The rise of the Internet of Things (IoT) presents new security challenges and risks. Ahead of his appearance at PrivSec Global, Arun DeSouza answers questions on how to ensure your IoT strategies are up to date and effective.
1. How / why did you become interested in IoT security?
I read the crime novel “The Steel Kiss” by Jeffery Deaver a few years ago. The bad actor here hacks a variety of devices like elevators, microwaves, cars etc. via the Internet with severe ramifications. This book was an eye opener for me as it brought home the danger of unsecured IoT devices.
At present, in the manufacturing industry, we have entered the era of Industry 4.0. Companies are leveraging IoT devices at scale to increase manufacturing efficiency, reduce cycle time and enact cost savings.
The Internet of Things (IoT) can be a game changer. However, the explosive growth of the IoT brings a variety of risks as IoT devices manifest many flaws.
Global privacy regulations such as the General Data Protection Regulation (GDPR) necessitate that enterprises develop a holistic, coordinated IoT security strategy.
The GDPR comes with potential fines up to 4% of revenue for data breaches or privacy violations. In addition to bottom line impact, company brand and reputation are also at stake if the security and privacy risk nexus of the IoT is not managed.
2. Have there been any significant attacks against IoT technologies or is it currently just a potential threat?
There have been multiple cyber-attacks against IoT devices with resultant compromises across both the enterprise and personal IoT arenas.
A few examples are as follows:
- An internet connected fish tank was hacked and valuable data was exfiltrated
- An Amazon Echo reportedly eavesdropped on one family’s conversation and “accidentally” sent the private conversation to the device’s contact list
- The Mirai Botnet or Dyn Attack was enacted via a vast botnet of IoT devices infected by malware. The ultimate result was a massive Denial of Service attack on internet connectivity with significant downtime for a great many geographically distributed users
- Hackers also hacked a Jeep and took control of the steering in one instance and brought a moving Jeep on a highway to a dead stop in another. This was enacted by exploiting a “zero day” vulnerability and/or unpatched software
In addition, there have been various other IoT security incidents involving cardiac devices, baby heart monitors and computer webcams. The ramifications range from data loss and downtime up to bodily harm.
3. What IoT devices are considered most susceptible to risks?
A wide variety of smart IoT devices including but not limited to the following are susceptible to risks:
- Security & Web Cameras
- Power Plugs
- Coffee Machines
- Fish Tanks
- Wi-Fi Printers
- Fax Machines
- Medical Devices
4. Why would a hacker or an organized group want to target IoT devices; how would an attack like this fit into cybercriminals’ business plans?
Cyber criminals can exploit IoT devices for a variety of purposes such as:
- Ransomware: Distribute ransomware to extract payments
- Data / Intellectual Property Theft: Exfiltrate confidential data or proprietary designs for financial gain
- Denial of Service: Activate a DoS attack to cripple services (nuisance, political statement etc.)
- Ecosystem Compromise: Attack an extended supply chain to further own ends
5. How straightforward is it to hack an IoT device, what is required?
This depends on each device and the state of the security. The complexity can vary.
E.g., a $60 device was used to hack cars.
It is not to say that all devices can be hacked easily all the time.
6. To what extent are the security issues related to the IoT devices themselves, or the mobile apps that control the devices?
Security issues could be linked to the devices, the mobile apps controlling them, as well as the networks such as Wi-Fi used to connect the devices.
7. Are there repeated vulnerabilities being found within IoT devices and if so, what are they?
Vulnerabilities manifest in IoT devices include but are not limited to:
- Absence of or weak software update mechanisms
- Lack of or inadequate device and data encryption
- Potential for credentials to be stored on devices
- Poorly designed Application Programming Interface (API) security
8. Why is it crucial to secure supply chains and partners?
Supply chain security is mission critical. There have been a number of major supply chain-initiated attacks, such as with Target and Marriott. Recently, the SolarWinds attack targeted the customers of compromised organizations. The risks of a data breach from a supply chain attack include but are not limited to:
- Operational downtime
- Impaired fulfilment
- Loss of trust / reputation
- Penalties or fines
- Bottom line cost impact
- Intellectual property loss
9. What can users do to protect their IoT devices?
Users can protect their IoT devices by using some or all of the following steps as feasible:
- Avoid using default settings on devices
- Check and modify device security and privacy settings
- Deploy unique and different passwords for each device
- Implement Virtual Private Network (VPN) on devices (e.g., phones)
- Leverage strong encryption for Wi-Fi access (e.g., WPA-2)
- Segment home networks between family and visitors
- Subscribe to and deploy updates for device firmware in a timely manner
- Utilize two-factor authentication such as biometrics (e.g., phones)
10. What should IoT vendors do to prevent data being compromised?
IoT security vendors must commit to taking the appropriate steps to protect their devices including but not limited to:
- Provide strong delivery mechanisms to update the operating system and patch vulnerabilities
- Leverage encryption at the device level and for data/communications in transit
- Leverage cloud based federated device authentication – eliminate use of static local credentials
- Design and implement secure API channels between the devices and the cloud
- Promote device identity lifecycle management
11. Why does this seem to not be taken as seriously as other cyberattacks?
This is due to a lack of awareness and the dichotomy between enterprise and personal IoT. Further, at the enterprise level, in many cases IoT devices are deployed by the Operational Technology (OT) engineers. There is very often a lack of alignment between OT & IT. At a personal level, it is very easy to buy IoT devices. Yet the average consumer is now aware of the security and privacy risk nexus of the IoT due to incidents such as the Amazon Echo above or smart TVs “spying” on private activities.
12. What are the next steps in growing IoT security?
The following are some of the steps which can be taken to evolve IoT Security.
- Working Groups: Working groups such as those by the Cloud Security Alliance (CSA) are needed
- Standards & Frameworks: Development, agreement and adoption is essential. The CSA IoT Security Controls Framework is one such framework
- Alliances: Vendors should work together to adopt standards and frameworks leveraging “The Power of Federation”
- IoT Functional Networks: Networks of like function IoT devices which connect via bridgehead gateways for delegated security are on the horizon
- Laws & Regulations: The USA’s recently enacted IoT Cybersecurity Law is currently applicable to government organizations only. However, this is also a driving force for the National Institute of Standards to build out IoT Security standards and guidelines. Ultimately, this will help influence enterprises to adopt these best practices.
13. Do you have any strategic principles for building an IoT security program?
Leverage a layered security architecture for enacting proactive control strategies for IoT devices. Key dimensions needed to enact this strategy across the OT & IoT arena are:
- Device Visibility
- Policy Definition
- Behavior & Risk Analysis
- Policy & Standards Enforcement
The following “Magnificent 7” IoT Security Guiding Principles may be used as a framework to develop an IoT strategy.
A. Characterize: Identify and classify assets and stratify them by business value and risk
B. Demarcate: Implement network zones with a clear demarcation between IT and OT networks
C. Understand: Visualize and identify threats and vulnerabilities across networks inclusive of devices, traffic, etc.
D. Unify: Control access by users and devices across both secure wireless and wired access
E. Adapt: Leverage Zero Trust principles to enact adaptive control schemes in real time
F. Converge: Develop explicit third-party access and risk management protocols including Privileged Remote Access, which are particularly relevant to OT networks to strengthen the security architecture
G. Beware: The following root causes have led to IoT device security issues in the past. Keep a proactive eye out (Static credentials, Unpatched and unencrypted devices, API security gaps)
14. What are some IoT security best practices you would recommend?
- Ensure IoT devices are patched and updated
- Enact secure device authentication and registration
- Leverage cloud based federated identity
- Encrypt device communications and data
- Verify the security of API channels in use
- Enlist and participate in industry working groups
- Build strong partnerships across the enterprise ecosystem and especially between IT & OT
- Communicate and evangelize IoT strategy and security policies
- Utilize training & awareness including gamification techniques to enable end users to be the “first line of defense”
Arun DeSouza is Chief Information Security & Privacy Officer at Nexteer Automotive
Arun DeSouza will be on a panel discussing ‘The Internet of Insecure Things’ at 1.15pm on March 24 at PrivSec Global,