This will have drastic implications on security as IoT devices are widely known for being woefully insecure and ripe attack surfaces for cybercriminals looking for a way inside systems.
“Because it’s all embedded devices, it’s up to the manufacturer to go ahead and distribute patches or firmware updates in order to secure the device. That’s a problem because these are inherently security flawed devices,” said Jonathan Langer, CEO of IoT security company Medigate.
“The pressure for solutions is coming from two directions: One is much more pressure on manufacturers to step up their game in terms of security, and the other is regulators pushing for this as well as the user. But the manufacturers are slowly moving. At the same time, the users themselves are also beginning to procure solutions or demand solutions that protect their network as well.”
Here are five tips from IoT security experts about how to keep your enterprise protected.
1. System-wide protections, visibility and asset maps
IoT devices have become increasingly common in factories and manufacturing facilities in the last few years, creating headaches for security teams trying to keep a variety of devices protected.
Langer said companies that use IoT devices heavily should have security systems designed specifically to protect environments populated with smart tools. These kinds of systems will understand the behavior of IoT devices, know what patterns to look for and block and prevent undesirable behaviors from continuing.
“The first basic thing I’d do as an enterprise is get visibility. I need to understand what IoT devices are connected to my network. IoT devices are perceived as something the IT department is in charge of, but employees can bring in connected refrigerators or security cameras and plug it into the network,” Langer said, adding that those kinds of devices “introduce risk into the network.”
Sean Peasley, IoT security leader for Deloitte Cyber, suggested companies create asset maps that list out all of the connected devices as well as all the third-party vendors, hardware, software and critical areas so that weak spots can be mitigated and watched.
For factories, Peasley added that there can sometimes be friction between the people using the devices on a daily basis and the security teams or IT departments managing them. IoT security requires company-wide collaboration and synchronization to make sure all endpoints are secured properly.
SEE: IoT security: A guide for IT leaders (TechRepublic Premium)
2. Watch out for malware and ransomware
Etay Maor, chief security officer at IntSights, said attacks on IoT devices like Mirai should make any enterprise terrified of what could happen if connected devices are not protected. Mirai is a kind of malware that exploits IoT devices and repurposes them in large-scale DDoS attacks.
Both Maor and Peasley said IoT devices, particularly those used at enterprises, are difficult to protect because they usually stay on 24 hours a day.
“IoT devices are pure gold for an attacker because these devices are usually never off. It’s not like your laptop that you turn off, so these devices are almost always on, so DDOS attacks or cryptojacking attacks on them are effective,” Maor said.
“Usually the problem with IoT devices is it feels like we make the same mistakes we made a decade ago. People want to be first to market and have the best features, and security in a lot of cases is overlooked and so they come out in an unsecure fashion.”
Langer added that ransomware attacks are common because hackers can hijack a device, shut it down and force enterprises to pay a ransom to restore it or throw it away and buy a new one entirely.
This can become extraordinarily costly for organizations that rely on smart devices as critical parts of their business. IoT devices are vulnerable soft targets that cybercriminals can easily attack and hold hostage in ways that can even endanger employees.
SEE: Special report: The rise of Industrial IoT (free PDF) (TechRepublic)
3. Network segmentation and firewalls
One key to keeping your system safe is network segmentation and firewalls to make sure that not every device provides access to the entire system. Oftentimes cybercriminals use IoT devices as entry points to an entire system, so keeping some segmented is key to making sure hackers don’t get too far.
“Attackers are using IoT for lateral movement. They go through these devices in a network and try to reach an entry point or a segment of the network with valuable information. That east-west lateral movement is the most difficult. Cyberattackers are taking advantage of the vulnerable nature of the IoT devices to pivot or propagate within the network,” Langer said.
“Today it’s very much apparent that segmentation is really a foundation of a network security system and that every enterprise has to be aware of.”
Peasley noted that because many enterprises, especially manufacturing companies, are running dozens of devices all from different companies, it can be difficult to manage each. Many devices need to be patched or receive security updates from their makers, giving third parties continual access to your system. This can be dangerous for both sides, and security teams have to make sure devices provide limited access to the rest of a system.
“Companies need to know who has access to their environment. Are you certain about what you’re utilizing and are you sure they don’t get compromised and allow an adversary to get in?” Peasley said.
SEE: Securing IoT in your organization: 10 best practices (free PDF) (TechRepublic)
4. Understand the threat landscape
Maor said understanding the landscape of threat actors and security flaws is key to protecting IoT devices within your system. He cited one example where cameras were hacked into because they were still protected by default admin passwords which were easy to break.
There are now portals where you can search the web for connected devices and endlessly test out passwords or usernames to break into devices. Security teams, as well as cybercriminals, can now see what devices are publicly available and test out usernames or passwords.
Some websites even give you ways to see which IoT devices will be vulnerable to specific kinds of attacks, essentially becoming one-stop shops for hackers looking for easy marks. Maor said printers are some of the most common devices that lack proper security protections and while the consequences may be as miniscule as someone printing things from your home, this kind of access to your system can have dangerous ramifications.
“I can take advantage of this and attack you with stuff like this and I’m only showing you the very lax stuff. I can show you connected MRI machines or any other device you can think of in this database. I’ve found cinemas that have all kinds of devices and some of them are vulnerable. This is easy stuff,” Maor said. “This is just out there. This is not nation-state stuff.”
While websites like these can be terrifying, they do give security teams valuable insight into how attackers view networks and vulnerable endpoints that have the potential to be exploited.
5. Check with the manufacturers
It has taken a while, but manufacturers are finally starting to realize that they play a critical role in the security posture of the devices they create.
Peasley, Maor and Langer added that most devices are not built with security in mind but in recent years manufacturers have been forced to make an effort to provide some amount of protection for certain devices.
“When the manufacturer writes and codes the software, they can do so in a manner that is security oriented. This means there is the right way to write secure code. There is a process and tools to do things like penetration testing. The other thing they can do, and more importantly, is they can create a process in which after they deploy their devices, they have the opportunity to update their firmware,” Langer said.
“Even if I sell you the most secure IoT device in the world and I’ve done all my penetration testing, one day later some hacker will find a new vulnerability that exposes that device, and the only way to remediate that vulnerability will be through a security patch. Companies have to have a process in place to remediate it remotely.”
Some manufacturers are now prioritizing secure coding and are making the patch update process more robust as they work closing with security researchers. But security is not their priority, and there are still relatively lax regulations around securing devices.
SEE: Research: Defenses, response plans, and greatest concerns about cybersecurity in an IoT and mobile world (TechRepublic Premium)
Peasley noted that it can be difficult to deal with patches for systems that run 24/7, and many enterprises are running on outdated software or hardware that may not be compatible with every patch. This can create a nightmare scenario for security teams managing dozens–if not hundreds–of devices.
It can be very costly to upgrade systems but the cost of a breach may be even greater, Langer added. “Every IT director and CISO needs to get educated around IoT. It’s a foundation of the responsibility that you have.”