June 01, 2020 // Tony Howlett
The internet of things, or IoT, is growing faster than a weed in the summertime. This catch-all name covers everything from your front door security cameras to factory floor control devices, often called the industrial internet of things (IIoT). As this technology expands and everything becomes networked, from our toasters to our gas pipelines, we are going to see more and more of these types of devices on both our home and work networks. And while it is creepy and annoying if a hacker takes over your home camera network or internet-connected refrigerator, if this happens at work, the results can be disastrous for your company.
With servers being closely monitored and desktops being patched on a more regular basis, hackers are finding it more difficult to gain a foothold in corporate networks. IoT devices, however, are often much more vulnerable to attack than general-purpose computers, so they make an enticing target for hackers. Sometimes the IoT devices themselves are the targets, especially if they are IIoT devices on mission-critical infrastructure.
One casino’s payment systems were hacked after an IoT device used to maintain a large fish tank was exploited and used as a beachhead into its guest registration network. And, we can’t forget the giant breach at Target years ago, in which its credit card payment systems were hacked and more than 40 million customer credit card records were stolen after a lowly HVAC control system was exploited in a similar way. These devices, while bringing great convenience to our personal lives and efficiencies and cost savings to our businesses, can be a source of great insecurity as well. But they can be tamed: IoT devices need not bring greater risk to our systems and networks if we just practice the same level of security and controls we do with our non-IoT systems. The following is an analysis of some of the issues and best practices to deal with them.
IoT devices’ relative cyber weakness is due to several factors. First, IoT devices often have specialized operating systems. Unlike desktop or server OSes, these systems are less widely supported and not as well understood by security professionals and the IT world at large. This means security flaws will be found less frequently and the patches for those vulnerabilities will be offered less often—sometimes not at all. And even when patches are available for IoT devices, they may not be installed in a timely manner. There is no “Patch Wednesday” for IoT devices, and unless someone carefully follows the vendor’s advisories, they may not be aware a patch exists at all. And even if a company’s security staff is aware their devices need patching, management might not be in a hurry to do it; if it requires taking key production equipment offline, that can cause pushback on update windows. Updates for IoT devices are often trumped by the steady need for patches on mainstream devices. So this can cause a dangerous stew of conditions, with IoT devices being ripe for exploitation by anyone who comes onto the network, including your third-party vendors.
Your first line of defense when it comes to IoT security should be strict network segmentation. You should already be doing this for desktop and server networks and for development/testing and production environments. Adding protected VLANs to segregate IoT networks from other network elements shouldn’t be too difficult. And you might consider going beyond VLANs and putting in actual firewalls and other logical protections as well. You might even consider physical air gaps between these networks if they’re sensitive enough. Depending on the device, you can also block it from connecting to the outside world, or only allow that during specific time windows for maintenance and patching.
You should also practice the principle of granular least privilege for users needing to connect to such devices, especially outside vendors. Don’t give your vendors VPN connections to your networks. Allowing them broad-spectrum VPN access can let them roam around your network, looking at other hosts, which often includes IoT devices, some of which you may not even be aware of. IoT is terrible for the “rogue IT” problem; that is, devices and services on a network that aren’t controlled or even inventoried by IT. At least if your vendors are walled off from full network access, they can’t find your IoT devices.
As mentioned earlier, patches for IoT devices are often hard to come by and even more difficult to install. However, that doesn’t mean you shouldn’t be looking for them and planning maintenance windows to put them in place. Keeping an inventory of your IoT devices right alongside your traditional IT inventories is a must in this IoT age. A good rule of thumb is that anything with an IP address should be in there. Document the web pages to go to for patches for each device and subscribe to any mailing lists that might alert you when a patch is available. And then get those patches in there, even if there is pushback from operations. The more mission-critical the device is, the more important it is that it be up to date on security patches. Otherwise, it could bring an outage or, even worse, a ransomware attack that takes the whole operation offline.
Along with adding your IoT network to your vulnerability management program, you need to incorporate it into any monitoring and auditing regimens, especially for any traffic that is going out to third-party sites such as cloud or SaaS vendors. You may be unaware of all the data leaving your network from IoT sources, bound for vendor-controlled networks. This is especially important when it comes to privacy laws and understanding your obligations for that data, even though it might not be controlled directly by you. Here, you might consider an integrated Vendor Management System that supports reporting on these kinds of metrics. It can provide a single source of truth for all vendor-related activities, including IoT. Having a single pane of glass for third-party activity can really help you get a handle on what is going on and give you an early warning when a potential problem is developing on your IoT networks. Being able to react before or during an event, rather than after it, can help keep it from becoming an incident.
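As an added illustration of the segmentation and outbound-monitoring points above (example code, not the article's own tooling), the following Python checks constructed flow log lines from an assumed IoT VLAN against an assumed inventory, vendor allow-list and maintenance window. It flags uninventoried devices, flows that cross into the corporate segment, data leaving for unknown external hosts, and vendor traffic outside the patching window.

```python
# Added example (not from the article): audit constructed IoT flow records against
# a segmentation policy. Segment, inventory, vendor hosts, window and logs are assumed.
from datetime import datetime, time
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("10.50.0.0/24")    # assumed IoT segment
CORP_NET = ip_network("10.0.0.0/8")      # assumed corporate address space
MAINT_START, MAINT_END = time(2, 0), time(4, 0)   # vendor/patch traffic allowed only here
# Assumed inventory: IoT address -> (name, external vendor hosts it may reach)
INVENTORY = {
    "10.50.0.21": ("hvac-ctl-1", {"203.0.113.10"}),
    "10.50.0.33": ("fishtank-sensor", {"198.51.100.5"}),
}

def audit(lines):
    """Return (device, dst, reason) for each IoT-originated flow that breaks policy.
    Constructed flow format: '<iso-timestamp> <src-ip> <dst-ip>'."""
    findings = []
    for line in lines:
        ts, src, dst = line.split()
        ts = datetime.fromisoformat(ts)
        if ip_address(src) not in IOT_VLAN:   # only IoT sources are in scope here
            continue
        if src not in INVENTORY:              # rogue device: nothing known about it
            findings.append((src, dst, "uninventoried IoT device"))
            continue
        name, vendor_hosts = INVENTORY[src]
        d = ip_address(dst)
        if d in IOT_VLAN:                     # intra-segment traffic is expected
            continue
        if d in CORP_NET:                     # crossed the segmentation boundary
            findings.append((name, dst, "IoT to corporate segment"))
        elif dst not in vendor_hosts:         # data leaving to an unknown third party
            findings.append((name, dst, "unknown external destination"))
        elif not (MAINT_START <= ts.time() < MAINT_END):
            findings.append((name, dst, "vendor traffic outside maintenance window"))
    return findings

SAMPLE_FLOWS = [  # constructed log lines
    "2020-06-01T02:30:00 10.50.0.21 203.0.113.10",  # vendor host, in window: ok
    "2020-06-01T14:05:00 10.50.0.21 203.0.113.10",  # vendor host, outside window
    "2020-06-01T14:06:00 10.50.0.33 10.10.1.5",     # reaches into the corporate LAN
    "2020-06-01T14:07:00 10.50.0.33 192.0.2.77",    # external host not on the allow-list
    "2020-06-01T14:08:00 10.50.0.99 198.51.100.5",  # device missing from the inventory
    "2020-06-01T14:09:00 10.50.0.21 10.50.0.33",    # intra-IoT: ok
    "2020-06-01T14:10:00 10.10.1.5 10.50.0.21",     # corporate source: out of scope
]
```

Running `audit(SAMPLE_FLOWS)` returns four findings; the same loop can be pointed at exported firewall or NetFlow records once the inventory and allow-list are filled in from your own asset register.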
The emerging IoT and IIoT worlds can seem scary and threatening given their rapid growth and all of the breach headlines. But a hyper-connected world is the future and not likely to go away anytime soon. To get a handle on it, treat IoT and IIoT the same as any other service or device on your network and they become more manageable. They need the same controls and diligence you would give to a server or workstation on your network. Once you do that, your IoT problems can become IoT solutions.