Remember when, three years ago, several Mirai botnets hit DNS provider Dyn and caused part of the Internet to be unreachable for most users in North America and Europe? For a moment there it really seemed that IoT security would become an indisputable necessity.
Unfortunately, that did not happen, and security professionals and consumers are left trying to minimize the dangers of insecure IoT and industrial IoT devices as best they can.
The problem with IoT devices
IoT devices are often connected directly to the Internet and they are rarely hardened against unwanted access and compromise. They often use obsolete protocols like Telnet. Many legacy IoT devices that are still being utilized either cannot be updated or the vendor no longer supports the device, while new vulnerabilities are discovered every day. Finally, detecting that their IoT device has been compromised is difficult for most consumers and, occasionally, enterprises.
It’s no wonder, then, that botnet masters now prefer to target IoT platforms instead of Windows machines.
“Pentesters who specialize in IoT have told me that they’ve, so far, never tested a device that they were were unable to penetrate and take over,” Bob Carver, Principal Cybersecurity Threat Intelligence and Analytics, Verizon, told Help Net Security.
However, some are harder to hack than others.
For consumers, the general advice is to stick to known brands that have a reputation of supplying their products with operational and security updates, and to implement these updates as soon as they are provided.
Enterprises, though, should do much more than that: test before deployment, continuously pentest and remediate discovered vulnerabilities, verify patches, configure and harden devices against attacks, and more.
“If involved with industrial IoT, organizations should consider joining a consortium of vendors where credentialing of systems are required to take place. Or they might consider partnering with a vendor that has been developing a secure IoT ecosystem, credentialing all parts of the IoT ecosystem for reliability and security,” Carver noted.
The enterprise and IoT security
Privacy and how to protect that privacy will be an issue that affects both individuals and organizations/businesses. The former will want their personal and other data safe when traversing networks, the latter will want to keep their proprietary corporate data secure every step of the way.
“With the massive proliferation of IoT devices, we’ll have to start treating all IoT as part of an ecosystem, with security and reliability issues to be addressed for it all and not just for each individual device,” Carver opined.
“IoT devices are not only connected together, but may be connected to the cloud, databases, edge networks and other devices. Not only do they need to be secured individually, but every network connection, cloud, data and edge network must be secure and reliable.”
Security updates must be provided over the air or the network – there should be no shipping of devices to manufacturers for updates. Verifying the authenticity and security of these updates is also a must. “Systems should be designed securely preventing cybercriminals from breaching and updating systems with malicious code,” he noted.
The data that travels through the IoT ecosystem must also be secured. No clear text – it should be encrypted or sent via virtual tunnels so that MitM attackers can’t view it and get their hands on it.
Organizations must also start thinking about security, privacy and reliability in real-time and find ways to implement and perform real-time protections/corrections.
All this and more is especially important for organizations providing and securing critical infrastructure.
“Those involved in protecting critical infrastructure who had the foresight to start cyber resiliency program years ago may do well fending off future attacks. Those that only recently started such a program may not fare so well,” he added.
Legislation and regulation
Another thing that we’ll need in the long term is IoT cyber security legislation and regulation.
“There needs to be a law to determine who is going to be responsible for the security of IoT and who will be required to take appropriate action when things go wrong. At present no one is taking responsibility. There needs to be a delineation of responsibility between the owner of the IoT device, its manufacturer, the ISP and the government,” Carver opined.
In October 2018, California Governor Jerry Brown signed into law a bill that requires manufacturers of internet-connected devices sold in the state to “equip the device with a reasonable security feature or features.” The UK and Japan have also made commitments to address IoT cybersecurity and develop guidelines and regulations for manufacturers and industry stakeholders.
It is encouraging, he says, that the U.S. Congress has been making attempts to place IoT cybersecurity bills into law.
“Some security professionals have attempted to put in place a cybersecurity ‘Underwriters Laboratory’ seal of approval for devices, but there hasn’t been any political will to implement this. It’s also difficult to put it into a written policy of what is considered ‘good enough’ for that seal of approval,” he noted.
“One good suggestion regarding commercial IoT devices would be for buyers to require, in their purchase contract, security updates from the manufacturer for a specified length of time (e.g., 5 years). If vulnerabilities are discovered after that time period has passed, the device should either put out of service (end-of-life) or the vendor can be paid for providing additional vulnerability patches.”