Smart City Sentinel

Security in a Time of IoT

By Special Guest
Dr. Mike Lloyd, CTO, RedSeal

The Internet of Things (IoT), made up of special-purpose devices designed to do a particular job well, presents a significant problem for security professionals. Several of their traditional approaches to security won’t work. Fortunately, it’s not all doom and gloom. We can use a three-step strategy for dealing with security and IoT.

First, we need to understand the nature of the IoT problem. Second, we need to invest effort in finding IoT endpoints and enumerating their weaknesses. And third, having found them, we need to look at them in the context of our own organization, our network, and our risk tolerance, so that we can clearly identify appropriate controls.

Understanding IoT – Consumer, Medical and Industrial
IoT devices fall into three major areas – consumer, medical, and industrial. Consumer IoT devices are packed with features. We see smart TVs, smart refrigerators, even smart lightbulbs. They compete on price, and the first thing that’s cut to reduce prices is security. Indeed, some, like devices with always-on microphones, seem to be designed to defeat security and privacy. For some chilling examples of how weak these devices are, see this article from KrebsOnSecurity.com.

While consumer devices are consciously marketed to be “futuristic,” the medical sector takes current, well-understood and previously isolated machines and connects them to the internet. Those who design and use medical IoT devices focus on medical outcomes, generally paying little attention to the network vulnerability of these newly reachable assets. In fact, the health care industry can be resistant to even modest security constraints, concerned that a security control could stop the medical device from doing something and harm a patient. This concern is well motivated but overlooks the other side of the risk: patients also need to be protected from the bad actors out across the network.

Industrial IoT has its own distinct pressures. The economics of generating power or running a factory brought devices online that were never designed for the internet. Traditionally, these devices ran in an environment completely separated from the internet. Known as OT (Operational Technology), rather than internet-connected IT (Information Technology), they were run by different people, with different techniques and concerns. Connecting these big, mostly immobile systems to the online world exposes them to a new category of smart attackers.

These different domains – consumer, medical, and industrial IoT – have different market drivers, different kinds of devices, and very different organizational politics around controlling them. Still, they’re all designed for special purposes and are extremely inflexible. This means a major fraction of the standard security playbook has to be rethought.

Finding IoT Devices and Their Vulnerabilities
The second step in the strategy is finding IoT devices and their vulnerabilities. Standard techniques like software agents or scans don’t work. None of these IoT endpoints is built for adding a new piece of software – even a security agent that could help limit damage or restore service after an outage. Scanning, a standard practice for traditional computer endpoints, doesn’t work for IoT devices. They can crash outright if subjected to the kind of deep interrogation we usually apply. Even worse, if you find a vulnerability on a regular computer, the solution is a patch, but you can’t patch typical single-purpose IoT devices.

There is some promising innovation in ways to uncover vulnerable IoT devices. It follows two main approaches – inventory based, and passive traffic based. An inventory-based approach is best for industrial IoT. It recognizes that large industrial plants have small numbers of relatively immobile devices that can be tracked -- for support purposes if nothing else. Since these industrial controllers and machines can’t be patched, this approach has you identify the relevant vulnerabilities by knowing your devices and keeping a growing list of known defects and weaknesses.

Inventory-based approaches don’t work for the less-controlled medical world, or the totally uncontrolled consumer space. In those areas, it’s unreasonable to assume that endpoints will be tracked in a highly accurate inventory or follow a universal standard to announce themselves. Instead, a passive traffic approach is called for, watching the behavior of endpoints on your network. These passive solutions include products that try to identify traffic fingerprints that look like, say, insulin pumps or smart TVs, rather than laptops or smartphones.

Understanding IoT Devices in Context
After we find our IoT endpoints, the third step is to map them in context, so we can understand risk and separate acceptable patterns from bad ones. It’s not enough to have a list of them; we have to know where these fragile and risky devices are located, understand who could access them, and know what an attacker could reach from a compromised device. This is particularly challenging in medical IoT. Many medical IoT devices are mobile, so their network connection changes routinely. Imagine what happens if an insulin pump is erroneously connected to the guest WiFi network instead of a private segment for sensitive medical equipment. This kind of technological mistake, caused by haste in an urgent medical environment, isn’t likely to be caught by the kinds of checks and balances that hospitals have learned to use in operating rooms.

Knowing how and where IoT devices are connected is also key to controlling access to them and protecting them. We need to divide networks into segments or zones, policing what is allowed to go from one zone to another in much the same way a bank branch is physically divided into customer space, tellers, and vault. In a world where IoT devices add new risks and new failure modes, something will inevitably go wrong. Segmentation is a way to make your devices more resilient in the face of unintentional exposures and attacks. With segmentation, you can be confident that when the inevitable incident starts, contagion won’t spread from the air conditioners to the medical devices or the power systems.
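The two checks described above (a device seen on the wrong segment, and traffic crossing a zone boundary that the policy does not allow) can be expressed as a small audit over identified flows. This is an added illustration, not code from the article or from RedSeal; the device types, zone names, allowed zone pairs and flow records are all constructed examples.

```python
"""Zone-context audit for IoT endpoints (illustrative, constructed data).

Model assumed here: each endpoint has a device type (from inventory or a
traffic fingerprint), each type belongs to one zone, and a whitelist lists
the zone-to-zone flows that are allowed. Everything else is a finding.
"""
from dataclasses import dataclass

# Zone each device type belongs to (constructed example mapping).
ZONE_OF_TYPE = {
    "insulin_pump": "medical", "infusion_pump": "medical",
    "hvac_controller": "building", "smart_tv": "guest",
    "laptop": "corp", "plc": "ot",
}

# Zone pairs (source, destination) the policy allows; all others are blocked.
ALLOWED_ZONE_FLOWS = {
    ("medical", "medical"), ("corp", "medical"),  # clinical workstations manage pumps
    ("building", "building"), ("corp", "corp"), ("guest", "guest"), ("ot", "ot"),
}

@dataclass(frozen=True)
class Flow:
    src_ip: str; src_type: str; src_segment: str   # segment = where the device was seen
    dst_ip: str; dst_type: str; dst_segment: str

def check_placement(ip, dev_type, segment):
    """Return a finding if the device sits on a segment other than its zone."""
    expected = ZONE_OF_TYPE.get(dev_type)
    if expected is None:
        return f"{ip}: unknown device type {dev_type!r}, cannot assign a zone"
    if expected != segment:
        return f"{ip}: {dev_type} seen on segment {segment!r}, expected {expected!r}"
    return None

def audit(flows):
    """Collect misplaced devices and disallowed zone-to-zone flows (deduplicated)."""
    findings = []
    for f in flows:
        for ip, t, seg in ((f.src_ip, f.src_type, f.src_segment),
                           (f.dst_ip, f.dst_type, f.dst_segment)):
            p = check_placement(ip, t, seg)
            if p and p not in findings:
                findings.append(p)
        pair = (ZONE_OF_TYPE.get(f.src_type), ZONE_OF_TYPE.get(f.dst_type))
        if None not in pair and pair not in ALLOWED_ZONE_FLOWS:
            findings.append(f"flow {f.src_ip}->{f.dst_ip}: zone {pair[0]} may not reach zone {pair[1]}")
    return findings

# Constructed flows: a pump on guest WiFi, HVAC reaching a pump, and one allowed flow.
SAMPLE_FLOWS = [
    Flow("10.9.0.12", "insulin_pump", "guest", "10.2.0.5", "infusion_pump", "medical"),
    Flow("10.3.0.7", "hvac_controller", "building", "10.2.0.5", "infusion_pump", "medical"),
    Flow("10.1.0.20", "laptop", "corp", "10.2.0.5", "infusion_pump", "medical"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

The first constructed flow triggers a placement finding (the insulin pump is on the guest segment) and the second a zone finding (building equipment reaching medical equipment); the third is allowed and produces nothing.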

IoT is a challenge that must be addressed head on; it’s disruptive to security as usual. That said, organizations can use this as a call to action, and a reason to put new focus on segmentation and resilience – old ideas that are up to the minute.

Edited by Ken Briodagh