The Internet of Things (IoT) includes network-connected devices across consumer, industrial, health care and critical infrastructure systems. In 2016, attacks against vulnerable IoT devices featured prominently in the daily news headlines. Hundreds of thousands of IoT devices were used to build botnets and wage some of the largest DDoS attacks against organizations ever seen, with traffic volume exceeding 1 Tbps in some cases. In other news, connected consumer devices ranging from teddy bears to webcams and home routers were found to be vulnerable, with active compromises exposing consumers' personal information. The fact of the matter is that cyber attacks against, or leveraging, vulnerable IoT devices are rapidly increasing.
IoT and other embedded systems are often manufactured without the same security standards and level of due diligence as other computer systems. They may ship with default passwords that consumers rarely change. They may not have strong authentication around remote management and updates, and in many cases they entirely lack the ability to be remotely managed and patched. In the enterprise setting, it is common to hear of corporate networks with more unmanaged and non-standard devices connected than managed and compliant computer systems. These may include unmanaged appliances, both corporate- and employee-purchased IoT devices, and industrial control systems (ICS) and operational technology (OT) such as building and factory automation. All industries are affected, as non-IT departments incorporate more automation into their processes, such as HVAC systems, badge readers, security cameras and factory robotics. The trend is only accelerating, as interconnected IoT devices become more ubiquitous and commonplace, affecting consumers, organizations and critical infrastructure.
Corporate security teams often have very little visibility into these non-traditional systems connected to the corporate network. These systems are often ignored or never inventoried, so the risk is not well understood. They may be widespread on the corporate network, with no proper controls or segmentation to prevent them from being compromised or from being used in attacks against other corporate systems. Further, these systems may require connectivity to both internal and external resources, which makes it difficult to monitor and restrict their traffic, and their replacement lifecycle may be much longer than that of traditional computer systems.
The first step an organization should take is to enumerate all endpoints and IoT devices that are connected to the corporate network. Knowledge of networked devices and their security posture allows security controls to be applied in a prioritized way, as part of a coordinated, risk-based mitigation strategy. Because IoT devices may be widespread on the corporate network, there may be no quick and simple solution to securing them, but enterprise security standards should be developed, and employee security awareness training should raise awareness of the threat posed by IoT devices and of the importance of adhering to security standards and processes.
In some cases, it may be possible to change default passwords and harden IoT and other non-compliant systems to reduce the risk of compromise. The best practice, offered by many CISOs, is to use network segmentation to manage the risk posed by systems that cannot be hardened, patched or managed. As time passes and more of these devices are connected to the corporate network and integrated into business processes, it becomes more difficult to simply isolate or disconnect them if they are adding business value. In the corporate environment, ignoring the problem is no longer an option. Dedicated resources are required to assess and develop a business-aligned strategy for mitigating the risk of IoT and other non-compliant systems.
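A minimal version of the enumerate-then-triage process described above, added here as an example (it is not code from the article or from the CIS document): it reconciles constructed dnsmasq-style DHCP leases against a constructed list of MACs known to the endpoint-management tool, then maps each unmanaged device to the mitigation the text recommends (assess unknowns first, change default credentials where possible, segment what cannot be patched). The lease layout, field names and triage rules are this example's assumptions.

```python
"""Reconcile DHCP leases against the managed-asset list, then assign each
unmanaged endpoint (IoT, OT, appliance) a mitigation. All data is constructed;
lease layout, field names and triage rules are this example's assumptions."""
import re

# Constructed dnsmasq-style leases: expiry, MAC, IP, hostname, client-id.
DHCP_LEASES = """\
1700000000 00:11:22:33:44:55 10.10.1.20 WS-FIN-042 *
1700000000 A4:5E:60:AA:BB:CC 10.10.1.77 * *
1700000000 b8:27:eb:12:34:56 10.10.2.15 badge-reader-3 *
1700000000 00:11:22:33:44:66 10.10.1.21 WS-OPS-007 *
1700000000 f0:9f:c2:01:02:03 10.10.2.40 hvac-ctrl *
1700000000 70:b3:d5:11:22:33 10.10.2.41 cam-lobby-2 *
"""
# Constructed: MACs the endpoint-management tool reports as compliant.
MANAGED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
# Constructed assessment per unmanaged MAC: patchable? still on vendor default creds?
ASSESSMENT = {
    "b8:27:eb:12:34:56": {"patchable": True, "default_creds": True},
    "f0:9f:c2:01:02:03": {"patchable": False, "default_creds": False},
    "70:b3:d5:11:22:33": {"patchable": False, "default_creds": True},
}
LEASE_RE = re.compile(r"^\d+\s+([0-9A-Fa-f:]{17})\s+(\S+)\s+(\S+)")

def parse_leases(text):
    """Yield (mac, ip, hostname) per lease line; MACs normalised to lower case."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)

def recommend(mac, managed_macs, assessment):
    """Unknown devices are assessed first; default credentials are changed
    where possible; anything unpatchable is segmented off the flat network."""
    if mac in managed_macs:
        return "managed"
    facts = assessment.get(mac)
    if facts is None:
        return "investigate"  # never inventoried: risk unknown, assess before acting
    actions = []
    if facts["default_creds"]:
        actions.append("change-default-credentials")
    if not facts["patchable"]:
        actions.append("segment")
    return ",".join(actions) or "harden"

def triage(leases=DHCP_LEASES, managed=MANAGED_MACS, assessment=ASSESSMENT):
    """Return {mac: action} for every leased endpoint, unmanaged ones included."""
    return {mac: recommend(mac, managed, assessment) for mac, _ip, _host in parse_leases(leases)}
```

In practice the lease file, managed-asset export and assessment notes come from the DHCP server, the endpoint-management tool and the security team's own survey respectively; the `investigate` bucket is the inventory gap the article warns about.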
As a starting point, reference the Center for Internet Security (https://www.cisecurity.org) “Internet of Things Security Companion to the CIS Critical Security Controls” (direct link: https://is.gd/WSELop).