Securing the IoT – a CYA Guide for CIOs
On Friday, October 21, 2016, web services all but stopped for a time for customers of Dyn, a cloud-based Internet Performance Management (IPM) company based in Manchester, NH. For hours, Dyn, whose platform is designed to improve the operation of web services (both applications and infrastructure) for its clientele, and its customers were targeted with one of the most complex distributed denial of service (DDoS) attacks the internet generation has ever seen. And while Dyn and its targeted customers, which include six of the top 10 entertainment companies in the Fortune 500, struggled to figure out what was happening to them and how to stop it, a series of similar attacks occurred in other regions: South Korea, India, Spain, Brazil and the U.K. also experienced major outages that Friday.
The attacks used internet of things (IoT) connected devices, such as “smart” appliances and other internet-connected devices commonly found in businesses or homes like DVRs, routers, printers, vending machines and cameras, as soldiers to carry out the attack. To do so, these hacked IoT devices were formed into “botnets” that overloaded websites by sending them more than 150,000 requests for information per second. While the identity of the attackers is not known at this time, similar attacks have happened before.
About a month before the Dyn attack, on September 19, a security news site went dark for more than a day following what was believed to be a record 620 gigabit-per-second denial of service attack from routers, security cameras, or other Internet of Things devices. And shortly after, a similar attack on a French Web host peaked at a staggering 1.1 terabits-per-second. And while these attacks are often nothing more than cyber-vandalism, the recent 2015 Presidential campaign and election, and comments by a Presidential candidate on Russian hacking, have led to speculation of State-sponsored activity. Back in 2008, the Russian intelligence agency known as the FSB enlisted Russian cybercriminals to mount a similar cyberattack on the Republic of Georgia in a prolific example of State-sponsored cyber warfare. Eight years later, there are far more devices hooked up to the internet and available to be used in botnets for DDoS attacks, making events like the one experienced by Dyn the new norm.
The internet of things has led us to a point in time where the pure number and types of devices connected make it nearly impossible to know if networks are secure. Just a week before the Dyn attack, the US Computer Emergency Readiness Team (CERT) warned of the dangers of DDoS attacks powered by botnets made of IoT devices. But that’s not the first warning. Security experts have warned of the potential risk of large numbers of unsecured devices connecting to the Internet since the IoT concept was first proposed in the late 1990s.
But it wasn’t until December of 2013 that a researcher at Proofpoint, an enterprise security firm, discovered the first IoT botnet. According to Proofpoint, while the majority of the botnet was made up of unsecured computers, more than 25 percent of the botnet was made up of devices other than PCs or servers, including baby monitors, smart TVs and other connected devices.
The rise of heterogeneous networks in IoT with multiple manufacturers, operating systems, firmware versions, and application types makes traditional device management virtually obsolete. And the lack of unified standards does nothing to help the problem. What’s more, most security approaches appear reactionary and consistent with ones taken for the PC-Server era in the early 1990s.
For end-user controlled devices, it’s not easy to know if routers, DVRs, and other Internet-connected devices are infected. Most come with only a minimal control panel, and it’s not possible to use antivirus software to scan them for infections. And consumers or enterprises may have a mix of devices that are controlled by the hardware OEM. For a consumer it could be a connected car or major appliance. And for the enterprise, it could be something like an elevator or industrial pump being monitored.
Depending on the type of attack being carried out, devices may show no sign they’re taking part in a crippling DDoS attack. And all the end users can do is change default passwords or “pull the plug” on the devices. Of course, an unplugged router or modem won’t be of any use either. With no easy remedy for the growing epidemic of infected devices, people should be prepared for attacks that have the ability to disrupt ever bigger swaths of the Internet. And just like the energy crunch caused by deregulation in the early 2000s crippled California ISPs and datacenters, IoT-based attacks could cause brownouts or blackouts where a DDoS is focused on a data center or ISP with so much traffic that it takes down an entire region.
What Can Be Done?
The first step to solving any problem is admitting there’s a problem. And for several years, one of the most widely debated topics at IoT conferences has been the subject of security. Admission. Hallelujah! So that means we’re moving down the path to solving the problem, right?
Not so fast.
The main problem with security of IoT is the very components that make up IoT – the devices, the networks, and the applications, in addition to the sensors and embedded subsystems. While everyone agrees that security is a must, there is less consensus on how best to implement security in IoT at the device, network, and system levels.
Network firewalls and protocols can secure and manage the high-level traffic moving through the Internet, but how do we protect embedded endpoint devices that usually have very specific, defined missions and limited processing power?
While there is no “silver bullet” that can effectively mitigate every possible cyberthreat, layering security at every level is the key to maintaining a secure environment.
So what are the steps to take?
Complete a network audit. IoT is where Information Technologies meet Operational Technologies.
- Do you know how many devices are accessing your network?
- Who are the manufacturers?
- What operating system do they use?
- What does the network look like?
- What are the LAN components?
- What are the WAN components?
- Who are the service providers?
- Do you have any short range or PAN components accessing the network or Internet?
- What sensors and gateways exist?
- What are the applications running?
- What applications are in development?
- How do they interact with cloud services?
- How do connected devices connect to back-end systems?
Document everything and create a schematic so you have both a physical and a logical view of the network.
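The first step of the audit, knowing how many devices are on the network and who made them, can be started from records the network already produces. The following is an added example, not part of the original paper: it parses a constructed set of DHCP-lease-style records, attributes each MAC address to a manufacturer through a small hand-written OUI table (an assumption; a real audit would resolve prefixes against the IEEE OUI registry), and lists devices that cannot be attributed so they can be followed up on.

```python
"""Build a first-pass device inventory for an IoT network audit.

Added example, not from the original paper. The lease records and the
OUI-to-vendor table below are constructed for illustration; the vendor
prefixes are hypothetical, not real IEEE assignments.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: "ip mac hostname" lines, as a DHCP server might log them.
# The last line has no hostname, which is common for headless IoT gear.
SAMPLE_LEASES = """\
10.0.10.21 00:12:34:aa:bb:01 cam-lobby
10.0.10.22 00:12:34:aa:bb:02 cam-dock
10.0.20.5  00:50:c2:11:22:33 hvac-ctl-1
10.0.30.40 a4:5e:60:de:ad:01 printer-3f
10.0.30.41 de:ad:be:ef:00:01 unknown-device
10.0.30.42 de:ad:be:ef:00:02
"""

# Constructed OUI (first three octets) -> vendor table; hypothetical values.
OUI_VENDORS = {
    "00:12:34": "ExampleCam Ltd",
    "00:50:c2": "ExampleHVAC Inc",
    "a4:5e:60": "ExamplePrint Co",
}


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str
    vendor: str  # "UNKNOWN" when the OUI prefix is not in the table


def parse_leases(text):
    """Turn lease lines into Device records, attributing each MAC to a vendor."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed line
        ip, mac = parts[0], parts[1].lower()
        hostname = parts[2] if len(parts) > 2 else "<no hostname>"
        vendor = OUI_VENDORS.get(mac[:8], "UNKNOWN")  # "aa:bb:cc" is 8 chars
        devices.append(Device(ip, mac, hostname, vendor))
    return devices


def vendor_summary(devices):
    """Answer 'who are the manufacturers?' as a count per vendor."""
    return Counter(d.vendor for d in devices)


def unattributed(devices):
    """Devices the audit cannot attribute; each needs a manual follow-up."""
    return [d for d in devices if d.vendor == "UNKNOWN"]


if __name__ == "__main__":
    inventory = parse_leases(SAMPLE_LEASES)
    print(f"{len(inventory)} devices seen")
    for vendor, n in vendor_summary(inventory).most_common():
        print(f"{n:3d}  {vendor}")
    for d in unattributed(inventory):
        print("needs follow-up:", d.ip, d.mac, d.hostname)
```

The unattributed list is the useful output: every device on it is something the organization cannot currently name, and the audit is not complete until each one is either identified and documented in the schematic or removed from the network.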
Next, do a risk assessment.
Assess the vulnerabilities of each IoT element. Aside from the endpoints themselves, consider the implications of the networks and service providers involved in the solution. Are you using the correct and most secure protocols? What about the security of the applications, databases and third-party cloud systems with which your solution may interact?
Diagram information flows, determine worst-case scenarios and determine the value of the data from individual IoT devices. It’s important to gauge both the value and the sensitivity of data that IoT devices generate and communicate. What happens if an IoT device fails or is compromised? Can IoT devices and data be isolated? Is there liability or exposure? In these instances, parallel networks may be the best option. For example, HVAC sensors and systems should be separated from your firm’s core IT networks and applications. You want to minimize outside exposure to your “crown jewel” databases.
Secure the connected devices, the network, and the information whether it is in motion or at rest.
While traditional IT security solutions deal primarily with protecting sensitive information from misuse, theft, or corruption, securing information from hundreds or thousands of innocuous endpoints may not make the security director’s top 10 list. Because sensor data may have little value by itself, IT staff may see little need for security protections.
But the value of the sensor data is in the eye of the beholder. It could be a sensor for a high-value asset. Or, if aggregated with thousands of other sensors, it may be a new revenue stream. It is vital to protect all data using existing available controls, such as data encryption, network monitoring and SIEM solutions, intrusion detection or prevention systems, firewalls, and the like.
In addition to securing the data at the device level, this data needs to be protected both in motion and at rest. Best practices in network and cloud management need to be followed. The use of VPNs and encrypted links may be necessary. Additionally, cloud services must be routinely audited and patched to ensure integrity.
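Two of the controls above, the isolation of OT segments from the core IT network recommended in the risk assessment (HVAC separated from the “crown jewel” databases) and the network monitoring recommended here, can both be checked against the same flow records. The following is an added example, not part of the original paper: it assigns addresses to zones by subnet, flags flows that cross zone boundaries the policy does not allow, and flags devices whose outbound packet rate to the internet exceeds a threshold, which is the kind of network-side signal that can reveal a device taking part in a DDoS even when the device itself shows no sign. The zone subnets, the allowed-zone matrix, the threshold and the flow records are all constructed assumptions.

```python
"""Check IoT segmentation policy and outbound traffic rates from flow records.

Added example, not from the original paper. Zones, the allowed-flow matrix,
the threshold and the sample flows are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed zone plan: each IoT class on its own subnet, core IT separate.
ZONES = {
    "cameras": ipaddress.ip_network("10.0.10.0/24"),
    "hvac": ipaddress.ip_network("10.0.20.0/24"),
    "core-it": ipaddress.ip_network("10.0.30.0/24"),
    "ot-gateway": ipaddress.ip_network("10.0.40.0/24"),
}

# Constructed policy: sensors talk only to the OT gateway, the gateway talks
# to core IT, and only core IT talks to the internet. Anything else is a gap.
ALLOWED = {
    ("hvac", "ot-gateway"),
    ("cameras", "ot-gateway"),
    ("ot-gateway", "core-it"),
    ("core-it", "core-it"),
    ("core-it", "internet"),
}

# Constructed flow records: "timestamp src dst dst_port packets".
SAMPLE_FLOWS = """\
2016-10-21T11:10:00 10.0.20.5   10.0.40.2    8883 12    # hvac -> gateway (ok)
2016-10-21T11:10:01 10.0.20.5   10.0.30.10   1433 3     # hvac -> core DB (gap)
2016-10-21T11:10:02 10.0.10.21  203.0.113.7  53   900   # camera -> internet
2016-10-21T11:10:02 10.0.10.21  203.0.113.7  53   950   # camera -> internet
2016-10-21T11:10:03 10.0.30.10  203.0.113.9  443  4     # core -> internet (ok)
"""


def zone_of(ip):
    """Name the zone an address belongs to; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ts, src, dst, port, pkts = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "packets": int(pkts)})
    return flows


def segmentation_violations(flows):
    """Flows whose (source zone, destination zone) pair the policy does not allow."""
    found = []
    for f in flows:
        pair = (zone_of(f["src"]), zone_of(f["dst"]))
        if pair not in ALLOWED:
            found.append((f["ts"], f["src"], f["dst"], f["port"], pair))
    return found


def outbound_rate_alerts(flows, threshold_pps=500):
    """Sources sending more than threshold_pps packets to the internet in one second."""
    per_second = defaultdict(int)
    for f in flows:
        if zone_of(f["dst"]) == "internet":
            per_second[(f["src"], f["ts"])] += f["packets"]
    return sorted((src, ts, n) for (src, ts), n in per_second.items()
                  if n > threshold_pps)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for v in segmentation_violations(flows):
        print("segmentation gap:", *v)
    for src, ts, n in outbound_rate_alerts(flows):
        print(f"rate alert: {src} sent {n} packets to the internet at {ts}")
```

The two checks answer different questions from the risk assessment: a segmentation violation means a parallel network is not actually parallel, and a rate alert on a device class that should never reach the internet at all is a device to pull from the network and re-image, not a device to ignore because its own data seemed low-value.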
Beyond data protection, IoT deployments introduce the need to consider device-related risks because of how they interact in new ways with the physical world. Could a compromised device impact critical infrastructure? As a result, operational security threats, as well as information security concerns must be thought through and addressed.
Finally, align IoT strategy and security
Over the past decade or so, organizations of all sizes have realized that business strategies and IT strategies must be tightly aligned. And nowhere is it more important than when it comes to IoT initiatives. IoT is the most transformative shift in history. Sometimes called the 4th Industrial Revolution, IoT strategies involve collaboration between IT and business units.
The effectiveness of an IoT deployment can be undermined if your organization doesn’t have complete buy-in and support from the top down. And regardless of management desires, IoT initiatives can be at risk if the organization isn’t fully engaged in the effort from the bottom up.
Best practice – Testing Software for Security Vulnerabilities before Deployment
Depending on one’s perspective or one’s place in the IoT ecosystem, security is network-, system-, or desktop/endpoint-device-centric. Most security vendors as well as IT professionals approach security as a during-deployment or post-deployment practice. It’s almost like a band-aid or sunblock: apply liberally once the pain begins.
But if you look at things from the perspective that the Device, Network, and Application are all equal, and build solutions with a secure solution as the goal, addressing vulnerabilities before exploitation becomes critical.
But testing takes time and adds cost to any project. The high-level benefits of security testing are relatively easy to understand from a technical and project management perspective. Testing can validate a system’s conformance to pre-defined security requirements and identify potential security vulnerabilities within the system.
However, obtaining the real cost benefit or ROI of security test activities is a difficult task. Instead of seeking a hard ROI on testing, organizations need to look at a combination of business benefits that are difficult to measure, until a security failure occurs.
These benefits include reduced project costs, organizational reputation or brand protection, reduced litigation expenses, or regulatory requirement compliance. And identifying and addressing software security vulnerabilities before product deployment assists in accomplishing these business goals.
The final word.
The concept of the Internet of Things is relatively new. And because the idea of networking cars, cameras, appliances and other objects is foreign to most device manufacturers, security has not always been considered in product design. What’s more, because the new connected devices include a completely new component – the network – OEMs can get confused and overwhelmed, hope for a secure network, or, even worse, believe most networks are secure because of industry standards.
So IoT products are often sold with old and unpatched embedded operating systems, software and applications that need an update and that are riding on unsecured networks.
Even worse, purchasers often fail to change the default passwords on smart devices, allowing hackers to exploit multiple devices at once.
While a layered approach to IoT security is essential to dealing with today’s unique and changing threat landscape, what we’re all waiting for is a changing of the guard. Perhaps one day soon we’ll see new and automated solutions for security which are preventative and proactive in nature that move beyond the band-aid.
Until then, enterprises and service providers alike can use the framework provided in this paper as a best practices guide to security.
- Complete a network audit.
- Do a risk assessment.
- Secure the connected devices, the network, and the information whether it is in motion or at rest.
- Align IoT strategy and security.
- Test software for security vulnerabilities before deployment.
Any of these tasks can be done at any time. And like the shampoo bottle says, “rinse and repeat”: these, too, should be done again and again. And while there may never be a security nirvana, remember this equation.
Best Efforts + Best Practices > Best Intentions. It’s in your Best Interest.