and track their connections and behavior. You must be able to assess the policy compliance or posture of each device.
Visibility is crucial. And once devices are discovered, you must take action to:
- Stop IoT devices from connecting to unmanaged, unapproved, or rogue networks or to corporate or approved networks.
- Set up policies for critical alerts.
- Manually stop a device from connecting, as well as automatically disconnect devices and networks.
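As an added example (not part of the original article or of any vendor product), the following Python code applies the steps above to passive sensor observations: it matches each device against an approved inventory, flags an allow-listed address whose fingerprint does not match (the masquerading case noted under 802.1x), and records a decision per device. The inventory, fingerprint format, network names, and the alert/disconnect policy are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed approved inventory: MAC -> (expected fingerprint, owner, allowed networks).
APPROVED = {
    "aa:bb:cc:00:00:01": ("hvac/dhcp-opts:1,3,6,15", "facilities", {"corp-iot"}),
    "aa:bb:cc:00:00:02": ("camera/dhcp-opts:1,3,6,42", "security", {"corp-iot"}),
}

@dataclass(frozen=True)
class Observation:
    mac: str          # hardware address seen by a passive sensor
    fingerprint: str  # device class plus DHCP option order (hypothetical format)
    network: str      # SSID or VLAN the device joined

def assess(obs: Observation) -> tuple[str, str]:
    """Return (action, reason) for one observation under the assumed policy."""
    entry = APPROVED.get(obs.mac.lower())
    if entry is None:
        return "alert", "device not in inventory"
    fingerprint, owner, networks = entry
    if obs.fingerprint != fingerprint:
        # An allow-listed MAC with the wrong profile: possible masquerading device.
        return "disconnect", f"fingerprint mismatch for {owner} device"
    if obs.network not in networks:
        return "disconnect", f"{owner} device on unapproved network {obs.network}"
    return "allow", f"matches inventory entry owned by {owner}"

def review(observations: list[Observation]) -> dict[str, list[tuple[str, str]]]:
    """Track every decision per device so the history can be documented later."""
    history: dict[str, list[tuple[str, str]]] = {}
    for obs in observations:
        history.setdefault(obs.mac.lower(), []).append(assess(obs))
    return history

# Constructed sensor output for illustration.
SAMPLE = [
    Observation("AA:BB:CC:00:00:01", "hvac/dhcp-opts:1,3,6,15", "corp-iot"),
    Observation("aa:bb:cc:00:00:02", "linux-laptop/dhcp-opts:1,28,2,3", "corp-iot"),
    Observation("aa:bb:cc:00:00:01", "hvac/dhcp-opts:1,3,6,15", "guest-hotspot"),
    Observation("de:ad:be:ef:00:09", "smart-tv/dhcp-opts:1,3,6", "corp-iot"),
]

if __name__ == "__main__":
    for mac, decisions in review(SAMPLE).items():
        for action, reason in decisions:
            print(f"{mac}  {action:<10}  {reason}")
```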
Once your security solution is in place, be sure to collect data and document everything so you can assess if you’ve missed anything and learn from mistakes.