Securing Your Network in an Internet of Things (Part 2)

If you would like to read the first part in this article series please go to Securing Your Network in an Internet of Things (Part 1).

In Part 1 of this article, we examined some of the characteristics of the emerging phenomenon known as the Internet of Things and discussed the need for a new way of approaching the security challenges that it brings.

The current state of IoT security

Going back to the Tripwire report that was mentioned in Part 1: the company sponsored a study, conducted by Atomick Research, of IT pros and CISO, CIO and director-level executives across several critical infrastructure industries in the U.S. and the U.K., along with remote workers who are employed in those same industries. Some of the survey results were surprising – and more than a little troubling.

Telecommuting has become increasingly popular in an uncertain economy as companies recognized that they could save money by reducing the need for physical space (and in many cases equipment costs as well, since many at-home workers use their own personally owned computers and devices). Employees like it because it gives them more flexibility and saves them money that would otherwise be spent on gasoline and other commuting costs, parking, work clothing, lunches and so forth.

It’s a win/win situation – except perhaps when it comes to security. When employees work on premises, companies have more control over what they connect to the corporate network (although with the BYOD trend, that control is not nearly as tight as it used to be). When employees work at home, they’re connected to both their home networks and the corporate network, so we need to take a look at what other devices share that home network and how secure those devices are.

Most home networks have printers and routers attached to the network. Many also have gaming consoles and video equipment, such as smart TVs. More and more now have home security devices and surveillance cameras connected. Some have already gone all out and plugged in (or wirelessly connected) new IP-enabled household appliances such as washers, dryers and refrigerators.

The Tripwire report finds that remote workers have an average of over eleven IoT devices on their home networks, and almost a quarter of them admitted to connecting at least one of those IoT devices to their company networks. But it’s not only employees who are telecommuting or bringing BYOD devices in that pose a risk. We can expect to see plenty of company-owned IoT devices directly connected to the company network, as well.

The problem with all of these IoT devices is that they aren’t as easy to secure as more traditional computing devices. Some may have very limited configuration capabilities. In many cases, the vendors don’t issue regular security updates when vulnerabilities are discovered, the way traditional software vendors do.

The really scary thing is that in the study, sixty-seven percent of the executives who were surveyed said they expect to be forced to adopt IoT devices despite security risks, in order to improve business efficiency. Yet the IT professionals who participated in the survey overwhelmingly displayed a lack of confidence that even those IoT devices that are already on their networks are secure, with fewer than twenty percent saying that they have confidence in the secure configuration of newer and less common IoT devices.

Most telecommuters access company email or corporate documents from their home networks. According to the survey, seventy-five percent said they do, and that number rises to more than eighty percent for larger companies (those with annual turnover of half a billion dollars or more). So while the general assumption might be that small businesses are more at risk from IoT on home networks, it appears that enterprises are very much at risk, as well.

Some employees might not even realize that they’re connecting IoT devices to their networks. Many of the devices plug into the USB port of a computer in order to charge the battery (think smart watches and fitness bands as just one example). USB exploits are common, so it’s not unthinkable that malware could enter the computers through this attack vector and from there, infect the company network when the computer connects to it.

You might think enterprises would have a handle on this problem and have security mechanisms in place to deal with IoT. According to the survey, that’s not the case at a significant number of companies. Twenty-one percent of IT pros and twenty-three percent of the executives admitted that they really don’t know; they said they have no visibility into the levels of protection against IoT-related threats that currently exist on their networks. Only thirty percent of the IT pros think their organization is technologically capable of assessing IoT device security.

This paints a rather pessimistic picture of the current state of IoT security, but also inspires the question: What can organizations do to allow the inevitable incorporation of IoT devices into their network environments without putting those networks at risk?

Best security practices in an Internet of Things

As the IoT grows, so do the security challenges and the privacy concerns. The U.S. Federal Trade Commission (FTC) has put out guidelines for vendors that are developing and marketing IoT devices, the first of which is to design security into the devices from the beginning instead of attempting to tack it on later.

This is probably one of the most important issues; personal computers were originally conceived and designed without much thought to security, since the first systems were standalone and often weren’t connected to even a local network, much less a global one. Software and hardware vendors have been playing catch-up on the security front ever since the Internet “happened,” and frequently with less than optimal results. It’s essential that we not repeat that same pattern with IoT.

IoT devices differ from traditional computers in that these embedded systems usually have very specific and narrowly limited purposes. That means they need – and have – more limited system resources and much simpler interfaces. This makes them more user-friendly but also makes them less open to complex configuration changes by users that might make them more secure.

Because these IoT devices don’t have large amounts of extra storage space, memory and processor power, adding strong security to them can be problematic. Encryption, blacklisting and other security mechanisms often require storage space and/or memory/processing capabilities that are beyond what the device has built in. Unlike with a typical computer, you can’t easily just “open the box” and add more of these resources. That’s why security must be considered from the beginning of the design stage.

The strategies that we use to protect our networks from current threats will also be useful, to a large degree, in protecting against IoT-related threats. However, we have to recognize that our physical control over these devices is often much less than what we have over traditional systems, and plan our security measures accordingly. A multi-layered, defense-in-depth security strategy will be more important than ever.

IoT vendors must also realize that they are selling the software on which the device runs as well as the device itself and that they have a responsibility to their customers to respond to vulnerability reports and keep the devices up to date in the same way traditional operating system and application vendors do.

There are many companies that are seeing a business need here and rushing to fill it. The IoT security crisis presents a challenge for both long-established companies and new startups. For example, Verizon has launched a managed certificate service that’s aimed at IoT devices, in an attempt to expand their enterprise business. The service issues digital certificates for large IoT deployments to verify the identities of the devices. Bastille Networks, a startup, is offering solutions that use radio-frequency emissions sniffing to monitor IoT devices in an office.

Is your network firewall adequate to protect the IoT devices behind it? Unfortunately, probably not. That’s because many of the IoT devices use their own protocols that are not the ones you see on your network with traditional computers. Thus the devices themselves need to have host-based firewalls that can handle those protocols and detect malicious payloads in the packets that use them. To protect your network in an Internet of Things, you’re going to need security at both the device and the network levels.

Many IoT products are sold by smaller companies that may not have the budgets and capabilities to build in security while keeping prices down to attract more customers. Security vulnerabilities have been discovered in many IoT devices, from fitness trackers to smart light bulbs.

Awareness is the first step in protecting your organization’s resources from hackers who get in through the back door of IoT devices. One of the most important steps that you can take is to ensure you have adequate monitoring of your network so that you know what devices are connecting to it and avoid the “surprise IoT” that’s mentioned in the Forbes article above. Excellent change management and control is more essential than ever in a world where literally everything is on the Internet.
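One way to get that visibility, shown here as an added example that is not part of the original article: compare the DHCP server's current leases against an approved device inventory and report anything unrecognized. It assumes the DHCP server writes leases in dnsmasq's format; the lease lines, the inventory and all function names are constructed for illustration.

```python
import re

# Constructed sample in dnsmasq lease format (assumed DHCP server):
# "<expiry> <mac> <ip> <hostname> <client-id>"
SAMPLE_LEASES = """\
1767225600 3C:22:FB:10:20:30 192.168.10.21 eng-laptop-07 01:3c:22:fb:10:20:30
1767225600 00:11:22:aa:bb:cc 192.168.10.40 lobby-printer *
1767225600 a4:cf:12:de:ad:01 192.168.10.77 * *
1767225600 a6:5e:60:01:02:03 192.168.10.78 smartwatch *
not a lease line
"""

# Constructed approved inventory (hypothetical), keyed by lower-case MAC.
APPROVED = {
    "3c:22:fb:10:20:30": "engineering laptop",
    "00:11:22:aa:bb:cc": "lobby printer",
}

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def normalize_mac(mac):
    """Return a lower-case colon-separated MAC, or None if malformed."""
    mac = mac.replace("-", ":").lower()
    return mac if MAC_RE.fullmatch(mac) else None


def is_locally_administered(mac):
    """True when the locally-administered bit is set, as in randomized MACs."""
    return bool(int(mac[:2], 16) & 0x02)


def find_unknown_devices(lease_text, approved):
    """Return one record per lease whose MAC is not in the approved inventory."""
    unknown = []
    for line in lease_text.splitlines():
        fields = line.split()
        mac = normalize_mac(fields[1]) if len(fields) >= 4 else None
        if mac is None or mac in approved:
            continue  # malformed line, or a device we already know about
        unknown.append({"mac": mac, "ip": fields[2],
                        "hostname": None if fields[3] == "*" else fields[3],
                        "randomized_mac": is_locally_administered(mac)})
    return unknown


if __name__ == "__main__":
    for device in find_unknown_devices(SAMPLE_LEASES, APPROVED):
        print(device)
```

A MAC address can be changed by the device, so a match against the inventory is an inventory aid rather than proof of identity; the `randomized_mac` flag marks entries that will not match a fixed inventory from one connection to the next.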

Summary

The Internet of Things, like most technology developments, will have its good and bad consequences. It’s difficult to provide specifics for securing IoT devices because there are so many different ones, performing so many different functions and using so many different protocols. The key is to stay on top of what devices are connected to your network and to ensure that there is adequate security at both the network level and the device level. Don’t make the mistake of thinking that because they’re not “real computers,” they don’t pose a threat.
