Smartphones, smartwatches, smart fridge, smart tv, but what about smart security? Organizations realize that IoT (internet of things) security is rapidly becoming the new frontier for their security ecosystem.
With swaths of employees bringing in their smart devices to work and a new office cafeteria boasting a host of new internet-connected microwaves and kettles, hackers are exposing the security flaws one device after another.
Few can deny the convenience that IoT devices have offered us in the past decade, but fewer still realize the damage they can cause if not designed with security in mind.
What is IoT Security
The internet of things, a term coined by Kevin Ashton in 1999, simply describes what we would consider any internet-connected device; the more technical definition is as follows:
“Sensors and actuators embedded in physical objects are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet” – IoT Analytics
IoT security, therefore, is the protection applied to or provided for IoT devices. This security could be the active protection of sensors and actuators or the network to which the device is connected.
At first, this may seem a little complicated, but the cybersecurity architecture does not vary significantly from standard or traditional means. One thing is certain; there is no one-size-fits-all approach to IoT security or cybersecurity for that matter.
To understand IoT security, one must understand IoT vulnerabilities; they are, after all, the weaknesses hackers will be attempting to exploit.
Like IoT security, vulnerabilities don’t fit a typical mold, and often every device will have a particular quirk that may need addressing. An example of this would be phones, everyone today is rocking a smartphone, but not all smartphones are created equal. A security patch that can be applied to the iPhone IOS will almost certainly be ineffective for an Android phone of the same caliber.
This is one small but a powerfully obvious example of the complexity IoT devices bring to the security environment. It only gets more complicated as you begin to discover the kinds of devices that have gone “smart.”
Having said that there are some vulnerability “areas” that can be bracketed and targeted when developing a management framework, and those are:
- Device to device: devices will often “talk” to each other, and this can be both a good and bad thing; it depends on what they are talking about. Knowing these communication channels means you can apply certain security techniques on the device’s end (discussed in a later section).
- Device to endpoints: this vulnerability area is when IoT devices will communicate with traditional network endpoints, like computer terminals and servers. Unwanted packages can be uploaded from the device to the endpoint and weak channels can be exploited for various means.
- Device to network perimeters: IoT devices can and will often take advantage of weak network perimeters. This could mean that the organization’s firewall is not configured correctly or is entirely nonexistent. Often these devices “out-of-the-box” are not configured with security in mind and will default to open ports, which are extremely easy to exploit.
- Device to the cloud: IoT devices rely heavily on cloud services. It is easier for IoT devices to communicate through the cloud. But cloud services, like many new technologies, are seldom designed with security in mind, making this a key area of vulnerability.
Once the organization can identify the vulnerabilities associated with the IoT devices attached to its network, it can begin to implement a security framework. Essentially, IoT security boils down to the active management of IoT devices on an organizational network. In a later section, we will explore some potential IoT security solutions and how they can be implemented in a vulnerability management framework.
Before looking into vulnerability management, there is a vital first step that every organization must take, and that is to identify the IoT network.
Identify the IoT Network
Most information systems are comprised of a multitude of devices and endpoints. In most cases, traditional cybersecurity methods are applied to the base level information system, which includes computer terminals, servers, data channels, and staff.
IoT devices are an extra layer of complexity that is added on to the overall information system. However, many of the same methods of security can be applied to this layer. Most security audits will begin with a simple inventory, and IoT security is no different. You can not know what to protect if you do not know what you have.
In the area of IoT, most of the inventory capacity, if not all, will be made up of physical devices. It is vital that the organization is meticulous with this inventory, as any device left unchecked could pose a serious threat down the line.
Some of the devices that are commonly found in office environments that are considered IoT devices are:
- Printers, copy machines, and fax.
- “Smart” devices
- Watches (employees may carry them)
- Kitchen utensils (kettles, fridges, microwaves, etc.), most likely only modern offices would be fitted with such devices.
- Keycard readers (maybe intranet or internet-connected)
- Surveillance technology like cameras.
- Building environmental conditioning units (air filtration etc.)
Bad actors can potentially exploit all of this and more, so the organization must know what they have and how it is used. Many organization won’t even know that an IoT device is even connected to their network
A simple hardware inventory would suffice, giving a picture of how many IoT devices are in operation.
There are many techniques that an organization can employ when conducting an inventory. We have outlined some that are pertinent to IoT devices below:
- Software assistance: there is software that can be used that will scan the organizational network and return a list of connected devices. Most routers will also come with an inbuilt dashboard that will showcase the connected devices. The only drawback is that devices that are not connected will not return a value, but they might still pose a security risk.
- Physical Check: the organization can always employ the traditional technique of clipboard in hand and write down all the devices that come in and out of the office, higher a specialist is recommended for a full physical check.
- Audits and auditors: many cybersecurity organizations will run both software and hardware inventories as part of the consultation or implementation package. The use of a specialist will surely boost the accuracy of an inventory and the information provided can be actioned upon.
Once the organization has a solid grasp on the IoT inventory, it can begin to explore possible IoT security solutions, which we examine now.
IoT Security Solutions
As mentioned in a prior section, it is essential to realize that IoT security does not have a one-size-fits-all approach, cybersecurity seldom does. However, this does not mean that there is no starting point and there are security use cases that can be applied to various IoT networks. In this section, we’ll discuss some security techniques and methods that your organization can employ today, given a proper IoT device inventory.
- End-to-end device encryption: if the organization has some autonomy over the devices that are used on the network, or if the organization itself issues them, it is paramount that end-to-end encryption is applied. End-to-end encryption means communication between IoT devices are secured at the device level. This method of encryption stops hackers from intercepting communications that are in transit. Many prominent messaging services like Watsapp, Viber, or Telegram utilize this type of technology for their messaging services.
- IoT testing framework: A testing framework should be implemented as part of the security policy. Any potential device should be tested against a security framework and should only be used if it passes specific security requirements.
- Banning vendors that don’t pass: any vendor that does not design devices with security in mind should not be allowed to access organizational networks.
- Greenlight list: Any vendors that pass the security requirements can be added to a greenlight list, where employees may use personal devices (with correct security configs) from the vendors, or office spaces are allowed to be fitted with devices from these vendors.
- IoT security analytics: employing a security analytics tool that is tailored to IoT security can help in detecting threats and vulnerabilities in the IoT environment.
- IoT authentication: similar to multi-factor authentication for passwords, IoT authentication, adds an extra layer of security in the information ecosystem. Authenticating IoT devices means that hackers can not create “clones” or valid devices or device bots that can attach to the organization’s networks.
These are a few of the potential security solutions that can be adapted to various scenarios and environments. The solution will be one that is right for your organization’s infrastructure, but one thing that should be done regardless is keeping updated on the IoT security landscape.
The wider cybersecurity community will often post updates on new vulnerabilities and solutions for IoT devices and your organization might be using these devices so information must be updated and communicated.
IoT Vulnerability Management Framework, Ongoing Security
Once all previous information discussed in this article is known, a vulnerability management framework can be implemented.
The framework is the active protection of the IoT environment. An inventory of the ecosystems is made, solutions are discussed, and vulnerability management begins.
The framework can consist of:
- Security policies outlining allowed and banned devices
- Security configurations for all allowed IoT devices
- Updates on vulnerabilities and patches of all connected devices
- Threat and vulnerability scanning for the IoT infrastructure
The above-named elements are some of the more general procedures that should be mapped in the vulnerability management framework. Each organization will have some elements specific to them, which is why it is recommended you hire the help of a specialist.
IoT Security Policy
It is fundamental that an IoT security policy is implemented if there is going to be any longevity to a vulnerability management framework. The policies are usually broken down into two overarching areas: people and things.
The people side of the policy should mainly dictate the kind of IoT that is allowed in the organization’s network. Most employees will be taking a smartphone to work, but at the same time, these devices are of least risk as they have already had well-developed security configurations (most big-name brands will at least). Most personal devices outside of company approved laptops and smartphones should not be allowed to connect to organizational networks, this should greatly reduce risk.
On the other side are the company devices. These devices should undergo an onboarding procedure. Only vendors that design their devices with security in mind should be considered.
How Can RSI Security Help
Threat and vulnerability management is an involved process that sits within an evolving threat landscape. With a growing IoT environment, threat vulnerability management is only going to become more complex.
We can appreciate the convenience that IoT devices bring to our organizations and lives, but we must remind ourselves that lax security design brings high risk to the business.
However, it is possible to have the best of both worlds. Don’t let the risk supersede the convenience. Contact us today, and couple the comfort that IoT networks bring with peace of mind for your security ecosystem.
Our threat and vulnerability management will ensure the best for your IoT security and more.