Lately, when Internet of Things (IoT) security shows up in the news, warnings about overly connected Christmas toys or the hacking of an unfortunate consumer’s Nest home system make the headlines. These stories focus on the consumer level.
However, the IoT can be just as prevalent, and much more difficult to secure, in a corporate environment.
Consumer Devices & Legacy Equipment
As we noted last August, consumer devices are often brought into a company and plugged into the network infrastructure by employees who fail to notify their IT departments.
Connected TVs, BYOD, and Alexa devices all provide potential side-doors to attack organizational networks. However, just as often, IT teams may be asked to secure legacy equipment with serious security flaws.
In 2013, the Department of Homeland Security issued ICS Alert 13-164-01, regarding hard-coded passwords in ventilators, drug infusion pumps, surgical devices, and various other types of equipment.
How many hospitals and clinics still use these devices, and will ask their IT teams to protect them in 2020?
IoT: Government and Private Sector Breaches
In 2018, over a half-million routers were hacked, supposedly by Russia, in preparation for a botnet attack on Ukraine. Just a few weeks ago, we covered the Iranian hacker password spraying attacks on US infrastructure-related companies.
While these specific attacks may be sponsored by nation-states, private attackers will be sure to pursue those same vulnerabilities as they are publicly revealed.
A similar understanding by California regulators led to the passage of an IoT security bill that took effect on Jan. 1, 2020.
Unfortunately, HelpNetSecurity believes that the regulation “contains poor definitions, requires confusing and incomplete security baselines, and lacks any concrete penalties.”
While this will allow most vendors and organizations to ignore the new regulations, you can be sure that other government entities will pass their own regulations in the near future.
Sadly, the main issue is that you cannot rely upon manufacturers to provide a strong solution. Researchers at Keyfactor recently discovered that 1 out of every 172 active encryption certificates was built with insufficient randomness.
This means it is not difficult for the encryption to be broken. With hundreds of millions of devices in use, the number of potentially vulnerable devices is enormous.
Which Devices Need to be Monitored?
Even determining which devices to monitor can be difficult.
When you sit in an office, it’s easy to see printers, routers, security cameras, and other common devices that require your IT team’s attention. Yet many manufacturers add assembly-line machines, SCADA systems, and many other industrial control systems that aren’t as readily apparent.
To further complicate the situation, some engineers have begun to celebrate the advantages of 5G-connected industrial equipment, which provides high-speed wireless communication throughout plants.
Martin Bally, CISO for American Axle and Manufacturing, noted that some manufacturing vendors are offering to bypass the corporate environment to monitor these 5G-enabled SCADA/ITS devices directly.
While the direct monitoring might make a plant manager’s life easier, the vendor has just punched a hole into the organization’s network.
Will the plant manager inform his IT department about this new vulnerability, or will the manager assume that the vendor will cover any security issues?
Honeypots and Other Security Techniques
In such a complex environment, it can be difficult to stay ahead of every issue. Fortunately, some creative vendors use innovative techniques that suggest some additional steps for organizations to try.
Panasonic created two specially built honeypot sites that expose their IoT devices to the internet. The company uses the data from the huge numbers of attackers to categorize each type of attack, then builds more robust device defenses.
Recently, SecureWorld detailed some of the interesting results from the attacks on Panasonic’s cameras, refrigerators, and TVs. Since the deployment of the honeypot two years ago, Panasonic has collected data on 179 million attack cases and 25,000 different pieces of malware!
Of those, 4,800 were specifically designed to attack IoT devices.
Of course, not every organization can afford to create a honeypot and monitor hundreds of millions of infrastructure attacks. Still, there are several security advantages suggested by Panasonic’s honeypot sites, including misdirection and prioritization.
Most businesses, educational institutions, and government entities have already identified their most critical assets, and microsegmented them, or even segregated them from the computers that can access the internet.
With that type of set-up, a honeypot can be set up on the network segment most accessible to the internet. That way, attackers will spend their time pursuing the honeypot instead of segregated resources buried deep inside the network.
This misdirection buys time for your team to detect attackers, and it provides an opportunity to set off red flags as attackers explore the honeypot.
Additionally, when building out your network, there are thousands of different types of attacks to consider.
The Right Network Support
Where do you put your resources and priorities?
Examining the way attackers explore a honeypot provides valuable information regarding your most glaring vulnerabilities and the most frequently pursued attack vectors.
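A minimal sketch of the misdirection and prioritization ideas above, added here as an illustration and not taken from Panasonic or any product: it parses honeypot events, ranks the most frequently pursued services, and flags sources that explore several services. The log format, field names, sample lines and the `min_services` threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a hypothetical honeypot log format (not a real product's).
SAMPLE_LOG = """\
2020-01-14T03:12:07Z src=203.0.113.5 service=telnet dport=23 event=login_attempt
2020-01-14T03:12:09Z src=203.0.113.5 service=telnet dport=23 event=login_attempt
2020-01-14T03:12:40Z src=203.0.113.5 service=http dport=80 event=request
2020-01-14T03:13:02Z src=203.0.113.5 service=rtsp dport=554 event=connect
2020-01-14T04:01:55Z src=198.51.100.23 service=telnet dport=23 event=login_attempt
2020-01-14T04:20:11Z src=198.51.100.77 service=http dport=80 event=request
malformed line that the parser must skip
2020-01-14T05:45:30Z src=198.51.100.23 service=telnet dport=23 event=login_attempt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) service=(?P<service>\S+) "
    r"dport=(?P<dport>\d+) event=(?P<event>\S+)$"
)

def parse_events(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "dport": int(m["dport"])})
    return events

def rank_vectors(events):
    """Prioritization: count hits per (service, port), most pursued first."""
    return Counter((e["service"], e["dport"]) for e in events).most_common()

def red_flags(events, min_services=2):
    """Red flags: sources that explored several honeypot services."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["service"])
    return {src: sorted(svcs) for src, svcs in seen.items() if len(svcs) >= min_services}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for (service, port), hits in rank_vectors(events):
        print(f"{service}/{port}: {hits} hits")
    for src, svcs in red_flags(events).items():
        print(f"ALERT {src} explored {', '.join(svcs)}")
```

Because nothing legitimate should talk to the honeypot, the ranking reflects attacker interest only; the top entries indicate which exposed services on real devices deserve hardening first.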
We have the resources and expertise to supplement your in-house resources.
We can help your organization to detect, isolate, and protect your IoT devices, from your multi-function WiFi-capable printer to your legacy assembly-line machine controlled by Windows XP-based software.
We maximize your return on IT by providing solutions unique to your company.