There is no doubt that the world of the Internet of Things (IoT) is here to stay. Consumer grade products such as TVs, speakers, toys, wearables, appliances and much more continue to flood the retail space offering enticing features to consumers. Concepts such as Smart Homes and Smart Cities are continuing to gain popularity and adoption. Smart Home technologies include internet-connected thermostats, garage doors, and lights while Smart City devices include weather and traffic-monitoring devices and parking meters. At the same time, IoT is continuing to gain traction in business due to its inherent ability to provide rich supplies of data. We have seen this in healthcare, retail, manufacturing and other spaces allowing businesses to set themselves apart from their competition. We simply cannot argue the benefits that IoT brings to consumers, businesses, and society; however, we must also accept, avoid, and mitigate potential risks and vulnerabilities that these new technologies present.
In a world where everything is connected, the vulnerabilities and attack surface is potentially unlimited, providing an enticing space for bad actors to operate. The world of IoT Security is gaining increasing levels of visibility as seen by California's legislature recently passing SB-327, which is designed to require Internet of Things (IoT) and other "connected device" manufacturers to implement security features into internet connected devices. California Governor Jerry Brown signed the bill into law on September 28, 2018 (Cooley LLP,Kristopher Kleiner and David Navetta)*. A common vulnerability seen in many IoT devices, especially consumer grade devices, is the lack of hardened operating systems as well as the number of available security patches, increasing the vulnerability of the device. In addition, many IoT devices are often being configured with public IP addresses with little to no authentication in order to provide easy remote access and administration of devices. The issue that this presents is that tools such as Shodan https://www.shodan.io/, a web-based search engine used to search for devices on the internet using a variety of filters, are making devices simple to find. Shodan gives you the ability to search for a specific type of device such a SCADA device or IP camera, allowing you to filter your search based on geographic area and other criteria. The results return a list of devices labeled by their public IP address and a wealth of other additional information/metadata that can be used to potentially exploit devices. This makes it easy for bad actors to crawl Shodan until a device that matches a set of vulnerabilities is found and can be exploited.
IoT Security Strategy
The good news is, with proper security most IoT devices can be safely adopted by consumers, businesses, and society. Like any other technology a good IoT security posture starts with a strategy.
A good starting point when looking at your IoT security is to start at the device. When considering IoT devices it is imperative to look at the hardware and software as well as availability and frequency of patches. Many legacy devices have traditionally not had the capability of receiving security patches, increasing their vulnerability; however newer devices are being manufactured with this in mind. Keeping an inventory of IoT devices and life cycling them when they no longer meet your security requirements is imperative protection. In addition, basic but crucial is keeping your IoT devices password protected. It is truly astounding as to the number of IoT devices and systems on the internet that are not using any form of password protection.
Another key focus area for IoT security is the use of Network Segmentation. Segmentation is already used in a vast number of networks today as a method of separating and protecting different types of traffic from impacting the other. In the case of IoT, if the network is designed into secure segments then IoT devices can be isolated from traditional IT devices. In the event that the IoT devices are somehow breached, then only the devices in IoT segment of the network are impacted and the zone can be put into a quarantined state and remediation can be taken without impacting other production network devices.
Visibility is another important aspect of IoT security. When deploying IoT devices, especially into business settings, adding visibility through the use of application and network visibility tools allows for even greater device security. Vendors such as AppDynamics (Cisco), ForeScout, Fortinet, and others have developed solutions that customers can leverage to improve their IoT device visibility. Providing visibility on the types and quantity of traffic coming from your IoT devices and network can help in the quick detection of potential threats, such as botnets, that may compromise your IOT devices.
It is important to be mindful that while the device itself may not be critical to your business, the data behind it is often critical to ensuring the confidentiality, integrity and availability of your business assets.
Proper IoT Security can be achieved through three basic practices; device security, network security and segmentation, and visibility. These practices are engrained in ePlus’s approach to Reducing Your Attack Surface. ePlus leverages partnerships with leading technology providers and couples that with deep technical knowledge and experience to provide a comprehensive approach to improving network visibility, access control, and network segmentation, with the ultimate goal of reducing your attack surface.If you have any questions or are interested in learning more about IoT Security please reach out an ePlus Account Representative.