Twitter: @SecurityMonahan
Everything is smart these days, and that needs to include security
In one form or another, the Internet of Things (IoT) has been around since the 1950s. It started out as electromechanical remote monitoring and control for large-scale systems. Those electromechanical systems evolved into electronic systems, which were then connected to wired private networks and then to the Internet.
It took two things for the IoT to explode onto the scene and become the phenomenon it is now. The first was wireless communications, which gave the devices the freedom to be anywhere and do anything. The second was high-density commodity computing power: small integrated circuits capable of driving a wide array of sensors, delivering both the processing power and the storage to collect and keep all of that data. All of these trends benefited from advances in networking, data centers and the cloud to transport and store this new data, and better decisions can be made thanks to significant advances in data analytics for processing it.
That convergence of technology created capabilities for managing lifestyles and environments as never before. The boom in smart home monitoring systems is a prime example. Today it is nearly an $80B industry with no end in sight to its growth.[1] So, clearly, success isn’t an issue, but security is.
Why are IoT devices so insecure?
Insecurity may sound ironic, since the primary purpose of home monitoring systems is, of course, security. These systems are no different from other home automation systems such as thermostats, DVRs and refrigerators. The electronics are still evolving, but most are built with cost savings in mind. As a result, embedded security is minimal to nonexistent. Remember the Mirai botnet and its Distributed Denial of Service (DDoS) attack? Hackers used default passwords on security cameras and other home devices[2] to gain access, escalate privilege and take administrator control.[3]
Smart electrical grids are getting zapped
Another IoT area growing at a breakneck pace is smart electrical grids. Power companies are investing billions of dollars to deploy remotely viewable and manageable electrical grid components.[4] Smart meters are especially hot items, as they reduce the need for meter readers because usage can be tracked online or collected by drive-by reading. Other components such as transformers, capacitors and relays can also be monitored remotely for operational efficiency, for indicators of problems, or for proactive maintenance. Whether a reported increase in breaches[5] can be directly attributed to the increase in IoT is arguable, but surely there is a relationship, since the greater presence of remotely accessible equipment increases the attack surface of the grid.
Industrial IoT security isn’t industrial-strength
Industrial control systems (ICSs) are also a major target for cyberattackers. These systems monitor and control the operations of industrial processes across a myriad of industries, from automotive manufacturers and steel mills to transportation fleets, utilities and food processors. They can manage virtually any process in a plant, including assembly, product conveyance, oven cook times, component mixing and many others. Once again, as these systems are exposed to the Internet, they become hacking targets. For example, the Petya attacks on operational technology (OT) systems in June 2017 caused Maersk shipping to halt for two days, costing the company an estimated $300 million.[6]
What all of these IoT systems have in common is the need for far better, built-in internal security and control. Virtually all of these devices can be exploited by either an attack on identity or an attack on a code vulnerability.
So, where do we go from here?
Clearly, both manufacturers and operators using OT equipment need to be more committed to protecting embedded devices. The first priority is to gain visibility into what is connected to the network. Next, mitigation strategies should be put in place to isolate communications to and from these devices. With most OT equipment the overriding concern is to “do no harm,” so passive techniques should be used to monitor the network and confirm that devices perform as they should. Then, for those select devices that can tolerate more active security, stronger control techniques can be applied. For example, the principle of least privilege (dynamic network segmentation) should be applied to reduce the attack surface, because a device that can’t be reached can’t be compromised, and even compromised devices in a properly segmented network can be contained. Equally important is policy-driven enforcement for connections and communications, which lets network administrators monitor IoT and other devices for communications that are out of the ordinary. Most control systems have a very limited need for communication, and when an attack happens it deviates from the normal pattern of operation. Anything outside that pattern can and should be isolated and investigated quickly.
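The baseline-then-enforce approach described above, as an added example that is not part of the original article: flows seen passively during a learning window become each device's allowlist (rendered as least-privilege segmentation rules with a default deny), and later flows outside that allowlist are flagged for isolation and investigation. All device names, addresses and flows are constructed samples.

```python
# Added illustration (not from the original article): flows observed passively
# during a learning window become each device's allowlist; later flows outside
# it are flagged for isolation and review. All names and flows are constructed.
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str

# Constructed: flows seen passively while the plant ran normally.
LEARNING_FLOWS = [
    Flow("plc-01", "hmi-01", 502, "tcp"),      # Modbus/TCP polling
    Flow("plc-01", "historian", 502, "tcp"),
    Flow("cam-07", "nvr-01", 554, "tcp"),      # RTSP video to the recorder
    Flow("meter-12", "headend", 443, "tcp"),   # smart-meter reporting
]

# Constructed: flows seen after the learning window closed.
LIVE_FLOWS = [
    Flow("plc-01", "hmi-01", 502, "tcp"),
    Flow("cam-07", "nvr-01", 554, "tcp"),
    Flow("cam-07", "203.0.113.9", 23, "tcp"),  # camera opening outbound telnet
    Flow("meter-12", "plc-01", 502, "tcp"),    # meter talking to a PLC
]

def build_baseline(flows):
    """Map each source device to the set of (dst, dport, proto) it normally uses."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport, f.proto))
    return dict(baseline)

def find_deviations(baseline, flows):
    """Return flows not covered by the baseline; a never-seen source is a deviation too."""
    return [f for f in flows if (f.dst, f.dport, f.proto) not in baseline.get(f.src, set())]

def segmentation_rules(baseline):
    """Render the baseline as explicit allow rules with a default deny per device."""
    rules = []
    for src, peers in sorted(baseline.items()):
        rules += [f"allow {src} -> {d} {p}/{port}" for d, port, p in sorted(peers)]
        rules.append(f"deny {src} -> any")
    return rules

if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    print("\n".join(segmentation_rules(base)))
    for f in find_deviations(base, LIVE_FLOWS):
        print(f"DEVIATION: isolate and investigate {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

In practice the learning window must be long enough to cover rare but legitimate traffic (maintenance sessions, firmware checks), or those flows will surface as deviations the first time they recur.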
IoT expansion is a good thing. But as with any new trend or form of technology, it increases our need for diligence in security.
[1] Frost & Sullivan report, “Investing in Financial Technology & Consumer Digital Technology Companies,” p. 7
[2] http://www.securityweek.com/mirai-botnet-infects-devices-164-countries
[3] http://www.welivesecurity.com/2016/10/24/webcam-firm-recalls-hackable-devices-mighty-mirai-botnet-attack/
[4] https://energy.gov/oe/information-center/recovery-act-smart-grid-investment-grant-sgig-program
[5] http://money.cnn.com/2014/11/18/technology/security/energy-grid-hack/
[6] https://www.cnbc.com/2017/08/16/maersk-says-notpetya-cyberattack-could-cost-300-million.html