The Internet of Things (IoT) is everywhere. For most, the utility of having Internet-connected, fully-capable computing baked into everyday objects is a great leap forward in technological capability—surveillance cameras that alert our cellphones when they see something suspicious, thermostats that check tomorrow’s weather report, and ovens that can look up recipes. All very practical. However, for many IT security professionals IoT has become an invisible, pervasive threat, lurking like mosquitos in the bogs of our organizations.
OWASP IoT Top Ten
In several weeks, the Open Web Application Security Project (OWASP) will release an update to the OWASP IoT Top 10 20181 that will likely include the following security issues:
- Weak, guessable passwords
- Insecure protocols
- Insecure access interfaces
- Insecure components
- Lack of secure update mechanisms
- Insufficient privacy
- Insecure data transfer
- Lack of physical hardening
- Insufficient security configuration
- Lack of device management
None of these security problems are unexpected for anyone who’s looked at IoT security (or the lack thereof). But what level of danger does this present for organizations?
The Advancing Threat of IoT
Back in January 2017, F5 Labs talked about how IoT threats were about to grow beyond denial-of-service and move into other areas of cybercrime. Just like any other area of technological adoption, we’ve seen IoT hacking move from an explorer phase (where grey hat hackers dabble with pranks), to a pioneer phase (with new criminal business models being explored, such as DDoS thingbots). Now we are entering a period of full commercial exploitation with massive thingbot networks, cryptocurrency mining,2 and wholesale invasions of privacy.3 Indeed, F5 Labs researchers have uncovered and documented how IoT represents an existential threats to our modern way of life.
Caging the Threat
What can IT and cyber-security professionals do about this? Jared Reimer, the founder and CTO of Cascadeo, asks, “Does any IT department or CISO really know about the myriad IoT stuff already going on within their companies? Of course, the IoT is a back door into otherwise-secure networks and supporting infrastructure, but what else?”
Indeed, IoT devices run stripped-down operating systems (usually Linux) which are far from the standard enterprise-manageable computers racked in secure facilities attached to managed networks. IoT is designed to be plug-and-play and live anywhere using all kinds of connectivity—including network cables, Wi-Fi, and even cellular gateways. This represents the first challenge for IT: locating and classifying the IoT devices within the organization.
Does any IT department or CISO really know about the myriad IoT stuff already going on within their companies?
Step 1: Communicate a Policy of IoT Custodianship
The first step in attacking this problem is to set and communicate a policy of ownership for IoT devices across the enterprise. This is not as straightforward as one who would think. There are a lot of devices and tools that traditionally fall outside the purview of IT that now have IoT capability. For example, F5 Labs discovered vulnerable IoT gateways as part of emergency responder vehicle fleets. The responsibility for management and lockdown for these devices may have fallen to auto mechanics or even the drivers themselves. It is because IoT is invisibly embedded in what was once non-Internet connected “things” such as vehicles, doors, pumps, and HVAC systems that it escapes notice. There needs to a clear policy with associated training for the entire organization: before anyone purchases, uses, or connects any device with a computer in it, IT must be consulted. The training should stress the reason why: inattention to IoT security could lead to severe cyber-security incidents at your company or others. Provide examples, such as how IoT coffee pots can be co-opted into a thingbots or how police cars can be tracked by anonymous attackers via IoT privacy leakage.
Step 2: Define Acceptable IoT
Second, the security team needs to provide a secure and practical standard for IoT usage within the organization. The OWASP IoT Top 10 is a good guide of what you don’t want to have running in your organization. Kip Boyle, CEO of Cyber Risk Opportunities, suggests, “IoT requirements should include capabilities for secure configuration and centralized management from makers that release regular security updates.” Kip also notes that “you should be cheerfully prepared to spend more to get the IoT security you deserve.”
IoT requirements should include capabilities for secure configuration and centralized management from makers that release regular security updates.
Step 3: Investigate the State of IoT Usage within Your Organization
Never believe what you’ve been told or your own assumptions. You need to find out for yourself what IoT devices are already in use within your environment. It’s dangerously naïve to assume there aren’t any in place already. Just like standard IT security risk assessment, you need to be aware of your assets, controls, and potential vulnerabilities before proceeding further. It’s likely that this discovery process will entail a mixture of scanning, interviews, and project reviews. Since IoT devices are often manageable over a network interface, you should be scanning for shadow IoT on service ports for Telnet, SNMP, MQTT, FTP, HTTP, HTTPS, and SSH. IoT devices often collect and transmit data, so you should also watch for outbound transmissions from unexpected devices. This kind of scanning is not a one-off event but an ongoing part of security hygiene—not only to ensure that no unknown IoT devices are introduced, but also to make certain that policies and standards are being enforced.
Step 4: Fence It All In
Once you know what you’ve got and what your organization is using, it’s a good idea to wrap network controls around the IoT systems. This is especially important as IoT systems—with their myriad remote management and data transmission methods—may have a much larger attack surface than your other computing systems. A typical IoT system is probably going to have a stripped-down Linux operating system with a minimum viable custom application running on it. These kinds of systems are going to have security shortcomings. Despite having standards and requirements for IoT, the security team may still find itself being forced to accept weaker IoT systems onto their network because of business requirements. This is where we need to look at adding controls, beginning with network access control.
Any IoT system that doesn’t absolutely need remote connection from outside your organization (and very few devices actually need this) should be network-segregated away from the outside network. It is extremely rare that anything on the Internet should be required to touch your IoT devices. This segregation can be done with VLANs, network access control lists or, best of all, firewalls. For any IoT system that needs to communicate and cross the firewall, the connection should be authenticated and verified according to the level of trust you place in it. Basic levels of trust can include:
- Unknown and completely untrusted IoT device: We don’t know what this is, but we assume It’s not good, so we’ll segregate it away until we learn more.
- Discovered but not verifiably trustworthy IoT device: We know what this is, but we still need to check its software and make sure it’s appropriately hardened and patched.
- Verified trusted for specific functions: We know what this is, what state it’s in, and what it’s supposed to be doing. We’ll let it perform its approved functions and only those functions.
Step 5: Monitor and Watch
As with any other significant activity on your networks, all IoT connections should be logged and reviewed for suspicious activity. Make sure you are monitoring which IoT devices are talking to what or whom outside of your organization, and what information and commands are flowing back and forth. Depending on the nature of these data flows, you may discover you need addition controls such as Transport Layer Security. Logs should be made any time a system is moved from one trust level to another as these are security-noteworthy events. Logs should also keep track of your inventory of IoT systems, which is a useful metric to track and share.
In general, IoT represents a whole new IT security paradigm, as well as an exponential increase in potential threats. Getting a handle on the problem within your organization is a necessity—and the sooner the better. Begin by communicating the problem to the organization. Then find and fence off how the IoT systems communicate based on how much trust and confidence you place in them. We all need to realize the IoT is here to stay, so we need to find a way to use it with acceptable levels of risk.