The internet of things (IoT) is a comparatively recent invention. Ten years ago, we only worried about protecting our computers, and it was only five years ago when we needed to protect our smartphones. Now we need to consider protecting our fridges, heating systems and industrial machines in order to safeguard company networks.
The IoT is growing quickly. Researchers estimate that by 2020 the number of active wireless-connected devices will exceed 40 billion. These devices are becoming an increasingly attractive target for criminals, as more connected devices mean more attack vectors and possible vulnerabilities.
Once ignored, IoT security has now become an issue of great concern. Just last year, a US casino was compromised through hackers accessing its network through a smart fish tank. Over 10GB of data was leaked before the intrusion was detected and blocked. Likewise, smart fridges have been found to be part of botnets.
These are not isolated incidents. Colin Tankard, managing director of Digital Pathways, says: “People could go in and attack the heating and ventilation system, which is on the backbone of an organisation. From there, they could start to packet sniff what is on the network and find other machines or gain access to another system, simply because the systems are poorly secured and poorly managed.
“Each team involved in facilities management and network operations typically has visibility of each other’s systems; this creates islands of self-contained information. The problem is, should one system/group see an issue, it is only seen on their system. This lack of interconnected view is what hackers exploit.”
One of the core problems with IoT devices is that, despite being network-connected, they were originally not considered a threat. That holds while they are treated as isolated units, but once they are connected to a wider corporate network, a device with weak security becomes a vulnerable point on that network and a risk to data security.
IoT devices are also always connected, always on and typically authenticate only once, when they are first set up, which further makes them ideal targets for network infiltration. “Once a hacker has gained access to the system and logged in, there are no secondary checks and often no event logs,” says Tankard. “From here they can install malware or any other monitoring software with no alerts being sent to the system console or, worse still, to any IDS installed within the organisation.
“Thus, the access goes undetected. These systems are not particularly intelligent outside of their intended purpose. They do not report on another hostile sensor being attached, or a change being made within the core system.”
Another issue is that network-connected industrial machines often run proprietary protocols. To an intrusion detection system (IDS) or intrusion prevention system (IPS), traffic from these units looks like anomalous or unknown commands, and depending on how the system is tuned, such alerts are easily dismissed as noise. They still need rigorous checking, because a genuinely malicious command would be dismissed in exactly the same way.
“Some [machines and devices] do run odd protocols, and IDS would see that as an odd protocol and not know what to do,” says Tankard. “In the past, an administrator would look at that, see it was something like the old heating system and not investigate it further, so you have another potential exploit.”
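The way out of the "odd protocol, ignore it" trap described above is to judge each industrial device against what that particular device normally does, rather than against a generic protocol signature. The following is an added example, not code from the article or from any of the people quoted in it: it learns a per-device baseline of (destination, port, protocol) triples from a constructed window of healthy traffic, then flags live flows that break the baseline or come from a device that is not in the asset inventory. The addresses, device names and flow records are constructed for the example, and Modbus/TCP on port 502 and BACnet/IP on port 47808 are used only as typical building-control protocols.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, proto)

# Constructed asset inventory: the industrial devices this segment is expected to contain.
INVENTORY: Dict[str, str] = {
    "10.20.0.11": "hvac-ahu-1",   # air-handling unit controller
    "10.20.0.12": "hvac-ahu-2",
}

# Constructed baseline window: flows captured while the plant was known to be healthy.
BASELINE_FLOWS: List[Flow] = [
    ("10.20.0.11", "10.20.0.2", 502, "tcp"),     # Modbus/TCP to the BMS head-end
    ("10.20.0.11", "10.20.0.5", 47808, "udp"),   # BACnet/IP to the building supervisor
    ("10.20.0.12", "10.20.0.2", 502, "tcp"),
    ("10.20.0.12", "10.20.0.2", 502, "tcp"),
]


def learn_baseline(flows: List[Flow], inventory: Dict[str, str]) -> Dict[str, Set[Tuple[str, int, str]]]:
    """Record, per inventoried device, the (dst, port, proto) triples it normally produces.
    Flows from addresses outside the inventory are deliberately not learned, so a device
    an attacker plugs in cannot train itself into the baseline."""
    baseline: Dict[str, Set[Tuple[str, int, str]]] = defaultdict(set)
    for src, dst, port, proto in flows:
        if src in inventory:
            baseline[src].add((dst, port, proto))
    return dict(baseline)


def detect(flows: List[Flow], baseline: Dict[str, Set[Tuple[str, int, str]]],
           inventory: Dict[str, str]) -> List[tuple]:
    """Return alerts for flows that break the per-device baseline.
    Unlike a signature IDS that sees an unknown protocol and gives up, this judges each
    flow against what this specific device has been seen to do before."""
    alerts = []
    for src, dst, port, proto in flows:
        if src not in inventory:
            alerts.append(("unknown-device", src, dst, port, proto))
        elif (dst, port, proto) not in baseline.get(src, set()):
            alerts.append(("new-flow", inventory[src], dst, port, proto))
    return alerts


# Constructed live window. The two deviations are a controller reaching a corporate
# SMB server, and an uninventoried host speaking Modbus to the head-end.
LIVE_FLOWS: List[Flow] = [
    ("10.20.0.11", "10.20.0.2", 502, "tcp"),
    ("10.20.0.11", "10.10.5.40", 445, "tcp"),
    ("10.20.0.12", "10.20.0.2", 502, "tcp"),
    ("10.20.0.99", "10.20.0.2", 502, "tcp"),
]


def run_example() -> List[tuple]:
    return detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS, INVENTORY), INVENTORY)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline is only as good as the window it was learned from, so it should be captured during a period the plant is known to be clean and re-learned after any approved change to a device, otherwise the legitimate new flow becomes the next ignored "odd protocol".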
Also, IoT devices are not replaced as often as computers. Once an organisation’s computer reaches its end of service – usually when the three-year warranty expires – the machine is replaced with a newer model. But for network-connected devices, replacement cycles can be much longer. For example, a typical industrial machine or heating system might be replaced every 10 to 15 years, during which time the warranty will have expired.
Support for these devices dwindles the older they get, as suppliers shift their focus from supporting legacy devices to promoting new products. Eventually, security updates and firmware patches stop, as suppliers withdraw support from legacy devices, assuming that such support existed in the first place.
Replacing older network-connected devices and machines on the same cycle as PCs is not realistic: the cost of replacing industrial machinery every three years would be prohibitive. But simply doing nothing leaves the organisation with a known vulnerability on its network.
The first thing organisations should do is ensure all IoT devices are patched with the latest security updates the supplier still provides for them. Manually updating each device is not feasible, given the number of devices an organisation can expect to have. Equally, an automatic update channel is itself an attack surface: a faulty or malicious image pushed through it reaches every device at once. The practical approach is to verify each update and stage it on a test device first, to check that it performs correctly before it is rolled out more widely.
Organisations should carry out a risk assessment of the damage a bad update could do on each network-connected device, and assess each update on a case-by-case basis. This process should also be incorporated into the organisation’s data protection strategy. “Businesses must have complete sight of where the device is located, how it is being used and the corporate access governance it includes,” says Stuart Aston, national security adviser for Microsoft UK.
As network-connected devices continue to be used beyond their service guarantee, and security patches become no longer available, organisations should deploy additional security measures by either implementing an infrastructure refresh of those end-of-service devices, or by ring-fencing them with further security measures to reduce the risk of a system breach.
This can become costly over time, so financial assessments should be conducted to determine when it is most cost-effective to replace legacy systems. “Organisations need to accept that there comes a point when [systems] will no longer be patched and updated,” says Tankard. “They have to double their efforts in looking after their system and make sure it is not being exploited or a vulnerability for them.”
Organisations should, as standard, encrypt traffic on their networks regardless of whether IoT devices are connected, and that includes the commands and sensor values the devices exchange, not just user data. Where the device supports it, connections should use TLS (transport layer security, the successor to the now-deprecated SSL).
IDS and IPS can be deployed to monitor networks continuously, with particular attention to the gateways, the points at which two networks meet.
Networks can also be split into a series of sub-networks, with network-connected devices and machinery kept on a separate sub-network, thus restricting the flow of information. Naturally, data can still flow between the different sub-networks, but with properly managed gateways between the sub-networks, the danger of malicious access can be mitigated.
Network segmentation can impede efficiency and connectivity – one of the greatest benefits of wireless connectivity of industrial units is remote working – but with properly managed gateway security, this can be mitigated.
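The segmentation and gateway policy described in the preceding paragraphs, as an added example that is not code from the article or from any organisation quoted in it: the network is modelled as zones, the gateway holds a short explicit allow-list, and everything else, including remote engineers trying to reach a controller directly instead of through a jump host, is denied. The zone names, address ranges, ports and sample flows are all constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed zone map. Addresses are illustrative only.
ZONES = {
    "corp":   ipaddress.ip_network("10.10.0.0/16"),   # office workstations and servers
    "ot":     ipaddress.ip_network("10.20.0.0/24"),   # heating, ventilation, industrial units
    "jump":   ipaddress.ip_network("10.30.0.0/28"),   # hardened engineering jump hosts
    "remote": ipaddress.ip_network("10.40.0.0/24"),   # VPN pool for remote engineers
}

# Gateway policy as (src_zone, dst_zone, proto, dst_port). Anything not listed is denied.
ALLOW_RULES: List[Tuple[str, str, str, int]] = [
    ("jump", "ot", "tcp", 502),      # Modbus/TCP from the jump host only
    ("jump", "ot", "tcp", 22),       # maintenance shell from the jump host only
    ("remote", "jump", "tcp", 22),   # remote engineers must land on the jump host first
    ("ot", "corp", "tcp", 8443),     # historian push to the reporting server
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide a single flow at the gateway. Traffic that stays inside one zone never
    crosses the gateway and is reported as 'local'. Anything not explicitly allowed is
    denied, including traffic from addresses that belong to no known zone."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny"
    if s == d:
        return "local"
    return "allow" if (s, d, proto, dport) in ALLOW_RULES else "deny"


# Constructed flows a gateway might see in a day.
SAMPLE_FLOWS = [
    ("10.40.0.7",  "10.20.0.11", "tcp", 502),    # VPN user straight to a controller
    ("10.40.0.7",  "10.30.0.2",  "tcp", 22),     # VPN user to the jump host
    ("10.30.0.2",  "10.20.0.11", "tcp", 502),    # jump host to controller
    ("10.20.0.11", "10.10.5.40", "tcp", 445),    # controller to a corporate file server
    ("10.20.0.11", "10.10.5.41", "tcp", 8443),   # historian push
    ("10.10.7.3",  "10.20.0.11", "tcp", 502),    # office PC to controller
    ("10.20.0.11", "10.20.0.2",  "tcp", 502),    # controller to head-end, same zone
    ("192.0.2.9",  "10.20.0.11", "tcp", 502),    # address outside every zone
]


def evaluate_all(flows) -> List[str]:
    return [evaluate(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate_all(SAMPLE_FLOWS)):
        print(decision, flow)
```

Remote working survives the split because the remote zone can still reach the jump host, and the jump host can still reach the controllers; what is lost is only the direct path from a VPN client to an industrial unit, which is the path an attacker with stolen VPN credentials would want.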
“All company-owned devices that are connected to our corporate networks are checked, patched and locked down as required,” says Scott Lynn, services director at IT services firm Agilitas. “Other devices are provided with a guest network connection to ensure the corporate network remains secure against external threats.”
When buying new devices, organisations should conduct thorough market research. This should not just focus on a device’s features and reliability, but also on the supplier’s reputation for data protection, the security of its devices and its after-sales maintenance guarantees. “A brand’s security reputation is one of our main priorities when we are evaluating new devices to deploy across the network,” says Lynn. “The risk to try new or less-respected entrants in the market is far too high in a business that delivers a global 24/7 operation.”
When new network-connected devices are first brought into a network, they should be checked for vulnerabilities. Any unused interfaces, ports or services should be disabled, and the connections that remain protected with TLS where the device supports it. “We record the firmware levels of all devices within our network as they are deployed,” says Lynn.
At the moment, there is no legislation or certification that requires suppliers to provide adequate levels of security in their devices. ISO/IEC 27001 (information security management) is the closest, but it only says how well the supplier or manufacturer protects its own operations, not how secure its products are.
New code of practice
However, the UK government recently announced plans to introduce a new code of practice designed to improve the security measures of internet-connected devices. The Security by Design review was developed with support from the National Cyber Security Centre (NCSC) to address the gaping security holes in many smart IoT devices.
In the wake of several high-profile incidents of IoT devices being compromised, the past 12 months have seen greater awareness of the need for proper security protocols for network-connected devices. However, this still leaves us with a legacy of poorly-secured devices that will need to be monitored carefully for malicious behaviour in case they are compromised.
“The real network problems appear when IoT devices are neglected, as they become vulnerable and the data they transfer and services they provide is at risk,” says Microsoft’s Aston.
Only by carefully monitoring its networks and ring-fencing vulnerable devices will an organisation be able to protect its data adequately against unauthorised access. “I do feel things are getting better,” says Tankard. “The technology is getting there now, but you have 15 years of systems in place, and that is still a long time for these to be changed out.”