As clouds gather in the public and private sectors, the Internet of Things (IoT) – and all the devices it brings – has organized into a hurricane-sized force that challenges evolving security strategies. Earlier this year, researchers developed a Stuxnet-like malware proof-of-concept attack which they claimed could infiltrate critical infrastructure and potentially disrupt the power grid.
The attacks, however, didn’t target power plants or energy producing facilities, but instead focused on leveraging high-wattage IoT devices such as air conditioners and heaters to cause sudden generation tripping, disrupt grid restarts, trigger line failures and cascades, and increase demand on the system, all of which could result in outages or even blackouts, according to the “BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid” report.
The attacks highlight the growing threat IoT devices can provide and the need for resilient and pervasive cloud security to protect the networks often tasked with operating these devices.
Although it’s possible threat actors may look to exploit, and not just test, these types of attacks, controls are already in place to minimize the damage.
“Nation-state actors would benefit from a coordinated IoT attack on high-voltage usage devices, but we already have controls in place to deal with these events on the power grid,” says Joseph Kucic, chief security officer at Cavirin. “They are referred to as brown-outs or rolling brown-outs that are periodically implemented during heat waves to address massive spike voltage increases. These attacks are best suited for a targeted individual to disrupt normal activities to allow time for another activity to be executed.”
For example, Kucic says, an attacker could increase the voltage usage of all household appliances to cause circuit breakers to shut off power and distract the victim from accessing his banking accounts while someone else does a wire transfer.
“This would be similar to someone getting your attention while someone else picks your pocket,” Kucic says.
While some researchers don’t agree that taking control of connected home devices is a risk to the long-term reliability of the electric grid, researchers like Joe Weiss argue that the lack of cybersecurity on process sensors is a serious threat.
Weiss says cloud security assumes sensor input from IoT devices is secure and authenticated, though it is neither.
“There are no design requirements for IoT devices to include security,” Weiss says. “Additionally, security increases the cost of IoT devices that are meant to be very cheap.”
In addition, he says, there is no security in existing processors, sensors, actuators and drives. As a result, Weiss says, large-scale attacks on industrial and commercial infrastructure launched through insecure IoT devices could cause major equipment damage. These attacks could result in power grids being down for nine to 18 months.
Weiss notes neither network anomaly detection nor threat hunting can detect malicious or even unintentional sensor issues that could occur before sensor values become Ethernet packets.
Experts agree. Justin Jett, director of audit and compliance for Plixer, called the act of considering cloud applications and IoT devices trusted assets when deployed on the corporate network “a fundamental flaw that the industry has widely adopted.”
Jett notes that cloud applications and IoT devices are often deployed onto the network in a similar fashion, which creates additional weakness, and that many IoT devices communicate with providers in the public cloud.
“As an example, an IoT thermostat very likely communicates to a cloud server to provide updates and to control the device remotely,” Jett says. “If the IoT security is robust, but the cloud security is significantly lacking, the entire system is vulnerable.”
Instead, he says, these devices and cloud applications should be treated as security vulnerabilities from the beginning and the devices should be deployed with a least privilege approach.
Jett adds that cloud applications and IoT devices only perform a small set of tasks, so when one of the devices shows behavior that deviates from those tasks, security and network teams should be alerted and should take corrective action against the violation.
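The least-privilege-plus-deviation-alerting approach Jett describes, as an added example that is not part of the original article: each device gets a baseline of the few destinations, ports and protocols its job requires, and flow records that fall outside it raise an alert. Device names, addresses and flow records are constructed for illustration.

```python
import ipaddress

# Constructed per-device baseline: the small set of tasks each IoT device is
# expected to perform, expressed as allowed (destination network, port, proto).
# Addresses are documentation ranges, not any real vendor's infrastructure.
BASELINE = {
    "thermostat-01": [("198.51.100.0/24", 443, "tcp"),   # vendor cloud API
                      ("192.168.1.1/32", 53, "udp")],     # local DNS resolver
    "camera-02":     [("203.0.113.0/24", 443, "tcp"),     # video upload endpoint
                      ("192.168.1.1/32", 53, "udp")],
}

def is_allowed(device, dst_ip, dst_port, proto):
    """Least-privilege check: a flow is allowed only if it matches a baseline entry."""
    addr = ipaddress.ip_address(dst_ip)
    for net, port, p in BASELINE.get(device, []):
        if addr in ipaddress.ip_network(net) and port == dst_port and proto == p:
            return True
    return False

def audit_flows(flows):
    """Return (device, reason) alerts for flows outside a device's baseline.
    flows: iterable of (device, dst_ip, dst_port, proto, bytes_sent) tuples,
    as exported from a flow collector (constructed here)."""
    alerts = []
    for device, dst_ip, dst_port, proto, nbytes in flows:
        if device not in BASELINE:
            alerts.append((device, "unknown device, no baseline defined"))
        elif not is_allowed(device, dst_ip, dst_port, proto):
            alerts.append((device, f"unexpected {proto}/{dst_port} to {dst_ip} ({nbytes} bytes)"))
    return alerts

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    ("thermostat-01", "198.51.100.10", 443, "tcp", 2048),
    ("thermostat-01", "192.168.1.1", 53, "udp", 80),
    ("thermostat-01", "192.168.1.50", 445, "tcp", 12000),  # SMB to a file server: not a thermostat task
    ("camera-02", "203.0.113.7", 443, "tcp", 500000),
    ("camera-02", "203.0.113.7", 25, "tcp", 3000),         # a camera sending mail
    ("plug-09", "198.51.100.10", 443, "tcp", 100),          # device never baselined
]

if __name__ == "__main__":
    for dev, msg in audit_flows(SAMPLE_FLOWS):
        print(f"ALERT {dev}: {msg}")
```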
“The biggest near-term challenge is their growth in numbers and the proliferation of applications,” says Ashley Stephenson, CEO of Corero Network Security. “I expect their deployments to outpace our efforts to secure them in the next few years.”
Stephenson added IoT devices will remain a growing threat in the foreseeable future. The threats are made worse by vendors’ inability to properly patch vulnerabilities in IoT devices.
Jett says IoT designers and developers should consider enabling the ability to update firmware during the device’s design phase. But the lack of government oversight and consumer pressure on manufacturers makes it unlikely that such security considerations will show up in devices in the near future.
“This challenge is not unique to IoT devices,” says Sanjay Kalra, co-founder and chief strategy officer at Lacework. “There is an exponential expansion in the use of technology and software system.”
Kalra added that there’s a critical need for security to get more involved in the development cycle of systems and of software embedded on devices, and that IT teams and DevOps teams can no longer think of security as a compartmentalized aspect of building applications.
Until developers start taking the security of their devices more seriously, the onus will fall on information security teams to secure them in the cloud networks that control them. Tim Erlin, vice president of product management and strategy at Tripwire, says security teams should be aware of three types of cloud projects.
“Those that security knows about, those with which security is actually involved, and those with which security is neither involved nor knows about,” Erlin says. “Information security teams must be involved in cloud adoption within their organizations, but involvement shouldn’t equate to becoming an obstacle.”
Erlin added that it’s important that security enables safe adoption of cloud capabilities. To address these threats, Jett says organizations should consider the additional threat surface of using a cloud-based application or service and understand the need to monitor it closely for behavior outside of what is normally expected from it.
Despite extensive monitoring, teams can’t prevent everything.
“Misconfigurations will happen. APIs will get hacked. Passwords will get stolen,” says CipherCloud CEO Pravin Kothari, adding, “Even as we saw in the exposure of data in the Salesforce Marketing Cloud recently, even encrypted data in the application database can be exposed and potentially breached. Given all of these new attack vectors and risks, the best practice is to move to end-to-end encryption.”
Kothari says this can be achieved using cloud security brokers, as described by Forrester Research, otherwise known as cloud access security brokers (CASB), a term used by Gartner Research, ESG and others.
“These brokers encrypt and protect the data in the cloud continuously from the moment it is loaded up into the cloud, to the moment it is retrieved and used by an application or an end user. This is the industry best practice and the use of CASB can mitigate or substantially reduce all of the risks inherent in moving to the cloud,” Kothari says.
Best practices aside, researchers do fear cybercriminals will exploit the poor security measures for catastrophic attacks.
“Data leakages and data poisoning are the two worst types of attacks as they can be done over a long period of time with the ability to detect being very difficult if designed and implemented correctly,” says Kucic. “The best way to prevent these very damaging attacks (it destroys trust) is to not allow them to happen in the first place. IoT security can be addressed by isolation and secondary authentication and access controls.”
Kucic emphasized that cloud security requires continuous security and proactive monitoring of anomalous data changes to prevent these attacks.
Exposed IoT devices can also lead to DNS amplification attacks, as inexpensive IoT devices could be used en masse to create a distributed denial of service (DDoS) attack, Jett says. “While there is no clear way to prevent these types of attacks completely, properly configuring DNS to eliminate the use of unsecured recursive resolvers will significantly reduce the threat surface that can be leveraged to perform such attacks,” Jett says, adding there are projects currently online that allow users to check if there are open resolvers in their IP space, such as the Open DNS Resolver Project.
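A defender-side check for the open-resolver problem Jett raises, added here as an example and not part of the original article: it reads BIND 9 query-log lines and flags recursive queries (the flags field begins with “+”) arriving from outside the networks the resolver is meant to serve. The local network ranges and log lines are constructed assumptions.

```python
import ipaddress
import re

# Networks this resolver is meant to serve (assumption for the example).
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# BIND 9 query-log line; newer versions add an "@0x..." client pointer. The flags
# field starts with "+" when the client set the recursion-desired bit, "-" otherwise.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>[+-]\S*)"
)

def parse_query(line):
    """Return a dict for a query-log line, or None if the line is not a query."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "name": m.group("name"),
            "type": m.group("type"), "recursive": m.group("flags").startswith("+")}

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def find_open_resolver_abuse(lines):
    """Return (client_ip, name, qtype) for recursive queries from outside LOCAL_NETS.
    Any hit means the server is answering recursion for the Internet at large,
    which is exactly what amplification traffic relies on; ANY and TXT lookups
    produce the largest responses, so they are the usual abuse signature."""
    findings = []
    for line in lines:
        q = parse_query(line)
        if q and q["recursive"] and not is_local(q["ip"]):
            findings.append((q["ip"], q["name"], q["type"]))
    return findings

# Constructed log lines (not from any real server); 203.0.113.5 and 198.51.100.77
# are documentation addresses standing in for external clients.
SAMPLE_LOG = [
    "client @0x7f2b1c0b4d80 192.168.1.23#51002 (example.com): query: example.com IN A +E(0)K (192.168.1.1)",
    "client @0x7f2b1c0b4d80 203.0.113.5#53211 (example.net): query: example.net IN ANY +E(0) (192.168.1.1)",
    "client 198.51.100.77#40000 (example.org): query: example.org IN TXT + (192.168.1.1)",
    "client 198.51.100.77#40001 (example.org): query: example.org IN A - (192.168.1.1)",
]

if __name__ == "__main__":
    for ip, name, qtype in find_open_resolver_abuse(SAMPLE_LOG):
        print(f"OPEN RECURSION: {ip} asked for {name} {qtype}")
```

If the audit reports hits, the fix in BIND is to restrict recursion to the served networks with `allow-recursion` (for example `allow-recursion { localnets; };`) rather than leaving it open to any client.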
Kothari added that DDoS attacks that exploit IoT devices can successfully threaten critical infrastructures.
“IoT devices are easily compromised, and the very large numbers of these devices across all of our networks provide a compelling opportunity for attackers to drive denial of service attacks against any target,” Kothari says. “Because IoT devices are geographically distributed and their numbers are so high, current solutions in the market to DDoS attacks cannot adequately defend against these potentially massive botnet-based DDoS attacks.”