IoT Risk Management
The InfoSec Consulting Series #15
By Jay Pope
Shadow IT and the Internet of Things (IoT) both bring huge cyber security challenges to the CISO but can also enhance business productivity. IoT devices came to the forefront for all the wrong reasons as cyber-attackers continued to target them and use them in support of their attacks. IoT devices provide the ideal target for cyber criminals because they are connected to internal networks with their own IP addresses and form a gateway for communication with any other systems or devices connected to the internet. Despite their large and growing numbers, these devices remain relatively poorly protected and this makes them extremely easy and attractive targets. Analysts at the Gartner Group have projected that there will be roughly 21 billion IoT devices in use by 2020. In general, security needs have been overlooked in the procurement of these smart devices, because buying decisions are focused on business needs. Remote access is taken for granted and risk remains unassessed, leaving a direct route wide open into an organisation’s critical systems and valuable personal and business data. In this article we look at IoT Risk Management options.
IoT devices & Security
The big problem with IoT devices is that, in many cases, security seems to be an afterthought in their design, leaving them virtually unprotected. They do not generally run standard operating systems, as manufacturers have instead opted for cheap solutions, so the most commonly used IT security tools are either not relevant or not compatible with the limited amount of on-board memory. In addition, many cannot take firmware updates, meaning it is impossible to patch security vulnerabilities as they become evident.
On the rare occasions that patches and security updates are made available by the manufacturer, many IT teams find them hard to keep track of. Existing business security tools that monitor device state simply do not see IoT devices in the network, so none of the usual layers of cybersecurity, such as firewalls and endpoint security, provide adequate protection. New security schemes remain years away from large-scale deployment and will not protect existing devices, giving us the perfect storm of vulnerability to attack, with devices already perpetually connected and permanently insecure.
Recent IoT Compromises
Recent high-profile breaches were caused by DDoS attacks, in which a network of compromised systems targets a single system and overwhelms it with excess traffic. Previously, the ‘botnets’ which came under the control of hackers had been collections of PCs infected with malware. Now we see botnets being assembled from IoT devices including security cameras, wireless routers, digital video recorders, IoT-controlled lighting, thermostats, and a whole host of other seemingly innocuous devices. This same method is being used to create “backdoors” for cyber-attacks that have nothing to do with DDoS. Because malware can be propagated via an IoT device, it becomes impossible for standard network security systems to spot these weak spots and prevent them being used for reconnaissance or data theft, the diversion of funds, or even destruction of infrastructure.
Who is Exposed?
This problem is everywhere because so many organisations use smart devices, and the biggest risk comes from not realising you are at risk! Manufacturing and healthcare industries appear to suffer from particularly broad exposure due to unprotected devices. The control of typical manufacturing processes employs a plethora of IoT devices such as temperature sensors, smart water meters, pressure and viscosity sensors and an endless list of other system components which are wirelessly connected. In healthcare, there is an ever-growing list of IoT devices, including diagnostic lab equipment, sensors used in intensive care, cancer treatment activity trackers, insulin delivery systems, pacemakers, advanced patient monitoring, RFID tags on medicines, blood gas analysers, portable x-ray machines and many more.
One recently identified type of cyberattack is referred to as medical device hijack or MEDJACK, which involves attackers building custom software tools to allow them to identify and compromise specific medical networks and IoT-connected devices. These criminals know that such devices are approved and therefore closed to the installation of endpoint security software. Neither hospital security nor IT teams can install software on such devices. Once a backdoor has been established to give illegal access to a hospital’s network, the perpetrators can access information undetected.
IoT Risk Management
The tide has now turned, and defences are starting to come online using the knowledge gleaned from previous attacks. Best practices and supporting technologies for IoT risk management now offer far greater capabilities to begin to protect the formerly unprotected devices in our networks. A powerful strategy is network segmentation: micro-segmentation is placed in line with all enclave traffic in a network, which substantially reduces lateral movement. This also allows policies to be assigned to the devices and users in the network to define who may talk to whom and which resources can be accessed.
Because such policies use port, user, and IP address, they lend themselves to automation for large-scale enterprise deployment. Micro-segmentation also stops attackers from misusing IoT devices as “slaves” in their botnet or as the backdoors to more sophisticated attacks. When combined with other new technologies such as MTD (moving target cyber defence), micro-segmentation can significantly reduce the surface open to attack. This can put a halt to reconnaissance and the theft of network information used for planning attacks. It also gives an extra layer of protection to IoT devices, including legacy devices already installed in a network, because IP addresses become obscured and therefore invisible to attackers. These new technologies allow you to protect the entire base of currently installed IoT devices, in addition to accommodating practically any type of IoT device that you may want to add to your network in the future.
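The policy model described above (segments, plus rules keyed on port, user and IP address, with everything else denied) can be sketched as follows. This is an added example, not code from the article or from any product; the segment names, address ranges, ports and the "iot-ops" role are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed enclaves; names and address ranges are illustrative assumptions.
SEGMENTS = {
    "cameras":   ipaddress.ip_network("10.20.1.0/24"),
    "recorders": ipaddress.ip_network("10.20.2.0/24"),
    "clinical":  ipaddress.ip_network("10.30.0.0/16"),
    "it-admin":  ipaddress.ip_network("10.99.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str                     # source segment
    dst: str                     # destination segment
    port: int                    # destination port
    user: Optional[str] = None   # required user identity; None = no user needed

# Allow-list policy: any flow not matched here is denied.
POLICY = [
    Rule("cameras", "recorders", 554),             # cameras stream to recorders
    Rule("it-admin", "cameras", 443, "iot-ops"),   # named role manages cameras
]

def segment_of(ip):
    """Map an IP address to its segment name, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def decide(src_ip, dst_ip, port, user=None):
    """Return 'allow' or a 'deny: ...' reason for one flow (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny: unknown segment"
    for r in POLICY:
        if (r.src, r.dst, r.port) == (src, dst, port) and r.user in (None, user):
            return "allow"
    if src == dst:
        return f"deny: lateral movement within {src}"
    return f"deny: {src} -> {dst}:{port} not in policy"

if __name__ == "__main__":
    # Constructed sample flows: (source IP, destination IP, port, user).
    for flow in [("10.20.1.15", "10.20.2.5", 554, None),
                 ("10.20.1.15", "10.20.1.16", 23, None),
                 ("10.20.1.15", "10.30.4.7", 445, None),
                 ("10.99.0.8", "10.20.1.15", 443, "guest")]:
        print(flow, "->", decide(*flow))
```

Because the policy is an allow-list, a camera talking to a neighbouring camera or to the clinical segment is denied without any rule having to name that traffic, and the deny reasons double as log events worth alerting on.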
It is very clear that there is still a great deal of work to do when it comes to combating the cyber risks introduced by the use of smart devices, and this applies to both businesses and consumer households. Recent experiences with IoT have been a retrograde step within IoT risk management, but we can now move forward with a stricter mindset around their installation and security.