Security for IoT – Did you already patch your fridge and watch?
When talking IoT, most people (I mean the non-tech nerds), think about smartwatches, fridges, intelligent TVs, home control devices, kids’ toys that can interact with some intelligence… in general any internet-connected personal device for personal or home use.
But IoT (Internet of Things) in a larger interpretation is not limited to only personal devices with internet connectivity. These smart devices are also used in enterprise environments, like manufacturing, traffic control, waste control, heating systems, drinking water systems, radar systems, electricity generation, and distribution…
Then ‘simple’ IoT becomes IIOT, Industrial Internet of Things.
This also includes ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) systems. SCADA is the more global term for control systems architecture that is used to collect, forward, process, and visualize the measurement and control signals from various machines in large industrial systems, where ICS is rather the collection of control systems and instrumentation, bit more the technical part.
The common denominator is that both IoT and IIoT (ICS/SCADA) are booming business and these devices are more and more internet-connected these days. It’s so convenient to talk to your devices, have the latest updates, and have a remote control.
Hackers and cybercriminals know that too.
What’s the issue?
Criminals do know it already for a while. One of the most notorious events is the massive DDOS attack on the Internet DNS system, October 2016. DDoS is a Distributed Denial of Service, where a bunch of infected IoT systems was turned into ‘bots’, combined into a botnet. A botnet is a sort of army of zombies under the control of hackers. I don’t want to go too much in detail, but in October 2016, they have used to overload the internet DNS system, which is one of the core systems that handle the internet naming system (allowing you to use names, instead of these cryptic IP numbers to find a website or system).
And the use of IoT only has grown since then. But security has not really kept pace with the growth, on the contrary.
Huge commercial pressure for vendors
What’s the issue with IoT security? The use of IoT devices is very attractive and novel, it has a huge wow factor for people, having these smart and intelligent devices, talking to them, making your life easy.
But as this is a hot market, it’s essential to quickly conquer this market (be the first) at a very cheap price.
And ‘at first sight’ security costs money.
Note: why ‘at first sight’? Well, if your device gets destroyed, breached or hacked, the cost of data loss, commercial, and more important reputation damage, the cost of the damage is multiplied 2, 3 to 10 times the cost of initial security investment. But you’ll only know afterward if it happens. And that’s a risky calculation: hoping it never will happen.
Because in cybersecurity there is one golden rule: it’s not ‘if’ you get hacked, but ‘when’. Sooner or later you’re the next victim.
The IoT market never learned the lessons from the enterprise systems, taking security seriously.
And the current statistics of cyberattacks show that badly designed and badly secured IoT systems are easy targets for cybercriminals…
IoT devices not managed like enterprise devices
Another part of the story is the management of these devices by the owners. In many cases IoT devices have different and limited interfaces, they are shipped with a fixed software or device system, never meant to update. And if you want to apply security patches these interfaces are not easy to use, let alone updating these devices with the new versions, via hard cabling… not a fun job.
Just let me ask you a few questions to pinpoint the issue.
How frequently do you apply the lasted updates, security fixes and antivirus updates to?
· your laptops and PC’s
· your smartphone
· your smart TV, your smartwatch, your fridge,
Let me guess, the answers:
· Sure! “weekly, monthly” …?
· Oh … if forced by the manufacturer… once every (half) year?
· Ehh…. ehh… … Not?
Even for IIoT (the industrial version), updating these devices is not that simple. Many of these devices service critical enterprise components you can’t simply shut down or update whenever you want.
So, IoT and IIoT are two distinct sides of the balance… and regular IT infrastructure is in between.
Cybersecurity turning point
Hackers and cybercriminals know that too.
The good news is that also the legislation has picked up this discrepancy between the demand for security of regular IT infrastructure, and IoT.
The EU NIS directive has been launched to raise the security of the critical and public infrastructure. And also, the Cyber Act (which is the cybersecurity sister of the GDPR), is in place that establishes an EU-wide cybersecurity certification framework for digital products, services, and processes.
Note: you can find more about the CyberAct over here: https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act
Implementing IoT Security essentials – the Pareto principle
But, meanwhile, the cybercriminals are finding the loopholes in the systems.
Please keep in mind that this battle will never be over, due to the increasing adoption of (I)IoT the interest of cybercrime for this area only grows. If the interest grows, the budget and the persistence of cybercrime will only grow.
What can you do about it to keep you safe and secure?
Keep your systems up to date
Rule number one is always: keep your systems up to date. Patch your systems with the latest version, as soon as they are available.
Please be aware that also hackers and cyber criminals follow the news, if new patches or issues are announced, they will start abusing it on unpatched systems. Most of the hacks are executed against unpatched systems.
The good news is if you patch your systems, the likelihood you get hacked drops significantly.
Security by Default
Rule number 2: change the security defaults.
Change the system default security settings, change default passwords. And if possible change the default user names.
For most systems, it’s fairly easy to find the default settings, the default users, and the default passwords on the internet, as many manuals are published on the internet.
Rule of thumb: Consider your system already hacked.
How would you protect your system, your data, and other connected systems?
Make sure if your system is breached, that a hacker cannot move to other systems and grow his power using the information (s)he found. (In technical terms this is called a lateral movement, for your reference, if you wish to dive into the details…)
Defense in depth (layered security)
- The best protection against the “assume breach” situation is “Defense-in-depth”, or layered security.
- Instead of focusing the security on one single system (like the IoT device), you better make sure that every single component in the operational chain is (sufficiently) protected. If one of the layers is breached, the other layers have sufficient protection to limit the damage:
- Physical protection
- Functional segmentation (separate public and internal data)
- Network protection and network segmentation
- Data flow protection (only allow data flows really need
- System protection (including continuous patching, antivirus, antimalware…)
- Software security
Do the testing yourself
One of my mentors and teachers said: do the network testing and monitoring yourself, otherwise someone else will do it without your permission.
Know your system, plan some penetration testing on a regular basis: a few times a year, on system changes, and when implementing new systems.
If you don’t, a hacker will… and before you know it (s)he will break your system, leak data, … or worse.
Security by Design
In IoT this is the difficult part, make sure the system is designed and built using SSLDC principles (Secure Software Design Lifecycle). If you’re buying or acquiring systems from a vendor, ask for it… and in enterprise environments, you should really have the right to audit, to make sure that the system is being designed and deployed in the most secure way.
Some useful references
ENISA (EU Agency for cybersecurity) has some interesting reference you can use to secure your IoT, ICS, and SCADA systems:
Lots of security frameworks were initially not designed for IoT, but can apply the same principles. A good example and useful guideline is the CIS controls Top 20 published by the Center for Internet security. The Center for information security has an important collection of security advisory for IoT too. Check it out:
- CIS Controls: https://www.cisecurity.org/controls/cis-controls-list/
- CIS spotlight on IoT: https://www.cisecurity.org/?s=IoT
And if you want some help from the International Standards best practices: check for the ISO27030 or ISO27400 (still in development)
- Internet of Things – How Will Cybersecurity and Data Privacy Shape the Future of IoT? (https://insights.pecb.com/how-will-cybersecurity-data-privacy-shape-iot/)
Don’t be an ID-IoT, protect your IoT.
Director & Managing Consultant @ CyberMinute, Managing Consultant @ Quest for Security