The Internet of Things is, by virtue of the concept, an Internet of Things That Can Be Hacked. If it can be connected, it can be compromised – and, so too can everything else that connects to the Things.
This is not news to anyone who pays attention to the tech sector. The "security disaster waiting to happen" that is IoT has been discussed here before. High-profile IoT hacks have swept recent headlines, including hacks of cars, pacemakers, baby monitors, televisions and even toilets.
Even last year's notorious Target hack resulted from an Internet of Things vulnerability. Hackers managed to steal network credentials belonging to a third-party refrigeration and HVAC vendor. They then used those credentials to access Target's internal network and push malicious software to the retailer's cash registers and other point-of-sale devices. In doing so, they were able to steal data from millions upon millions of credit cards.
Still, the Internet of Things is not a technology that is slowing down. As Big Data gradually becomes Infinite Data while we necessarily progress from the Information Age to the Systems Age, IoT is becoming the next big thing by making the impossible-to-track amount of data created every moment more readily accessible to the enterprise.
In short, the Internet of Things is highly vulnerable – and it is not going away. It must, therefore, be secured.
Below is an outline of expert advice on some basic steps that every organization with an IoT solution should implement or at least seriously consider.
Expect Imperfect IoT Users
"My push in the industry is to drive awareness," said Bill Lucchini, senior vice president and general manager of security firm Sophos, during an executive roundtable panel on Internet of Things security at the recent Connected Cloud Summit in Boston. "We have to think about security up front."
Sadly, in a world where the most common password is "123456," user error is a common vulnerability – something Lucchini's fellow panelists were quick to point out.
"You could mis-install [the software]," pointed out Ken Carroll, Schneider Electric's vice president of software platforms. "You gotta recognize people could misuse things."
Paul Roberts, editor in chief of The Security Ledger and moderator of the panel, agreed with Carroll's assessment – and pointed out a related scenario: When the customer doesn't change the default password on an IoT device.
"Should the…vendor…compel users to do that?" Roberts wondered aloud. "Absolutely," answered Carroll.
Walk It Through
Perhaps the most fundamental part of the type of advance security mindfulness Lucchini stressed is asking "What if…?" – walking through every possibility.
"Mario," who asked not to be identified, is a security specialist at a Fortune 25 enterprise technology company. In an interview with eSecurity Planet, Mario pointed to last year's Target breach as a perfect example of why contingency planning is so important.
"Had [Target's] administrators walked through the various possible scenarios that could result from allowing a third party into their network, they might have been able to reduce or prevent the situation that did occur," said Mario. "Management want[ed] IT to provide access to heat and air sensors for their provider. What are the possible issues with providing the vendor with access to our internal network? To me, that raises so many red flags… Can we possibly isolate the pathways to those sensors in such a fashion as to provide [the third party with] access, but does not allow their traffic to traverse our network? Should we restrict said access to a limited number of systems within the vendor's network – possibly just the one gathering the data?"
The big lesson, as Mario put it: "Before making any proposed changes to a secure environment, walk through it. Get out of the shoe box you're in and look back inside. Use the 'what if' mindset to examine all possible angles of what might result from this change. See if your proposal covers those possibilities and protects you should something happen."
Audit Your IoT Infrastructure
Essential to this forward-thinking view is auditing all of the actual and potential connections to and within your network. Understand each device, understand each system, and understand the relationships among them. Extensive third-party penetration testing of both hardware and software may prove vital. This is especially important because of the proneness of certain embedded systems – not originally designed for connecting to a network – to latent IoT vulnerabilities.
Considering your infrastructure and your network traffic – especially in real time – is essential to achieving this advanced understanding.
"[Look] across the different protection points," Lucchini advised the Summit audience, "and…if [you] can understand what's going on with the network traffic…then you can triangulate in on the threat."
Indeed, experts advise building network zones and tracking the corresponding interactions.
"We watch for behaviors," said panel participant Stephen Dodson, chief technology officer of anomaly detection firm Prelert. Dodson offered a quick laundry list of red-flag-raising network events, including peer-to-peer activity, contacting a website with a bad reputation and "logging in to your [workstation] while your phone says you're three continents away."
All of this monitoring and tracking may entail building up your systems – and staff – to handle the data storage and analytics necessary to implement and maintain these security measures. Alternatively, outsourcing may be necessary.
"Often, traditionally, if you're looking at all the data that's flowing across your network...you need to be an expert, you need to be a data scientist, and you need to be able to store all this data," Prelert told Summit attendees. "There [are] not many companies that can afford that level of expertise and that sort of personnel."
Panelist Ralph Zottola, chief technology officer of research computing at the University of Massachusetts, told the audience that his organization uses special security software that allows his system administrators to better see malicious activities on their networks. "[W]e…have a lot of tools and we're getting a lot more information," he said.
Joe Stanganelli is a writer, attorney and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.