Lack of Built-in Controls, Manageability & Patches Remain Stumbling Blocks
The Internet of Things (IoT) and the Industrial Internet of Things (IIoT) present tremendous promise for the future of how enterprises will do business. They offer the productivity-enhancing benefits of a network of smart devices that can communicate with one another via the Internet, handling tasks with a precision and consistency that humans cannot match. Plus, intelligent use of these devices, which are proliferating rapidly in enterprises, can save a lot of money at the same time.
Unfortunately, there are huge security risks to integrating IoT and IIoT devices into a network. Many of these devices have no built-in security and operate outside of the IT security perimeter — meaning they create serious vulnerabilities that can be easily exploited by hackers. IoT devices such as copy machines, HVAC systems, VoIP phone systems, and intelligent subsystems can be breached in less than three minutes, according to a report from ForeScout.
To make matters worse, many organizations have no plan or procedures for safely incorporating and monitoring IoT devices into their networks.
The Top IoT Security Risks Facing Enterprises:
Default Passwords
This is probably the dominant challenge for enterprises. Most IoT devices come with default passwords that are rarely changed. When hundreds or thousands of devices share the same default password, this is an attacker’s dream come true.
Lack of Manageability
Few IoT devices are designed to easily support updates and patches. Unfortunately, it’s only a matter of time before an exploit is developed to compromise any number of devices. Without the ability to remediate vulnerabilities, enterprises simply cannot respond effectively.
Direct and Indirect Internet Connectivity
When a device is connected directly to the Internet, it is immediately attackable and exploitable once a vulnerability is disclosed. Since most IoT devices are Internet connected, the scale of an infection could be massive.
To make matters worse, many devices enable remote access without requiring any networking setup and lack a formal admin process that would include validating credentials. Instead, they relay data through a vendor-controlled server. This approach is common for devices that handle small amounts of data, such as fitness trackers, light bulbs, thermostats, etc. However, it raises privacy and security issues, as device data is controlled by the makers of the devices. If an attack penetrates a vendor’s server, it could result in a massive data breach.
Other devices, such as cameras, use a different approach for remote access. Called “hole punching,” it allows outside users to establish connections to devices inside the network. Unfortunately, this approach can be even more dangerous as inside users may be completely unaware that their devices are using open connections to the Internet.
Since hackers will target the weakest link in an enterprise’s attack surface to compromise its perimeter, virtually any type of IoT device poses a potential security risk, including printers and coffee makers.
In addition, many IoT devices use ports that are exposed to the Internet — which can be used by attackers to bypass firewalls. Once inside the network, they can move laterally, look for devices vulnerable to remote code execution, install malware or backdoors, etc.
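The three traffic patterns described above (Internet-to-device connections on exposed or hole-punched ports, a device reaching into the corporate network, and a device relaying to an unsanctioned external server) are all visible in ordinary firewall or flow logs. The following is an added example, not code from the article or its author, that classifies constructed flow records against an assumed layout: the IoT VLAN is 10.20.0.0/24, the corporate network is 10.10.0.0/16, and 203.0.113.10 (a documentation address used here as a placeholder) is the only sanctioned vendor relay. The record format is also an assumption.

```python
"""Added example: flag risky IoT traffic patterns in firewall flow records.

Assumed layout (not from the article): IoT VLAN 10.20.0.0/24, corporate network
10.10.0.0/16, and a single sanctioned vendor relay at 203.0.113.10 (a
documentation address used as a placeholder).
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

IOT_NET = IPv4Network("10.20.0.0/24")              # assumed IoT VLAN
CORP_NET = IPv4Network("10.10.0.0/16")             # assumed corporate user/server network
VENDOR_ALLOWLIST = {IPv4Address("203.0.113.10")}   # assumed sanctioned vendor relay
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"), IPv4Network("192.168.0.0/16")]

# Constructed flow records (one accepted connection per line) in an assumed key=value format.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 src=10.20.0.15 sport=51234 dst=203.0.113.10 dport=443 proto=tcp
2024-05-01T10:00:05 src=198.51.100.7 sport=40000 dst=10.20.0.22 dport=23 proto=tcp
2024-05-01T10:00:09 src=10.20.0.15 sport=51235 dst=10.10.4.8 dport=445 proto=tcp
2024-05-01T10:00:12 src=10.20.0.31 sport=51236 dst=192.0.2.55 dport=8883 proto=tcp
2024-05-01T10:00:15 src=10.10.4.8 sport=51237 dst=10.20.0.15 dport=80 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    category: str


def is_internal(ip: IPv4Address) -> bool:
    """True for RFC 1918 space; anything else is treated as the Internet."""
    return any(ip in net for net in RFC1918)


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow record: {line!r}")
    return Flow(m["ts"], IPv4Address(m["src"]), IPv4Address(m["dst"]), int(m["dport"]), m["proto"])


def classify(flow: Flow) -> Optional[str]:
    """Return a risk category for the flow, or None if it matches the expected pattern."""
    src_iot = flow.src in IOT_NET
    dst_iot = flow.dst in IOT_NET
    # Internet -> IoT: an exposed port or a hole-punched session that the firewall accepted.
    if dst_iot and not is_internal(flow.src):
        return "inbound-from-internet"
    # IoT -> corporate: a device reaching into the user/server network (lateral movement).
    if src_iot and flow.dst in CORP_NET:
        return "iot-to-corporate"
    # IoT -> Internet host that is not the sanctioned vendor relay.
    if src_iot and not is_internal(flow.dst) and flow.dst not in VENDOR_ALLOWLIST:
        return "unexpected-external-relay"
    return None


def find_risky_flows(text: str) -> List[Finding]:
    """Parse every record in `text` and return the ones that fall into a risk category."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        category = classify(flow)
        if category:
            findings.append(Finding(flow.ts, str(flow.src), str(flow.dst), flow.dport, category))
    return findings


if __name__ == "__main__":
    for f in find_risky_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.category:26s} {f.src} -> {f.dst}:{f.dport}")
```

Run against the constructed sample, the script flags the telnet connection from the Internet to a device, the device-to-file-server connection on port 445, and the device talking to an unknown external broker, while the sanctioned relay session and the corporate-to-device management connection pass. In practice the allowlist and subnet constants come from the asset inventory, which is why maintaining one for IoT devices matters.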
Locking Down IoT
Given the inherent security weaknesses of IoT and IIoT devices, particularly when they are connected to the Internet, one of the most effective security measures is to implement a non-IoT access control mechanism, ideally a Virtual Private Network (VPN).
A VPN can isolate a network from IoT devices and their security weaknesses. While operating and maintaining a VPN requires a fair degree of technical skill, using one is imperative.
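Whatever mechanism enforces the boundary (a VPN concentrator, a firewall between VLANs, or both), its policy can be written down and checked before deployment. The following is an added example, not code from the article or its author, that models a first-match, default-deny policy for an assumed layout (IoT VLAN 10.20.0.0/24, corporate network 10.10.0.0/16, an admin jump-host subnet 10.10.50.0/24, and a vendor relay at the placeholder address 203.0.113.10), compares a flat network against a segmented one using probes that mirror the risks discussed earlier, and renders the result as nftables forward-chain rules.

```python
"""Added example: model an IoT segmentation policy, verify it with probes, and render it.

Assumed layout (not from the article): IoT VLAN 10.20.0.0/24, corporate network
10.10.0.0/16, admin jump hosts in 10.10.50.0/24, vendor relay at 203.0.113.10
(a documentation address used as a placeholder).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "tcp"

    def matches(self, src: str, dst: str, dport: int, proto: str) -> bool:
        return (IPv4Address(src) in IPv4Network(self.src)
                and IPv4Address(dst) in IPv4Network(self.dst)
                and (self.dport is None or self.dport == dport)
                and self.proto == proto)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int, proto: str = "tcp") -> str:
    """First-match evaluation of a new connection with an implicit default drop."""
    for rule in rules:
        if rule.matches(src, dst, dport, proto):
            return rule.action
    return "drop"


# A flat network: devices, users and the Internet can all reach one another.
FLAT_POLICY = [Rule("accept", "0.0.0.0/0", "0.0.0.0/0")]

# Segmented: devices may talk only to the vendor relay, are reachable only from the
# admin subnet, and everything else falls through to the default drop.
SEGMENTED_POLICY = [
    Rule("accept", "10.20.0.0/24", "203.0.113.10/32", 443),  # device -> sanctioned relay
    Rule("accept", "10.10.50.0/24", "10.20.0.0/24", 443),    # admins -> device web UI
    Rule("drop", "10.20.0.0/24", "10.0.0.0/8"),              # no device -> internal network
    Rule("drop", "0.0.0.0/0", "10.20.0.0/24"),               # no other inbound to devices
]

# Probes: (description, src, dst, dport, expected action). The "drop" probes encode the
# article's concerns: exposed ports, lateral movement and unsanctioned relays.
PROBES = [
    ("internet -> IoT telnet", "198.51.100.7", "10.20.0.22", 23, "drop"),
    ("IoT -> corporate SMB", "10.20.0.15", "10.10.4.8", 445, "drop"),
    ("IoT -> unknown cloud broker", "10.20.0.31", "192.0.2.55", 8883, "drop"),
    ("IoT -> sanctioned vendor relay", "10.20.0.15", "203.0.113.10", 443, "accept"),
    ("admin jump host -> IoT web UI", "10.10.50.5", "10.20.0.15", 443, "accept"),
]


def policy_violations(rules: List[Rule]) -> List[str]:
    """Return the descriptions of probes whose result differs from the expected action."""
    return [desc for desc, src, dst, dport, expected in PROBES
            if evaluate(rules, src, dst, dport) != expected]


def to_nftables(rules: List[Rule]) -> str:
    """Render the policy as an nftables forward chain with a drop default.

    Return traffic for accepted connections is admitted by the conntrack rule, so the
    per-rule lines only ever decide on new connections, matching evaluate() above.
    """
    lines = ["chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        port = f" {r.proto} dport {r.dport}" if r.dport is not None else f" ip protocol {r.proto}"
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst}{port} {r.action}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("flat policy violations:", policy_violations(FLAT_POLICY))
    print("segmented policy violations:", policy_violations(SEGMENTED_POLICY))
    print(to_nftables(SEGMENTED_POLICY))
```

The flat policy fails the three "must drop" probes; the segmented policy passes all five. Keeping the probe list under version control next to the rules turns the article's "use network topology" advice into a regression test that runs every time a rule is added for a new device or vendor.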
Another best practice, though not as effective, is to update software to ensure that known vulnerabilities cannot be exploited. This is often easier said than done, since many IoT vendors fail to provide patches even for actively exploited vulnerabilities. Furthermore, many IoT devices lack the basic ability to receive and apply updates.
Governments Can Force Change
The Internet of Things Cyber Improvement Act of 2017 proposes a minimum standard of security for devices to qualify for federal procurement. The legislation would require the following commitments from vendors:
Their IoT devices can be patched.
Devices don’t contain known vulnerabilities.
If a vendor identifies a vulnerability on a device, it must disclose it to an agency, explaining why the device can be considered secure notwithstanding the vulnerability.
Devices use standard protocols.
Devices don’t contain hard-coded passwords.
While the bill may never become law, it does provide all organizations, not just federal agencies, with a solid framework for evaluating the security posture of products during the procurement phase.
However, until manufacturers of IoT devices incorporate strong security into their products, the only reliable way to keep devices from compromising an enterprise is to use network topology to prevent attackers from interacting with such devices.
About Dr. Srinivas Mukkamala
Dr. Srinivas Mukkamala, co-founder and CEO of RiskSense, is a recognized expert on artificial intelligence (AI) and neural networks. He was part of a think tank that collaborated with the U.S. Department of Defense and U.S. Intelligence Community on applying these concepts to cybersecurity problems, and a lead researcher for CACTUS (Computational Analysis of Cyber Terrorism against the U.S.). He holds a patent on Intelligent Agents for Distributed Intrusion Detection System and Method of Practicing.