Enterprise architects need to rethink their security strategies as they begin leveraging the Internet of Things (IoT). Taking advantage of the capabilities of embedded system connectivity depends on opening up enterprise infrastructure to a much larger set of devices, all of which have the potential to introduce new IoT security vulnerabilities.
"Many IoT devices and applications that will be deployed soon, will not be engineered using secure development best-practices, leaving vulnerabilities that can be exploited to capture sensitive data," said Brian Russell, an engineer who focuses on cybersecurity solutions for Leidos, a national security, health and engineering solutions company, and who leads the Cloud Security Alliance's Secure Internet of Things Initiative. "It's going to be important that IoT manufacturers begin to acquire the expertise needed to ensure security across the product lifecycle."
The tools used to manage and enable all phases of IoT security are very immature. Billy Rios, founder of Laconicly, an IoT security consultancy, said, "We don't even have tools to help us accomplish simple tasks, like finding where all of our devices are on the network or ensuring the device user accounts have robust passwords. The software security on these devices is horrible."
Hardcoded (backdoor) credentials, insecure protocols, weak authentication and data integrity are all extremely common. Forensics is really difficult. Rios explained, "Most organizations lack the tools and expertise to conduct incident and forensics investigations on these devices, so the devices are typically ignored when it comes to incident handling and forensics investigations."
Thinking outside the firewall
One big challenge is that IoT devices will bypass firewalls completely and create long-term connections to third party services, some of which aren't even outwardly known to the enterprise. Mark Stanislav, Sr. security consultant of strategic services at Rapid7, a security services consultancy, said "Enterprises deploying off-the-shelf IoT devices should be concerned about the level of network access those devices have, how much data they are transmitting, and what level of maturity the organization who builds the device has around information security."
If an IoT device were to be compromised, most organizations would have little hope of knowing what had occurred since there is very limited visibility into the inner-workings of IoT software and hardware. Many of these IoT devices would offer great capabilities for an attacker who is able to compromise a single device, and then work to move laterally throughout the network if not properly contained and segmented. "Data, whether video, audio, environmental or otherwise sensitive, can often be siphoned through a compromised IoT device and may provide criminals with valuable information to leverage over organizations," added Stanislav.
The biggest difference in protecting IoT lies in thinking outside the firewall, since IoT implies being connected to the public Internet. Daniel Kador, co-founder and CTO of Keen IO, an IoT analytics service provider, said, "The question is not how to prevent devices from being compromised - they will be. The question is how to deal with it once it happens."
Addressing the patch gap
As the enterprise identifies new ways to create business value from connected devices, it may be tempting to leverage devices that were never intended to be connected or updated. Lorie Wigle, vice president, IoT Security Solutions at Intel Security said, "IoT deployments often include connecting devices that were not originally intended to be on a network and hence do not have any security designed into them. And industrial IoT devices, in particular, have very long lives with uptime or availability as their highest priority."
This means that patching can be problematic or even inappropriate. Another security concern is that IoT servers are generally not in access-restricted machine rooms, which means physical security is a greater concern as attackers can prod and poke at them, insert USB sticks and press buttons in ways that IT cannot control.
Improving security assessment
Organizations need to evolve more Agile processes for assessing the sensitivity of IoT data that might be exposed in the wild, said Zach Supalla, founder and CEO at Spark IO, an open source IoT toolkit provider. IoT devices produce a lot of data, some of which is sensitive, and some of which is not. Applying appropriate security is somewhat trivial, but because a lot of applications are not sensitive, the biggest problems will be when the managers developing a product aren't sure what to secure and what not to secure.
In some respects, new IoT capabilities benefit from security through obscurity today. There are so many different specifications and protocols used that it is difficult for malicious hackers to create malware that can attack a large number of devices easily. Keen IO's Kador said, "We're in a pre-standardization phase right now, so it doesn't make much sense for black hats to spend much time here when they can focus on Windows exploits. But once we see standardization around IoT specs, expect a rising wave of exploits targeting those specs."
It's also a good idea for enterprises to take an inventory of their existing IoT vulnerability exposure. Laconicly's Rios said most enterprises don't realize that they already have a number of IoT devices in their environments. Smart environmental controls and energy management are extremely common. On any given corporate campus, there are a variety of sensors feeding information to smart HVAC, lighting, energy and access control systems.
Rios said he has come across a number of conference room availability appliances that show the conference room schedule in real corporate enterprises. What many don't realize is these devices are horribly insecure. It should be concerning to enterprise architects that many of these devices retrieve availability information from Exchange servers, which means they usually have a set of corporate credentials on them.
Resource constrained devices
IoT security can be more challenging to implement because it is leveraging extremely resource constrained device, said Spark IO's Supalla. A computer running a general purpose operating system like Windows or Linux will have no problem establishing an encrypted connection with another server. But a microcontroller inside a coffeemaker doesn't have the same resources and access to the same crypto stacks, and it also might not have access to enough entropy to generate truly random numbers for cryptographic keys. These are solvable problems, but they require thoughtful implementation and expertise.
Enterprises might consider leveraging IoT toolkits which can help ensure best practices in the ways that connected devices access APIs and enterprise systems. For example, Spark IO, helps engineers and organizations develop connected products where all of the low-level plumbing is already taken care of so the engineer can focus on the application. Security and scalability are built in so that they are not issues that the engineer has to worry about.
Enterprises should consider using the limitations of IoT devices to improve the security architecture with white listing technologies, said Intel Security's Wigle. Since IoT devices are not general purpose, think about deciding what applications and code can run on them rather than continuously updating what can't run on them. For example, Intel Security has more than 200 customers who build its white listing and change control solutions into their products.
Taking advantage of IoT security initiatives
- The Cloud Security Alliance is working with a number of security experts to define IoT Security Guidance for Early Adopters.
- Other organizations such as OWASP, Builditsecure.ly, WhiteScope, and I am the Cavalry have also begun to contribute significantly to helping organizations build a secure IoT.
- The Open Interconnect Consortium has both an open source platform, IoTivity and standards development underway.
- The Industrial Internet Consortium is providing security guidance for companies;
- NIST is working on security for cyber physical systems.
- Cisco provided a "Grand Challenge" for IoT security efforts recently.
- Intel Security also has a developer program for extending security management to other companies, called the Security Innovations Alliance, that allows solutions to plug into the ePolicy Orchestrator.
Rapid7's Stanislav said, "The biggest security strength of IoT innovation currently is the focus on standardization of firmware, APIs and software operating on these devices. In this nascent era of IoT, a Wild West of technologies create devices from thousands of vendors who share very little technological-DNA. While innovation is enabled through a lack of restraints on IoT device creation, it must ultimately change for sustainability and security maturity to occur."
What can we expect from IoT in 2015? Our expert weighs in.
Learn how CIOs can prepare for IoT
An IIoT plan is essential for manufacturers
IIC takes on Industrial IoT security