There is a well-known joke among security professionals:
Q: “What does IoT stand for?”
A: “Internet of Threats.”
Sadly, this joke is our reality.
An estimated 20.4 billion Internet of Things devices will be deployed by 2020, according to Gartner, in what some have dubbed “the fourth industrial revolution.” These connected devices are being manufactured to streamline everything we do. Smart fridges will be capable of ordering groceries when we’re running low, for example, and smart desks will alert us when we’ve been sitting too long.
While there is vast opportunity for IoT to improve both our personal and professional lives, there’s an equally vast opportunity for bad actors to exploit vulnerabilities in connected devices.
Most of us, without thinking twice, assume that privileged access and configurations around our current IoT devices will stay the same; however, failing to acknowledge or scan for new developments could be a fatal mistake.
Overlooking new security measures that would further improve security for IoT devices could result in exposure to malicious attackers and the growing cybersecurity threat landscape.
In the world of manufacturing — where shaping up and shipping out the next best product as fast as possible is the name of the game — security is commonly, and disturbingly, an afterthought.
How Unsecure Is Your IoT Device?
One of the biggest security concerns, when it comes to IoT devices, is unauthorized access. Unbeknownst to the everyday user, each device can act as an entry point into a network. Leaving them unsecured could create a large and unmanageable attack surface.
The Mirai botnet malware attack, which struck two years ago, showed just how high IoT risk really is. To carry out the attack, hackers gained access to millions of routers and IP cameras through hardcoded default passwords, like admin/password or root/1234.
They then created a botnet leveraging the hijacked cameras to conduct a coordinated DDoS (distributed denial of service) attack that rendered much of the Internet inaccessible on the United States’ East Coast.
More recently, VPNFilter malware targeted IoT devices, infecting SOHO (small-office-home-office) routers through well-known software vulnerabilities.
The malware hijacked network flows going through the routers and featured a kill-switch capable of destroying the routers’ software.
“Who cares about SOHO routers?” you might ask. Well, these devices are used by critical infrastructure, such as the energy sector. Imagine the impact this kind of malware could have on the U.S. if it could shut down energy grids.
What would transpire if IoT-connected vehicles, such as smart cars, were the victims of an attack? Imagine hackers taking control of the wheel to steer a car off the road or remotely steal a vehicle from its owner.
The potential ramifications of compromised IoT devices could be detrimental to both our online and physical safety.
As these examples show, IoT devices have the potential to create a high-risk security environment capable of widespread, crippling damage — not to mention a complete headache for security executives and their teams.
Managing Your IoT Devices Like Employees
So, how do security professionals safeguard their business from IoT cyber risks? They should start by treating each IoT device connected to their network as an employee, by incorporating them into existing identity management processes and applying the following best practices:
1. Give devices an identity: To achieve this, you must first embrace a different mindset. View IoT devices not as pieces of technology, but rather as privileged users who have access to sensitive information. Once a device is assigned an identity and provisioned appropriately, its activity can be monitored and managed throughout its whole life cycle on the network.
2. Apply device governance: Once each device is given an identity, you should apply policy-based authentication and access control. It’s easy to deploy an IoT device and forget about it, but the reality is that these devices are a conduit between the internet and your environment, making them an easy attack vector for unauthorized users to gain access to sensitive corporate information.
Device authentication and access should be governed and routinely revisited during the full device lifecycle — through software updates, bug fixes, new firmware, routine maintenance and diagnostic improvements.
3. Employ the principle of least privilege: Just as you would only give an employee the minimum access to data and systems they need to do their jobs, businesses need to limit the access of their IoT devices.
Employ firewalls and permissions to safeguard against unauthorized devices obtaining proprietary or privileged information. For example, your smart printer doesn’t need access to the CFO’s income statements folder. The less access you give an IoT device, or employee, the less damage either could bring to the enterprise.
4. Manage device passwords: Like users, IoT devices hold passwords that authenticate them to systems, files and data. Best practices for managing user passwords, such as requiring routine resets and multifactor authentication, also apply to IoT passwords. These passwords must be updated routinely and closely managed to protect the vital information they store.
5. Monitor the device: Devices should be monitored 24×7 to identify unusual activity, check for necessary patch updates, and confirm each device is still in the right network segment. Machines are highly predictable, and abnormal behavior can be a clear giveaway if there is an unauthorized user controlling the device. Without the right monitoring processes in place, these abnormalities — and thereby potential malicious actors — can go undetected.
Managing IoT devices as employees, as part of your identity and access management processes, is the best way to ensure any access is kept in check and potential threats or anomalies are monitored.
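The five practices listed above can be checked mechanically against a device inventory. The following is an added example, not code from the original article; the inventory records, role policy, segment ranges and 90-day rotation threshold are constructed assumptions.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Default pairs named in the article's Mirai discussion.
DEFAULT_CREDENTIALS = {("admin", "password"), ("root", "1234")}
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy, not from the article
# Constructed policy per device role: home segment and permitted destinations.
POLICY = {
    "printer": {"segment": "10.20.0.0/24", "allowed": {"print-server"}},
    "camera": {"segment": "10.30.0.0/24", "allowed": {"video-recorder"}},
}

# Constructed inventory; "seen" holds destinations observed in flow logs.
INVENTORY = [
    {"id": "prn-001", "role": "printer", "ip": "10.20.0.15", "user": "svc-prn-001",
     "password": "constructed-secret-1", "rotated": date(2024, 5, 1),
     "seen": {"print-server"}},
    {"id": "prn-002", "role": "printer", "ip": "10.20.0.16", "user": "svc-prn-002",
     "password": "constructed-secret-2", "rotated": date(2024, 5, 1),
     "seen": {"print-server", "finance-share"}},
    {"id": "cam-007", "role": "camera", "ip": "10.20.0.44", "user": "root",
     "password": "1234", "rotated": date(2023, 1, 10),
     "seen": {"video-recorder"}},
]


def audit_device(dev, today):
    """Return the findings for one inventory record (empty list if clean)."""
    findings = []
    policy = POLICY.get(dev["role"])
    if not dev["id"] or policy is None:
        findings.append("no managed identity or policy")
    if (dev["user"], dev["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default credentials")
    if (today - dev["rotated"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password rotation overdue")
    if policy:
        if ip_address(dev["ip"]) not in ip_network(policy["segment"]):
            findings.append("wrong network segment")
        extra = sorted(dev["seen"] - policy["allowed"])
        if extra:
            findings.append("unexpected destinations: " + ", ".join(extra))
    return findings


def audit(inventory, today):
    """Map each flagged device (by id, else IP) to its findings."""
    results = ((d["id"] or d["ip"], audit_device(d, today)) for d in inventory)
    return {name: found for name, found in results if found}
```

Calling `audit(INVENTORY, date(2024, 6, 1))` flags the printer that reached a finance share and the camera still on a default login in the wrong segment, while the correctly provisioned printer produces no findings.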
Although there can be thousands of IoT devices connected to a network at once, it takes only one poorly managed machine to inadvertently breach an organization.
As more of these devices join the network, businesses that employ these best practices can work to eliminate IoT as a threat, and begin to realize the productivity potential it was designed to bring them in the first place.