The computer industry seems to prefer playing catch-up when it comes to security. When PCs and servers came onto the scene, they were wide open to viruses. It took years for basic safeguards to be developed, promoted and adopted. And mobile security has only recently begun to get attention after a few well-publicized mobile malware attacks.
You would think by now the lesson would have been learned — design security into new technologies from the get-go to avoid huge problems down the road. But once again we're headed down the same perilous path.
Security Taking a Back Seat in IoT's Exponential Growth
The Internet of Things (IoT) seems destined to repeat the errors of the past by throwing out functionality with great rapidity, standing aside idly to let its vulnerabilities be exposed, and only then plugging the holes with some kind of Internet of Things security fix. But by then, it may be too late.
Why? The headlong rush toward an IoT world is in full swing, and it's easy to understand what all the fuss is about.
The IoT enables the automation and real-time synchronization of business processes and devices that were formerly inefficient due to their inability to continuously adapt to environmental variables, inputs and shifts in demand. The permeation and propagation of the IoT holds the promise of convenience, precise response to real-time events and far better resource allocation.
“IoT devices assist businesses in real-time responses to supply-and-demand market effects, they empower patients and healthcare professionals to continuously monitor conditions, and they enable electric grid operators to adjust the production, flow, and cost of electricity according to real-time market demands to ensure the most efficient, resilient, and cost-effective solution,” says James Scott, senior fellow at the Institute for Critical Infrastructure Technology, a Washington DC-based cybersecurity think tank.
Internet of Things Security Concerns Loom Large
But with hundreds of companies rushing to create whole new markets, security is lagging badly. Even where responsible market entrants incorporate best practices, they are assailed by cut-rate competitors who slash costs in part by skipping even the most basic security safeguards.
Last year’s DDoS attack on managed DNS provider Dyn brought the danger into sharp focus.
“As was shown in the Dyn attack, we appear doomed to repeat the mistakes we made with PCs and mobile devices in IoT,” says Tom Byrnes, founder and CTO of ThreatSTOP. “Once again, cost reduction has made security an afterthought, if a consideration at all, with predictably disastrous consequences.”
However, the IoT makes this exponentially worse than it was with PCs and mobile devices because of the number and importance of connection points, and the fact that they are not directly interfacing with users who might notice something amiss. The Mirai botnet event showed criminals and nation states how easy it is to use IoT sensors and devices as drones.
The Importance of IoT Security
Intel predicts 200 billion IoT devices will be online by 2020, which is approximately 26 devices per person. But that may be a conservative estimate, and the potential vulnerabilities are troubling.
“Most IoT devices and sensors lack any form of security or security-by-design,” says Scott. “Without layered security of the IoT microcosms, hacktivists can disrupt business operations, cyber-criminals can compromise and ransom pacemakers, and cyber-jihadists or nation-state sponsored threats can compromise and control the grid,” to name just a few of the potential IoT security attack scenarios.
Scott urges that serious attention be given to securing IoT devices according to best practices. That starts by making security a fundamental part of the design of any IoT-related systems, devices, sensors or equipment. If such steps remain a low priority for the next few years, we don’t have the luxury of mirroring what occurred with the mobile phone, server or PC markets — adding security gradually after the fact. There will rapidly be too many IoT devices out there to make that an achievable goal.
Think of it like this: there are millions of cars on the road that need faulty airbags replaced. Yet despite the vast number of car dealership networks on the planet, most simply can’t keep up — there are backlogs of many months everywhere. And that’s just dealing with a scale of millions. Once you leap up to the hundreds of billions, it becomes impossible to address so many individual points.
“Every IoT device has inherent vulnerabilities and exploitable weaknesses resulting from a culture that sacrifices security in the design process in favor of meager savings and in the rush to market,” says Scott. “The overwhelming preponderance of insecure IoT devices in the future will render security an impossibility in the future.”
IoT Device Security Vulnerabilities
Tom DeSot, Chief Information Officer at Digital Defense, believes it is inevitable that as more smart thermostats, refrigerators, medical equipment and a myriad of other IOT devices come online, the number of attacks will rise steeply. These attacks could be large in scale, or in many cases could be tailored into a targeted attack at an individual or business — suddenly the toaster in the staff café or someone’s personal fitness band is being used to infiltrate the entire network.
What kind of vulnerabilities are we talking about? Some of the primary vulnerabilities that exist today are hard-coded usernames and passwords in firmware, in tandem with the inability of the user (whether it is a person or a company) to update the password. Additionally, there may be services running such as a web server that acts as the user interface that can fall out of date. This leaves the user with no way to update it and exposes the device to external influences.
This isn’t just vendor scaremongering aimed at selling more software or systems. IoT security attacks are real and on the rise. Last fall, for example, Mirai and other malware leveraged routers, CCTV cameras and home DVR units into DDoS botnets that nearly took down parts of the Internet.
It’s hard for many people to understand the scale or extent of the problem. No longer is it one PC, one laptop or even one company. Energy sector sensors can be compromised to inflict harm to critical systems or to facilitate lateral movement within the network. Pacemakers, insulin and morphine pumps and other medical devices can easily and remotely be compromised to harm patients. What this adds up to is that lives can be lost, cellular networks can be taken down, and entire chunks of the web can suddenly go offline.
“One research team even developed a worm capable of laterally spreading throughout a city to each and every IoT device and enabling the attacker to control the devices,” says Scott.
Internet of Things Security Challenges
Major challenges clearly lie in our path if we are to realize the promise of an uber-connected world while maintaining Internet of Things security. First and foremost, the industry has to overcome its tendency to place adoption ahead of security. Campaigns have to be run to raise awareness that IoT devices need to be secured. Plug-and-play, default settings, and wide-open devices are not conducive to a secure environment — yet they represent the bulk of current IoT products and services.
To make matters worse, many if not most IoT devices lack the computational power or battery life to host security applications. This prevents the implementation of holistic layered security solutions. That said, any effort to implement sensible IoT security can’t be used as an excuse to raise costs dramatically. That will inhibit the technology rollout and will likely cause a backlash against IoT security safeguards.
“We need to develop cost-effective IoT devices that incorporate security-by-design rather than cheaper and less secure alternatives,” says Scott. “While that may save a few dollars in the short-term, it puts the public and critical infrastructure at risk of losing millions of dollars and valuable data in the long-term.”
Further challenges surround legacy devices and the lack of platform standardization that makes it very difficult to ensure holistic security.
“With old devices lasting longer than ever before, there are many devices currently in use that do not support new standards,” says Sam Rehman, Chief Technology Officer of Arxan. “Hackers will always see legacy devices as a prime choice of entry.”
Security Requirements for the IoT
There are a number of IoT security best practices users can follow now.
The proliferation of so many potentially insecure devices necessitates certain steps and a sensible layout of basic safeguards. IoT devices should be segregated from the rest of the enterprise network using VLANs or other technologies such as firewalls, suggests DeSot. This helps ensure that should one or more IoT endpoints become compromised, they do not lend themselves to acting as a pivot point into other parts of the network. Additionally, if the IoT device has the capability to turn off services (web servers, etc.) then the business should do so if they are not needed for the everyday business function of the IoT device.
Scott points out the key aspect to address is hardening the security settings and layering IoT security solutions onto devices. They should only be accessible as necessary by the minimal number of trusted devices, traffic and personnel. The device should be penetration-tested, should support encryption, and should require strong, complex credentials (and multi-factor authentication for some devices) for remote administration. Activity should be logged, analyzed in near real-time, and automatically acted upon when necessary. Devices themselves should be physically secured, regularly updated, and technically compatible with other systems.
“At the simplest level, companies should be incorporating security-by-design throughout the development and production process,” says Scott. “Consumers should be only purchasing these more secure and resilient devices that were developed according to NIST 800-160, they should be hardening the default settings, and they should be protecting the devices behind layers of security solutions from reputable vendors.”
Education is another part of the equation. Before purchasing and installing IoT devices, the IT department should ensure they are aware of the IoT security vulnerabilities that the technology presents in order to make the decision as to whether the risk is worth the reward of having the device. Once they make the decision to purchase the device, they should implement it in such a fashion as to limit connectivity to the outside world to avoid increasing the attack surface of their network, says DeSot.
How to Secure the IoT
Scott lays out several aspects of sensible IoT security:
- Purchase IoT devices that incorporate security-by-design according to NIST 800-160 and that are capable of hosting a native security layer
- Know what devices are on the network and know the roles, functionalities, capabilities, restrictions, and vulnerabilities of those devices
- Limit the number of IoT devices and the number of remotely accessible devices
- Harden all default settings to correspond to cybersecurity best practices
- Institute layered defenses that monitor, regulate, and react to traffic passed between IoT devices in real time. Artificial Intelligence (AI) and Machine Learning (ML) solutions are examples of layered defenses that can detect anomalous activity or traffic and immediately segregate the potentially compromised device while also notifying personnel to the issue
- Actively monitor and critically assess the IoT microcosm according to the risk appetite of the organization, information shared through trusted networks pertaining to threats and device vulnerabilities, and the current threat landscape.
“Change the default username and password on devices, segregate them from other parts of the network, and disable unneeded services to lessen the attack surface and prevent them acting as a pivot point to be used in attacks against other parts of the network,” recommends DeSot.
These safeguards and best practices are not just good ideas. They are already an essential aspect of enterprise security.
The problem is that few IT departments have realized it to date, which leaves them vulnerable to being blindsided by a new threat vector for which they are badly unprepared.
“History is repeating itself, and the problem we had with Trojaned end-user PCs will look like child’s play” in comparison to the problems and damage IoT security attacks will create, says Byrnes.