Smart TVs in conference rooms. Brainy heating and air-conditioning systems. Internet-connected light bulbs. Intelligent devices controlling manufacturing processes. Smart watches and fitness devices everywhere.
These are just a few of the things you’ll find in the enterprise Internet of Things (IoT) landscape, a landscape in which almost every physical object, it seems, has plenty of smarts and connects to networks -- and leaves enterprises vulnerable to hacks and data breaches.
The issue of IoT and security had its moment in the sun in July, when two hackers remotely took control of a Jeep Cherokee that was driving at 70 miles an hour on the highway. They wirelessly turned the wipers on and off, turned the air conditioning to full blast, switched the radio to a different station, and then disabled the transmission so the Jeep slowed to a crawl on an interstate highway.
The hack was done to publicize the IoT dangers faced by cars, and it had its effect -- 1.4 million vehicles were eventually recalled and had their systems patched.
Unfortunately, the issues around IoT security and the enterprise can’t be as easily resolved as recalling autos and patching their computing systems. The big questions for enterprises are: How (in)secure is the enterprise because of the IoT devices spread throughout businesses? How easily can they be used to hack into company networks? And what can enterprises do to protect themselves?
In this article, we’ll look at the dangers, identify the most significant ones and offer advice to IT on how to protect against them.
Is there really an IoT security problem?
Let’s start off with the basic question: What kind of IoT-related dangers do enterprises face?
Andrew Hay, Senior Director of Security Research for OpenDNS Security Labs, says, “The biggest problem we’re seeing are consumer-focused devices like webcams and smart TVs that when they were manufactured were tested for security, but only when running in a non-critical environment. They weren’t tested for enterprise-level security. It’s alarming because in enterprises these devices are getting access to corporate networks. They're able to beacon out to the Internet and the enterprises just are treating them like toys. They're not looking at them with the same security as BYOD mobile devices. They're considered toys and gadgets.”
Chris Rouland, Founder and CEO of the security company Bastille, adds that often, enterprises don’t even keep track of all the wireless devices in their offices and facilities.
“I'm certain that every enterprise has wireless emitters in their environment they're not aware of and that are completely insecure,” he says. “The problem is that we haven’t had that watershed moment for IoT devices like the Melissa virus in 1999.” In that year, Melissa became so widespread -- including on Microsoft and Intel networks -- that it raised people’s consciousness about the importance of protecting enterprise computers and networks against viruses.
The two types of IoT dangers
In general, enterprises face two primary IoT threats -- from IoT devices specifically manufactured to work in businesses, and those manufactured mainly for consumers. You might expect that the dangers posed by consumer devices are greater than those posed by devices built specifically for enterprises. But a number of security experts say that isn’t the case.
Marc Blackmer, Product Marketing Manager for the Cisco Security Business Group, explains, “There's a lot of hype, I think, around something like a Nest (smart thermostat) or something like a smart TV,” being security risks in enterprises. But a larger problem is posed by the complexity of industrial-grade IoT devices and an incomplete understanding of their dangers, he believes. He says, “We're too busy worrying about what our fridge is doing. We may miss the fact that there are now more routable protocols within industrial networks. You've even got companies managing industrial equipment from smart phones.”
As an example, he points to an attack on an oil pipeline in Turkey in 2008. The pipeline was monitored by IP-connected surveillance cameras designed to protect facilities. Ironically, the attackers exploited the cameras’ vulnerabilities to break into the network controlling the pipeline. Once inside, they planted malware and remotely gained control of industrial controllers at pipeline valve stations. They then blew up the pipeline by changing the oil pressure. They also remotely shut off pipeline emergency systems so that pipeline owners weren’t immediately aware of the attack.
Another serious problem is posed by outside contractors who are connected to enterprise networks, but don’t have the same security systems and rules in place as does the enterprise. Their devices may not be secured and can be used to compromise a corporate network.
Billy Rios, director of threat intelligence at cloud security firm Qualys, told the New York Times, “Remote access to these (enterprise) systems is really common and integrators are almost always on the corporate network.” A study by Qualys found 55,000 heating, ventilation, and air conditioning (HVAC) systems connected to the Internet -- and in most cases, the company says, those systems contained basic security flaws that would allow attackers to get into enterprise networks.
John Pescatore, a security expert with a long career including stints at NSA and GTE who is now Director of Emerging Security Trends for the SANS Institute, says that enterprises are generally good at managing threats posed by computers, mobile devices, and PBXs -- things that are generally considered the traditional domain of IT departments. But they have problems when non-IT devices and systems connect to their networks.
“An enterprise moves into a new building, and the HVAC system or the elevators, or the video cameras are on the same network as they are, and those things are not necessarily protected. That's the starting point. You can't even hope to protect yourself if you can't even detect what’s on your own network.”
The threats of consumer IoT
All this doesn’t mean that consumer IoT devices don’t pose threats to enterprises. They do. Security experts warn that the flood of smart devices such as TVs, cameras, wearables, and more will cause serious security breaches in many corporations.
Perhaps the most comprehensive study of how widespread these dangers are was done by OpenDNS. Its “Internet of Things in the Enterprise 2015” report analyzed network traffic from approximately 50 million consumer and enterprise users in more than 160 countries, and its findings were disturbing. It found that “Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital ‘My Cloud’ storage devices, various connected medical devices, and Samsung Smart TVs continuously beacon out to servers in the US, Asia, and Europe -- even when not in use.” Smart TVs, it found, appear to be communicating “with legacy infrastructure that uses an untrusted security certificate, opening this avenue of communication to several well-known attacks.”
OpenDNS found other dangers, including that the IoT infrastructures to which the devices communicate are susceptible to attacks, including Heartbleed and FREAK. (For more details about the report, see the story “Two surveys show IoT dangers are prevalent in enterprises.”)
There’s also a little-known IoT danger that Paul Paget, CEO of the security firm Pwnie Express, warns about: Tiny, inexpensive programmable processors with built-in Wi-Fi that can be left behind in a corporation and “weaponized” in order to attack an enterprise network. One such device is the VoCore, which is, in the words of its manufacturer, “A coin-sized Linux computer with Wi-Fi” and sells for $20. A Pwnie Express report, titled “The Internet of Evil Things” warns that “With some knowledge of how to properly take advantage of its full capabilities, the VoCore can be used to compromise an entire network. Even an inexperienced user, however, could leave a sizeable security hole in a network’s defenses by simply plugging the device into an Ethernet jack.”
Advice for securing against IoT
Given all that, how can enterprises handle the IoT security threat? Here’s what the experts advise.
Find all IoT devices on your network -- and off it. It’s this simple: You can’t protect against things that you don’t know exist. Find all the devices connected to your network, including not just traditional IT devices, but also smart TVs, thermostats, employees’ wearables, and more. But that’s only a start. You’ll also need to look for Wi-Fi hot spots that don’t connect to your network, such as hot spots employees might have set up on their own, and devices like VoCore or others. You also should identify devices using cellular data.
If you don’t have the capabilities to do this yourself, there are a number of companies that provide these services. OpenDNS can track network activity and tie it to individual devices on networks. SysAid offers network-discovery tools for finding all devices on a network. Pwnie Express and Bastille look beyond the network, and find all wired and wireless devices in offices whether or not they are connected to the network. HP and Cisco each provide a wide variety of security services that start with discovering devices on a network, and then add security layers on top of that.
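The discovery step above can be approximated from resolver logs, using the report's observation that idle devices keep beaconing. This is an added example, not code from the article or from any vendor it names: it flags clients missing from an asset inventory and the names they query at a fixed interval. The log format, addresses, domain names and thresholds are constructed assumptions.

```python
"""Added example: flag un-inventoried clients and their periodic DNS beacons."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: IT's asset inventory, keyed by client IP (constructed value).
MANAGED = {"10.0.0.5"}

def build_sample_log():
    """Constructed resolver log, one 'epoch_seconds client_ip qname' per line."""
    lines = [f"{1000 + 60 * i} 10.0.0.77 telemetry.tv-vendor.example" for i in range(8)]
    lines += [f"{t} 10.0.0.5 wiki.corp.example" for t in (1003, 1019, 1250, 1262, 1400)]
    lines += [f"{t} 10.0.0.91 setup.hotspot.example" for t in (1100, 1130)]
    lines.append("garbled line from a truncated log write")
    return "\n".join(lines)

def parse(log):
    """Group query timestamps by (client, name); malformed lines are skipped."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            seen[(parts[1], parts[2])].append(int(parts[0]))
    return seen

def is_beacon(times, min_events=5, max_jitter=0.1):
    """True when queries recur at a near-constant interval (low relative spread)."""
    if len(times) < min_events:
        return False
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter

def audit(log, managed):
    """Map each client missing from the inventory to the names it beacons to."""
    findings = {}
    for (client, name), times in parse(log).items():
        if client in managed:
            continue
        beacons = findings.setdefault(client, [])
        if is_beacon(times):
            beacons.append(name)
    return findings

if __name__ == "__main__":
    for client, names in audit(build_sample_log(), MANAGED).items():
        print(client, "not in inventory; beacons to:", names or "none seen")
```

Keying the inventory by IP address only holds where addresses are static or reserved; with dynamic leases, join on the DHCP log's MAC address instead.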
Examine network authentication and access rights. What rules govern which devices are allowed to connect to your network and what rights they have once they’re connected? There’s a good chance that these rules and rights haven’t been changed to take into account IoT devices. Now is the chance to examine them, with an eye towards the IoT world. For example, should employee smart watches be allowed to connect to the network, and if so what kind of access rights do they get? How about thermostats? Light bulbs? HVAC equipment?
Lock down external connections to your network. What external services, networks, and contractors connect to your network? Do companies such as your HVAC contractor have access to it? How about connections from your facilities department or manufacturing plants? They might have IoT devices that can cause problems. Mark Hammond, Security Practice Manager for Cisco Security Solutions, says, “Part of a comprehensive security program is third-party risk and vendor-risk management. That's understanding all the vendors that are working with an organization, where data is flowing between those organizations, and putting into place security controls.” So conduct an audit and harden the connections by establishing rules about what contractors can access and how they can access it.
Establish security standards for all IoT devices. The SANS Institute’s John Pescatore advises, “Starting with the procurement cycle, you need to think about security,” for any device with connectivity. That doesn’t just mean IT devices. There are now smart refrigerators and smart light bulbs in addition to smart thermostats. So security standards need to be set for everything coming into an organization. Unless something meets those standards, it shouldn’t be allowed in. Pescatore notes that consortiums of device makers are working on setting security standards. A good resource for finding out about them is the OWASP Internet of Things Top Ten Project.
Rethink the role of IT in security. Experts say that one of the most important things that enterprises need to do in an IoT world is rethink the role of security throughout an organization. An enterprise typically is organized along functional lines, with the facilities department responsible for buying and maintaining things such as heating and air conditioning systems, the manufacturing arm handling all equipment for manufacturing, including control equipment, and IT in charge of computers, BYOD devices, and the network. In an IoT world, this can cause problems.
Sarah Lahav, CEO of SysAid Technologies, says, “Today, if you’re buying a computer or want to bring your own device into the company, you consult with IT. But if you’re in the facilities department and you want to buy a thermostat, you don’t call IT or the company’s chief security officer. In the age of IoT that has to change. There needs to be enterprise-wide security rules.”
Different enterprises will handle the change in different ways. Some may put many types of devices under IT’s aegis, while others may expand a Chief Security Officer role so they are involved in setting purchasing and security requirements for all devices in a business, not just in IT. But one way or another, Lahav says, the reorganization must take place.
Go back to the basics. Cisco’s Marc Blackmer says, “From my perspective, you can't forget about the basics. People worry, ‘What are we going to do about the refrigerator?’ But it all comes down to risk analysis and risk management. If you really break it down to what it is, it is device connectivity. We've been dealing with that for a long time. We can't lose sight of that…. The solution is to implement the security controls that need to mitigate the risk, and then repeat that cycle. Without that understanding, it's just a big, scary space where you're just shooting in the dark.”
This story, "IoT security threats and how to handle them" was originally published by ITworld.