The Internet of Things (IoT) has given us a plethora of exciting and helpful computer-driven devices. But the state of IoT security remains a dumpster fire. As these devices appear in the workplace, businesses are often failing to consider the impact these poorly secured devices have on their carefully crafted cybersecurity programs. Every one of these devices represents a new attack surface for a cyber-attacker to exploit.
What kind of devices am I talking about? Smart TVs, conference room displays, whiteboards, and projection systems are often network-connected these days. Electronic door locks, thermostats, sensors of all kinds, computer-attached web cameras, and surveillance systems are also routinely attached to the network. Some IoT devices are showing up on the factory floor, and industrial control systems that used to be isolated, stand-alone systems are often connected to the network to provide for remote management. Even network printers, as they become smarter and more powerful, are sporting some sort of Linux-based operating system and lots of processor, memory, and storage. These printers are often devoid of any real security, and provide a pivot point for a network attacker.
In a recent report, titled “Benefits and Challenges of IoT in Business,” cybersecurity firm Kaspersky revealed that:
- “The use of IoT is already widespread across a range of business industries: 61% of organizations are currently using IoT platforms in their business.
- IoT use is even higher in the IT and telecoms industry (71%) and finance (68%)
- The growing rate of IoT increases the business need for data protection and prevention from cyber-incidents. In the first half of 2019, Kaspersky researchers detected 105 million attacks on IoT devices through honeypots.
- Nearly three-in-ten (28%) companies using IoT platforms experienced incidents involving non-computing connected devices in the last year.
- The reliability of suppliers is no less important, with more than a third (36%) of companies giving third parties access to their IoT platforms.”
Considering the mounting number of attacks leveraging IoT and other connected non-computer devices, it is easy to see the importance of modifying the cybersecurity program to secure and account for these devices. Fortunately, there is help from the Industrial Internet Consortium. The IIC has published the Industrial Internet Security Framework Technical Report. “This document is the first version of the ‘Industrial Internet of Things, Volume G4: Security Framework’ (IISF). It initiates a process to create broad industry consensus on how to secure Industrial Internet of Things (IIoT) systems.” It provides guidance and a security framework that addresses the issue of IoT, ICS, and SCADA systems.
There are issues that need to be addressed in any business-use IoT deployment.
- Assessing IoT security – Some IoT devices have security certifications that describe the level of security built into the device. Make sure your certified devices meet the security level you need. Stay away from uncertified devices.
- Security built in by design – Any devices attaching to your business network need to be built with security in mind. You may want to add these devices to a segregated network segment or VLAN to quarantine them from your business network.
- Configuration issues – Change all default administrator and user accounts on these devices, and disable remote access, especially insecure access methods like RDP and Telnet.
- Include IoT in network traffic analysis – If you are performing network analysis or using a SIEM, be sure to include the IoT devices. Look for unusual traffic, especially outbound traffic to an attacker’s command-and-control (C2) server, and any traffic after hours. Cyber attackers are often in a different time zone, and work at times when your business is closed.
- Include IoT devices in vulnerability assessments – Often software-based vulnerability assessments, security audits, and risk analysis sessions exclude or overlook IoT devices. Include IoT in future assessments, since they represent a larger risk of compromise than traditional computer systems.
- Update software and firmware – Patching these devices is sure to be more challenging because at this point it is almost entirely a manual process. But keeping IoT devices up to date is an important part of overall network security.
- Third-party and vendor access – Certainly you are keeping an access list of third parties, vendors, and contractors who access your network. Be sure to include third-party access to IoT devices in the list.
- Read threat intelligence sources – Make sure security information about your deployed devices is reaching your inbox. A good list of threat intelligence and cybersecurity resources that I find useful was covered in an earlier article.
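As an added example (not from the original article or any vendor tool), the traffic-analysis and remote-access points in the list above can be turned into a simple review of flow records. The IoT subnet, business hours, allowlisted destinations, and sample flows below are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): IoT devices sit on their own segment,
# business hours are 07:00-19:00 local time, and the only legitimate external
# destinations for these devices are a vendor cloud host and an NTP server.
IOT_NET = ip_network("10.20.0.0/24")
INTERNAL = ip_network("10.0.0.0/8")
BUSINESS_HOURS = (time(7, 0), time(19, 0))
ALLOWED_DST = {ip_address("192.0.2.10"), ip_address("192.0.2.53")}
REMOTE_ADMIN_PORTS = {23: "telnet", 3389: "rdp"}

# Constructed sample flow records: timestamp, src, dst, dst_port, bytes.
SAMPLE_FLOWS = """\
2024-03-04T10:15:00,10.20.0.14,192.0.2.10,443,5120
2024-03-05T02:41:00,10.20.0.14,203.0.113.77,8443,984211
2024-03-05T11:02:00,10.20.0.31,198.51.100.9,443,2048
2024-03-05T14:30:00,10.1.5.20,10.20.0.31,23,640
2024-03-05T03:10:00,10.20.0.40,192.0.2.10,443,7340032
2024-03-05T09:00:00,10.1.5.20,10.1.5.99,3389,4096
"""

def review_flows(text):
    """Return (timestamp, device, reasons) for each flow an analyst should review."""
    findings = []
    for ts, src, dst, port, _bytes in csv.reader(io.StringIO(text)):
        when = datetime.fromisoformat(ts)
        src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(port)
        reasons = []
        # Outbound traffic leaving the network from the IoT segment.
        if src_ip in IOT_NET and dst_ip not in INTERNAL:
            if dst_ip not in ALLOWED_DST:
                reasons.append("unknown-external-destination")
            if not (BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]):
                reasons.append("after-hours-outbound")
        # Telnet or RDP sessions opened to an IoT device.
        if dst_ip in IOT_NET and port in REMOTE_ADMIN_PORTS:
            reasons.append("insecure-remote-access:" + REMOTE_ADMIN_PORTS[port])
        if reasons:
            device = src if src_ip in IOT_NET else dst
            findings.append((ts, device, reasons))
    return findings

if __name__ == "__main__":
    for ts, device, reasons in review_flows(SAMPLE_FLOWS):
        print(ts, device, ", ".join(reasons))
```

A flow that trips both outbound checks, such as the 02:41 record, is the one to triage first; an after-hours transfer to an allowlisted host is lower priority but still worth a look.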
The use of smart devices in a business network requires extra consideration before deployment and during configuration, and additional oversight and vigilance when attached to a network. The security built into these devices has improved, but there is still a long way to go. Until then it is up to the cybersecurity professional to take the extra steps required to properly secure these systems.
- Kaspersky IoT in Business Report (PDF)
- Industrial Internet Consortium
- Industrial Internet Security Framework (PDF)
- WyzGuys – Trusted Sources for Threat Intelligence and Cybersecurity Information
- (ISC)2 Twin Cities Chapter