IoT and Security What CISOs Must Know

Ubiquitous in nature and expansive in scope, IoT is vulnerable on many levels

In the ever-expanding world of the Internet of Things (IoT), consumers are inundated with ubiquitous smart devices— from talking voice assistants and smart watches to televisions and networked thermostats. A breach in this environment is merely an inconvenience, or at most impacts a few individuals. However, as the landscape of IoT broadens across critical infrastructure, industrial and manufacturing facilities, water, gas and energy sectors, a cyber incursion here can spell disaster.

Gartner, Inc. forecasts that the enterprise and automotive Internet of Things (IoT) market will grow to 5.8 billion endpoints in 2020, a 21% increase from 2019. By the end of 2019, 4.8 billion endpoints were estimated to be in use, up 21.5% from 2018.

Utilities were the highest user of IoT endpoints, totaling 1.17 billion endpoints in 2019, and are expected to increase 17% in 2020 to reach 1.37 billion endpoints. “Electricity smart metering, both residential and commercial will boost the adoption of IoT among utilities,” says Peter Middleton, senior research director at Gartner. “Physical security, where building intruder detection and indoor surveillance use cases will drive volume, will be the second largest user of IoT endpoints in 2020.”

Building automation, driven by connected lighting devices, will be the segment with the largest growth rate in 2020 (42%), followed by automotive and healthcare, which are forecast to grow 31% and 29% in 2020, respectively.

Distributed IoT Devices are Ubiquitous and Easily Compromised

Distributed IoT devices are numerous and deployed in very large-scale systems— and often they are “set it and forget it” with respect to device-level management. Many of them are intelligent devices, and except for being purpose-built devices or appliances, could rightfully be called “servers,” because they contain processors, memory, storage and networking, along with web interfaces for human configuration and application programming interfaces (APIs) for streaming (serving) data out to one or more systems and applications. These IoT devices may also perform control functions using one or more specific control message protocols— making them more unmanageable compared to traditional IT devices which leverage standard communications protocols.

The most looming risk factor for IoT assets isn’t just the expansion of these devices across the vast array of operational technology environments, but the age of existing industrial control systems (ICS) that have been online for close to three decades and have been added to networks without proper vetting or security precautions. A recent SANS survey on ICS and SCADA systems revealed that 69% of organizations considered the threats to their Industrial Control Systems— which often run outdated, legacy software— to be high or severe/critical.

It is this dangerous combination of aging ICS and new and advanced IoT devices that are daisy-chained on a network of digital and mechanical devices that make IoT devices easy and attractive targets for manual and automated cyber-attacks. The myriad vulnerabilities of IoT include these major issues:

  • The attractive nature of IoT critical functionality to those with nefarious intent
  • The ability to “steal” processing power once the root or admin access to an intelligent device is obtained. Once compromised, this processing power can run malicious software (malware) and perform the bidding of the hacker, especially acting as a “robot” or “bot” at the direction of a hacker’s command and control server.
  • The power of scale factors that leverage the hackers’ efforts. Thousands, hundreds of thousands, and millions of IoT devices can be compromised and connected to a hacker’s command and control server.
  • Even a small network of enterprise IoT devices is usually connected to a larger network, and so compromising a single device can act as a doorway to other critical targets. One device “punching through” a firewall can provide access to the corporate network.
  • IoT devices run 24/7 all year round in networked infrastructure that is out of sight of the users of the IoT systems the devices belong to. Thus, their attack surfaces are always available and visible to attackers, but the attacks are usually not visible to system users.
  • IoT devices generally don’t have enough processing power to run security applications like servers and workstations do. This means they don’t detect, and thus can’t block— or even report— malware infections. Device infections can last for years without device owners becoming aware of them.

While these are major cybersecurity risks associated with IoT devices that reside on the network, there are many others including weak passwords, the use of third-party services, outdated firmware, weak authentication where users and technicians use workarounds such as shared passwords and reused passwords, and the lack of strong end-to-end encryption procedures.

These characteristics make IoT systems high-value cyber targets because they are easier to compromise than other types of systems, and many such compromises are likely to go undetected.  The fact that IoT devices are unattended (rarely have user interaction) means that many types of device compromises will go unnoticed. Especially when the malware is designed not to disrupt the device’s primary functionality.

Attack Challenges and Threats

According to Steve Durbin, who is Managing Director of the Information Security Forum (ISF), the growing need for business leaders to improve and sustain the security of ICS environments has been brought into sharp focus by recent research raising significant concerns about cyber risk that has been well-publicized. These cybersecurity incidents and increased media coverage of ICS security vulnerabilities clearly demonstrates the urgency that organizations should now attach to improving information security across both ICS environments and the IoT.

“With so many organizations heavily reliant on ICS to support business operations, the potential impact of getting information security wrong can be catastrophic. Costs can be extensive, corporate reputation severely damaged, and lives put at risk,” says Durbin.

An intelligent device’s attack surface consists of all the ways that an attacker can attempt to gain unauthorized access to the device for nefarious purposes, including to steal information, disable one or more device functions, secretly use a device’s computing power, and control a device for harmful purposes. An attack vector is the path by which a live hacker or malware can gain access to the device.

Password weaknesses and firmware vulnerabilities are the two most common attack vectors for IoT devices. Unencrypted or weakly encrypted input and output data are sources of data that human hackers can use to find other means of gaining device access and causing harm.

The nature of these attack surface vulnerabilities involves class breaks, where the compromise of a single device enables access to an entire group of devices. This also allows simultaneous access to a large set of devices all at once, usually because there is no warning or alert about the initial compromise, but also because there is not enough time after the first compromise for the rest of the devices to have their passwords changed manually. Because it’s IoT and the device and application are closely tied, often the device password must also be added to the applications connecting to the device.

Additionally, lack of device authentication allows rogue (i.e. unauthorized) devices to connect to a network and secretly read network traffic to capture logon credentials and other information. Rogue devices may also relay and possibly alter communications between two devices that are unable to detect that they are not directly communicating with each other, commonly called a man-in-the-middle (MITM) attack.

Protecting IoT Devices

Protecting an IoT device involves reducing the device’s attack surface by eliminating or hardening points of attack, especially for three areas of vulnerability where compromises can result in class breaks:

  • Logon credentials
  • Firmware vulnerabilities
  • Digital certificates used for device ID and data encryption

The ongoing application of good cyber security practices is commonly referred to as cyber hygiene. High device count IoT systems are now attractive cyber targets because they currently have poor to no cyber hygiene and are easy to secretly compromise at scale.

Fortunately, organizations looking to create sustainable cyber hygiene can now rely on automated methods that can also act as the “database of record” for compliance and corporate governance.

Ready to get started? Viakoo is here to help.

Share this