Asset availability and serviceability are critical to manufacturers, so when it comes to providing security for the Internet of Things (IoT)—that fast-growing array of monitoring and control devices connected via the web—one might assume the manufacturing and distribution (M&D) sector is outpacing everyone else. All too often, however, that’s not the case.
With more than 30 billion IoT devices expected to be in service by 2020—and as many as 75 billion by 2025—IoT security has become an urgent concern. Many manufacturers today find themselves struggling to provide adequate security for Internet-connected cameras, sensors, monitors and control devices.
In one recent survey by IoT security technology provider Great Bay Software, 42% of the IT security professionals polled said they expected IoT devices to pose a risk to their networks within the next year. At the same time, though, 43% said their companies had no current plans for accurately classifying all the IoT devices on their networks—a fundamental first step for any IoT security initiative.
IoT Devices’ Special Security Challenges
IoT devices present special security challenges because they differ from conventional computers in several important ways. They are highly specialized and usually small, both in physical size and computing capacity. They generally have relatively limited memory and processing power, and they are delivered in a basic, easy-to-use initial configuration that leaves any additional security up to the owner.
Nevertheless, IoT devices are genuine computers. Many run Windows-based embedded platforms or other widely used operating systems such as Linux, often in stripped-down builds. Their architecture and operating conventions are familiar to attackers, who have automated ways of finding and exploiting their vulnerabilities at scale. This is especially true if the underlying platform is older and no longer receives regular patches and security updates, or if it cannot be patched at all because of memory size or other restrictions, which often is the case with IoT devices.
The good news is that leading cybersecurity organizations are focusing considerable attention and resources on IoT security issues. For example, the National Institute of Standards and Technology (NIST) recently released updated IoT security guidance to complement its widely used NIST Cybersecurity Framework. Similarly, the SANS Institute offers a version of its Top 20 Critical Security Controls that is tailored to IoT issues.
Although tools such as these incorporate their own unique organizational structures and terminology, all such frameworks have some basic features in common. For example, virtually every sound cybersecurity defense strategy begins by addressing two fundamental concerns: visibility and control.
Visibility: The First Element of an Effective Defense
You can’t secure what you don’t know you have, so an effective IoT security strategy must begin with a comprehensive inventory of all networked assets. In addition to known and authorized devices, the inventory also must capture unauthorized or previously unmanaged devices, such as security cameras, monitors, machine sensors and other devices that have been plugged into the company’s network by employees or vendors without the IT department’s knowledge or participation.
These unauthorized devices usually are not installed with malicious intent, but they nonetheless are potential gateways and threat vectors for attackers. One of the largest retail data breaches on record began with network access that had been granted to the victim's HVAC vendor: attackers used the vendor's stolen credentials to reach the corporate network and, from there, moved to systems that handled payment data. The lesson is that a device or vendor connection that nobody in IT is tracking is still a route into the network.
In an M&D environment, identifying seemingly innocuous devices generally requires either a physical inspection of facilities or the use of network profiling technology that can scan systems to detect and identify devices. Good asset management practices dictate that all such inventories also should be validated through ongoing and sustainable processes.
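The reconciliation step described above, as an added example that is not part of the original article: scan results are classified by the services each device exposes, then compared with the asset register so that unmanaged devices and stale register entries surface for review. The scan output, the register and the MAC addresses are constructed; the port-to-protocol mappings are real well-known ports, while the class labels and the `Device`, `classify`, `reconcile` and `report` names are this example's own.

```python
"""Inventory reconciliation for networked devices.

Added example; not code from the original article. The scan results and the
asset register below are constructed. Devices are classified by the services
they expose (real well-known ports); the class names are this example's own.
"""
from dataclasses import dataclass

# Well-known service ports that strongly indicate a device class.
# First match in this order wins, so a PLC that also serves a web UI is still
# reported as a controller rather than as a generic web host.
PORT_SIGNATURES = [
    (502,   "plc-controller"),       # Modbus/TCP
    (47808, "building-automation"),  # BACnet/IP (UDP 47808), e.g. HVAC controllers
    (554,   "ip-camera"),            # RTSP video streaming
    (9100,  "printer"),              # raw print (JetDirect)
    (3389,  "windows-host"),         # RDP
]


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str
    open_ports: frozenset = frozenset()   # TCP and UDP ports the scanner found open


def classify(dev):
    """Return the device class implied by exposed services, or 'unknown'."""
    for port, label in PORT_SIGNATURES:
        if port in dev.open_ports:
            return label
    return "unknown"


def reconcile(observed, register):
    """Compare scan results with the asset register (MAC -> owning business unit).

    Returns (unmanaged, stale): devices on the wire that nobody has claimed, and
    register entries that the scan did not see (possibly retired or moved).
    Matching is on the MAC address so a device re-addressed by DHCP still matches.
    """
    register = {mac.lower(): owner for mac, owner in register.items()}
    seen = {d.mac.lower() for d in observed}
    unmanaged = [d for d in observed if d.mac.lower() not in register]
    stale = sorted(set(register) - seen)
    return unmanaged, stale


def report(observed, register):
    """One line per finding, with the inferred class, for the review queue."""
    unmanaged, stale = reconcile(observed, register)
    lines = [f"UNMANAGED {d.ip} {d.mac} {d.hostname!r} class={classify(d)}" for d in unmanaged]
    lines += [f"STALE {mac} (in register, not seen on the network)" for mac in stale]
    return lines


# Constructed scan output, as a network profiler or port scan would report it.
SCAN = [
    Device("00:11:22:aa:bb:01", "10.20.0.10", "cam-dock-3", frozenset({80, 554})),
    Device("00:11:22:aa:bb:02", "10.20.0.20", "line4-plc",  frozenset({80, 502})),
    Device("00:11:22:aa:bb:03", "10.20.0.30", "",           frozenset({47808})),        # HVAC controller, no hostname
    Device("00:11:22:aa:bb:04", "10.1.0.15",  "eng-ws-07",  frozenset({135, 445, 3389})),
    Device("00:11:22:aa:bb:05", "10.20.0.40", "",           frozenset({23, 80})),       # telnet + web UI, unknown vendor box
]

# Constructed asset register maintained by IT: MAC -> owning business unit.
REGISTER = {
    "00:11:22:AA:BB:01": "facilities/security-cameras",
    "00:11:22:AA:BB:02": "operations/line-4",
    "00:11:22:AA:BB:04": "engineering",
    "00:11:22:AA:BB:99": "operations/line-2",   # device retired, entry never removed
}

if __name__ == "__main__":
    for line in report(SCAN, REGISTER):
        print(line)
```

Running the block lists the unhosted HVAC controller and the telnet-enabled box as unmanaged, and the retired line-2 entry as stale. Port fingerprints are deliberately coarse: they are enough to route a finding to the right owner, and the physical inspection the article mentions then confirms what the device actually is.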
In addition to an inventory of physical devices, the security team should have clear visibility into network usage patterns and behaviors in order to recognize suspicious activity. Establishing a baseline of network activity including log-on and traffic patterns and then updating this baseline periodically to reflect changing circumstances is recommended.
Control: The Second Element of an Effective Defense
The second element of an effective IoT security strategy involves extending the security capabilities of the individual devices as well as adjusting the organization’s network architecture, operational and management practices, and security protocols. Several practices merit special attention:
Implementing segmentation. IoT devices should not share a network segment with PCs and servers. Instead, they should be isolated into a separate virtual local area network (VLAN) or subnet and locked down via access control lists (ACLs) that deny traffic by default and permit only the specific destinations and ports each device class needs, such as a proxy for outbound connections and a collector for logs. Any IoT devices that require Internet access or are reachable from public-facing servers should be secured behind a combination of firewalls, switch ACLs or other access controls. The same principle applies to vendor access points: a vendor's remote connection should terminate in the IoT segment, not on the corporate network.
Configuring firewalls and proxy devices. Firewalls and proxy devices must be properly configured to identify and block malicious traffic. In many instances, it might be advisable to add dedicated proxy devices that provide an additional layer of security features and further isolate IoT devices from the rest of the corporate network.
Changing default configurations. Default passwords must be changed on every device, and unneeded services, ports and protocols should be disabled, because automated malware routinely tries factory credentials and default services first. Changing these device configurations also might necessitate changes to system operating and maintenance practices, so all changes must be thoroughly documented and, in certain circumstances, reviewed with the vendor.
Updating and installing patches. Every IoT device's firmware should be updated to the latest version, which incorporates the vendor's current bug and vulnerability fixes. Where a device can no longer be patched, mitigating or compensating controls such as tighter segmentation or a protective proxy should be put in place instead. Updating firmware is a fundamental cybersecurity best practice; nevertheless, it often is neglected.
Logging and monitoring. All IoT devices should be integrated into the corporate network’s current logging solutions. Usage patterns and activity levels should be monitored constantly for signs of unusual traffic or abuse.
Performing regular security assessments. Regular security assessments are important for both visibility and control. Consultant or vendor reports should include the raw output and data from all scans and inventories, along with risk-based analyses with business impact statements that allow you to prioritize projects and make the most of limited resources.
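One way to combine the traffic baseline recommended in the visibility section with the segmentation and logging practices above, as an added example that is not part of the original article: a learning window establishes which peers each IoT device talks to and how large its flows are, and later flows are flagged when they violate the segmentation allowlist, reach a peer the device has never used, or are far larger than anything seen before. The flow records, the IoT subnet `10.20.0.0/24`, the allowlist, the `VOLUME_FACTOR` threshold and the function names are all constructed assumptions for a plant whose IoT VLAN is only permitted to reach an outbound proxy and a syslog collector.

```python
"""Baseline the traffic of a segmented IoT VLAN, then flag departures from it.

Added example; not code from the original article. The flow records, the IoT
subnet and the allowlist are constructed assumptions for a plant whose IoT
VLAN may only reach an outbound proxy and a syslog collector.
"""
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed IoT VLAN

# Assumed segmentation policy, i.e. what the switch ACLs are supposed to enforce:
# IoT hosts may reach only the proxy and the log collector.
ALLOWED_PEERS = {
    (ipaddress.ip_address("10.20.0.1"), 3128),   # outbound web proxy
    (ipaddress.ip_address("10.1.0.50"), 514),    # syslog collector
}
VOLUME_FACTOR = 5   # a flow this many times larger than any seen before is a spike


def parse_flow(line):
    """'timestamp,src,dst,dst_port,bytes' -> tuple with typed fields."""
    ts, src, dst, port, nbytes = line.strip().split(",")
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def build_baseline(lines, prior=None):
    """Learn, per IoT source, the peers it talks to and the largest flow it has sent.

    Pass the previous baseline as `prior` to refresh it with a new window.
    Flows that violate the segmentation policy are never learned as normal.
    """
    peers = defaultdict(set)
    max_bytes = defaultdict(int)
    if prior:
        for src, p in prior["peers"].items():
            peers[src] |= p
        max_bytes.update(prior["max_bytes"])
    for _, src, dst, port, nbytes in map(parse_flow, lines):
        if src in IOT_NET and (dst, port) in ALLOWED_PEERS:
            peers[src].add((dst, port))
            max_bytes[src] = max(max_bytes[src], nbytes)
    return {"peers": peers, "max_bytes": max_bytes}


def detect(baseline, lines):
    """Return (timestamp, src, reason, detail) for each IoT-sourced flow that departs from the baseline."""
    alerts = []
    for ts, src, dst, port, nbytes in map(parse_flow, lines):
        if src not in IOT_NET:
            continue
        if (dst, port) not in ALLOWED_PEERS:
            # The ACL should have dropped this; seeing it means the ACL is missing or the device changed VLAN.
            alerts.append((ts, str(src), "segmentation-violation", f"{dst}:{port}"))
        elif (dst, port) not in baseline["peers"].get(src, set()):
            alerts.append((ts, str(src), "new-peer", f"{dst}:{port}"))
        ceiling = baseline["max_bytes"].get(src)
        if ceiling and nbytes > VOLUME_FACTOR * ceiling:
            alerts.append((ts, str(src), "volume-spike", f"{nbytes} bytes vs previous max {ceiling}"))
    return alerts


# Constructed flow records from a quiet week: camera .10 and PLC .20 behave as expected.
BASELINE_FLOWS = [
    "2024-02-05T08:00:00,10.20.0.10,10.20.0.1,3128,1200",
    "2024-02-05T08:05:00,10.20.0.10,10.20.0.1,3128,1500",
    "2024-02-05T08:10:00,10.20.0.10,10.1.0.50,514,300",
    "2024-02-05T08:00:00,10.20.0.20,10.1.0.50,514,200",
    "2024-02-05T08:05:00,10.20.0.20,10.1.0.50,514,250",
]

# Constructed records from a later night shift.
NEW_FLOWS = [
    "2024-03-01T02:10:00,10.20.0.10,10.20.0.1,3128,1400",    # normal
    "2024-03-01T02:11:00,10.20.0.10,10.1.0.80,445,4800",     # camera reaching a file server over SMB
    "2024-03-01T02:12:00,10.20.0.20,10.20.0.1,3128,300",     # PLC has never used the proxy before
    "2024-03-01T02:13:00,10.20.0.10,10.20.0.1,3128,900000",  # huge upload through the proxy
    "2024-03-01T02:14:00,10.1.0.5,10.20.0.10,554,500",       # engineer viewing the stream: not IoT-sourced, ignored
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for alert in detect(baseline, NEW_FLOWS):
        print(*alert)
```

Two design points matter in practice. The segmentation check is independent of the baseline, so a misconfigured ACL that has been letting SMB through for months is still reported rather than learned as normal. And refreshing the baseline with `build_baseline(new_window, prior=old)` is how the periodic update the article recommends is done: only flows permitted by policy are absorbed, and the previous window's peers and volume ceilings are carried forward.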
Discovery and Response: The Last Lines of Defense
Visibility and control are the core elements, but a thorough IoT defense strategy also must address two other critical components: discovery and response. Up-to-date cybersecurity intelligence, coupled with effective detection systems and training, can shorten the time that attackers can operate undetected within a network environment, cause physical damage, disrupt or distract business operations, or access sensitive data. Then, once an attack is detected, effective incident response procedures can help contain the damage and enable a faster return to normal operations.
But these vital last lines of defense cannot be executed effectively without first giving adequate attention to visibility and control. With billions of IoT devices going into service over the next few years, M&D organizations need to move quickly to be sure they are adequately addressing these essential strategic elements.
Kiel Murray, CISSP, GPEN, GWAPT; Chris Reffkin, CISSP; and Chris Wilkinson, CISSP, CRISC, are with Crowe Horwath LLP, a public accounting, consulting, and technology firm with offices across the globe.