Let’s get serious about IoT security
- 12 October, 2016 01:42
No one doubts anymore that internet of things (IoT) devices pose a huge security threat, as a recent massive IoT-fueled DDoS attack made clear. But what many enterprises have yet to wake up to is that major structural changes are needed, involving IT and C-level executives above IT. IoT is a new and different kind of threat that can’t be effectively battled in an old-fashioned way.
From an enterprise’s perspective, there are three sides to the IoT threat: 1) being attacked by an IoT army from around the world; 2) allowing enterprise-owned IoT devices to participate in such an attack against others; and 3) allowing your IoT devices to attack your own company. Making structural changes to your business will do nothing to help you defend against the first scenario, but it could make a profound difference in blocking attack scenarios two and three.
The structural IoT problem is that many of these devices are being purchased and approved far away from IT or the CISO’s team. Consider door locks and light bulbs purchased by Facilities, or beacons purchased by Operations or Marketing. Cases have been reported where penetration testing of a network — which is how a cyberthief might start testing for weaknesses prior to an attack — unintentionally released the IoT locks of doors at headquarters. IoT light bulbs have also been made to flicker in a way that broadcast messages to someone watching a window.
As IoT touches devices that have historically never needed IT approvals, this problem needs a fix. Mission one: Train all employees in all departments what constitutes an IoT device, since manufacturers will use very different marketing terms. Mission two: Require that IT or the CISO’s office approve all of them, without exception.
One huge problem with IoT devices is that some house internal communications capabilities, such as a tiny antenna, ostensibly so that the devices can call home to get, for example, firmware updates. Although self-updating devices might seem great to a facilities manager, they open the door to two-way communications that can bypass all network security monitoring controls.
Yes, other monitors can track all independent wireless signals detected anywhere on a corporate campus, but with most campuses flooded with smartphones, tablets, wearables and wireless laptops, that may not always be a practical defense.
There’s another issue involving oversight. Moving from regular devices to IoT devices often means a much higher price tag. And while that will almost certainly mean additional oversight (a.k.a. micromanaging), it’s oversight from the perspective of cost, not security. A company’s division general manager — or assistant treasurer or some other business manager — won’t be thinking security when dealing with seemingly innocuous items, and that is one of the first things that has to change.
“From a purchasing standpoint, that maintenance guy who usually buys the 55 cent light bulbs is now buying $40 light bulbs,” said Thomas Pore, director of IT/services for Plixer, a security vendor that specializes in incident response. “But, clearly, security is not in the thought process.”
Pore stressed that there are clues that executives can be trained to recognize. If the device has its own antenna, for example, “4G is going to be labeled all over the box.”
But what if the device is using satellite communications. “OK, satellite-based? No visibility, none,” Pore said.
Similar to the way that companies were forced to change their security thinking when printers and scanners started getting their own IP addresses, they need to change purchasing and oversight procedures to cope with the IoT. This is nothing that CIOs or CISOs can do on their own — and many executives would probably view any such move suspiciously, as a power grab. This kind of change has to come from the CEO — or, at the very least, the CFO, who does ultimately control the approval on all purchases.
Changing approval processes and adding a lot more (costly) training is never a fun recommendation to make. But unless you want to be done in by your own light bulbs and door locks, you’re going to have to do it.