These days, an organization’s technology stack isn’t merely computers and servers. The Internet of Things (IoT)—a catch all term for the many different devices that have sensors or software that connect them to the Internet—has carved out a foothold in every industry. Hospitals are filled with devices that monitor patient status, farmers are using sensors placed in the ground to obtain data about soil, and utility plants rely on SCADA systems to keep things running. However, while IoT has undoubtedly enabled great progress, it has also brought with it new challenges. The safety of IoT is all too often an afterthought for many organizations. In this blog, we’ll consider the security implications of IoT devices, and lay out a path to following best practices and reducing risk.
Why Are IoT Devices So Difficult to Secure?
From a purely statistical standpoint, every new device represents a new threat vector, increasing the potential probability of a successful attack. Embedded software on endpoint devices may contain vulnerabilities that can be exploited using malware. From there, devices can be used as part of an attack chain that eventually leads threat actors into more critical parts of the IT environment. Alternately, these devices can be used as bots to execute denial-of-service attacks. Unfortunately, most security products only protect a fraction of such devices or require an agent to be installed in order to monitor them. Far too much of the IoT, including high-end devices, go unwatched.
A surge in such attacks against critical infrastructure prompted the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) to put out an advisory urging organizations to secure all internet-accessible operation technologies and control systems. Their words of warning are clearly warranted, but how does one begin to safeguard all of this technology? The following six steps provide guidance on how to realistically secure their IoT devices in a way that is manageable long term.
1. Have a Plan of Action.
Security is not something that should be done ad hoc. Establish a phased strategy with tasks delegated to the appropriate people. For example, a good place to start may be an audit of your infrastructure to create a list of what devices you have, and find out if any shadow IT devices are present on the system.
Other items to consider adding to your action plan include:
- Disconnecting systems that don’t need internet connectivity
- Creating a backup process
- Identifying system and operational dependencies
- Determining who has the authority to make key decisions
- Scheduling regular backups of important resources
- Periodically putting your incident plan to the test
2. Educate Your Employees.
Employees often unwittingly put their organizations at risk, simply by carelessly opening an email. Phishing is still an incredibly successful tactic, luring people into opening a malware laden attachment or entering credentials into a spoofed website. Running a social engineering pen test can help identify who is particularly vulnerable to phishing attempts. From there, these employees can be taught ways to identify phish, and why they should be cautious about opening links or attachments, particularly those that come unprompted or from unusual sources.
The increase in remote work has also brought attention to the need for employee education. Home routers may be misconfigured or unpatched. Deliberate and unintentional connections are being made to the organizational network—personal laptops, tablets, and any other wifi-enabled device in an employees home could be yet another attack vector to exploit. Since none of these devices are under the security team’s control, education initiatives that demonstrate best practices are critical, along with regular reminders to update their systems.
3. Limit Access as Much as Possible.
Organizations often find out once it’s too late how many people had access to critical data and systems, like SCADA. Excessive privileges make it easy for threat actors to gain control. Instead of having to find a privileged account to gain access, they can simply use any credentials they are able to steal. Making sure you provide appropriate access goes a long way in mitigating risk and improving the overall security posture of your organization.
Managing permissions can be difficult to do manually, and is best achieved through Identity Governance and Administration (IGA) solutions. Such tools enforce the principle of least privilege, granting access to only those who absolutely need it in order to do their jobs.
4. Always Apply Security Updates.
Ignoring or postponing a security update is never a good idea, but many attackers have been able to successfully breach an environment using a known exploit that already has an available patch. However, as more IoT devices join the infrastructure, it becomes increasingly difficult to make sure everything is up to date, let alone stay aware of vulnerability advisories and patches. Sporadically implementing patches is not sufficient or structured enough to ensure you’re fully aware and patching all of the different security weaknesses in your network. It’s important to take the time to establish a process for patching and updates to make sure it doesn’t fall by the wayside.
One of the fastest ways to find out what vulnerabilities may be affecting your system is by regularly scanning it with a vulnerability assessment solution. These scans can give an organization an idea of what security threats they may be facing by giving insights into potential security weaknesses present in their environment.
5. Regularly Test Your Systems.
The best way to know your IoT security strategy is by putting it to the test. Penetration tests evaluate an organization’s ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls and gain unauthorized or privileged access to protected assets. By exploiting an organization’s infrastructure, pen testing can demonstrate exactly how an attacker could use IoT to gain access to sensitive data.
Additionally, penetration tests can validate remediation efforts and verifying that any measures taken to improve security are working. For instance, you can determine the status of newly added patch. While it may be identified as being present by a vulnerability scanner, it may not be working because the system wasn’t rebooted. Periodic testing makes certain that organizations can stay one step ahead by uncovering and fixing security weaknesses before a threat actor uses them to their advantage.
6. Consider Solutions that Detect Compromised Devices.
Finally, since many IoT devices don’t have traditional antivirus, focusing on prevention is not enough. Realistically, the challenge is not simply a matter of keeping threat actors out, but also quickly finding and removing those that have made their way in.
The longer an infection lives in a network, the more damage it can do. Swiftly discovering threats using tools like Network Traffic Analysis (NTA) solutions help to minimize damage. Additionally, by monitoring traffic, NTA solutions can monitor different types of devices. For example, many NTA solutions are OS agnostic, monitoring traffic from both Linux servers and Windows workstations.
Intelligently Incorporating IoT
Though it can be daunting to think of the potential security threats that IoT may bring to their environment, this doesn’t mean organizations should hesitate to incorporate it. As long as you take the steps need to make sure you’re properly prepared for risks, you can enjoy all of the benefits such incredible technology has to offer.