For years, we’ve known that Internet of Things (IoT) devices can come under attack as quickly as within five minutes of being connected to the internet. These events predominantly include large-scale scanning techniques to exploit IoT devices that are vulnerable to basic attacks such as default credentials.
Historically, hackers have used these attacks to create a network of devices to perform a distributed denial-of-service (DDoS) attack; for example, Mirai Botnet. However, the more recent Verkada breach demonstrates the risks associated with devices that perform sensitive operations. While this might not directly present a security risk to companies utilizing IoT devices, the methods hackers used to exploit these devices should demonstrate the significant threat surface introduced by implementing IoT into any organization’s network.
Why it matters
The nature of the exploits being leveraged in recent ransomware attacks must be properly understood to ensure that the IoT devices the business is currently or planning to utilize in their infrastructure are secure. The OWASP Top 10 IoT list claims the number one issue with IoT devices is “weak, guessable, or hardcoded passwords,” demonstrating that not only are IoT devices becoming more prevalent in the industry but they are also being deployed with unacceptable network security measures.
As stated previously, the risk of IoT devices aiding in a DDoS attack on another business does not present an immediate risk to the IoT device consumer, but it could severely damage the reputation of any company that does not properly employ IoT cybersecurity controls to prevent a compromise of the devices on their network. Furthermore, the compromise of these devices can result in a variety of issues including, but not limited to, tampering with critical safety monitoring equipment; disruption to sensitive operations, such as manufacturing; or even a widespread attack on medical equipment on the shared network. In addition to the risks posed by compromised IoT devices, there continues to be regulatory guidance around securing devices and ensuring user privacy as evident in the recent U.S. Executive Order on Improving the Nation’s Cybersecurity.
What to do
Companies have a tremendous opportunity to incorporate IoT within their business to improve the efficiency of legacy processes, collect and operate on real-time data, and leverage the data collected to develop additional business process improvements, such as preventative maintenance. Considering all the benefits IoT has to offer, one can assume that IoT devices are not going away any time soon and will even start to become a market differentiator. So, what can be done to ensure IoT device vulnerabilities do not present a security threat to the network in which they are being deployed?
- Conduct periodic device inventories: Device inventories should not only contain the type and quantity of devices, but should also include the hardware/firmware revisions, sensitive data being collected/processed, and the extent to which the device has network access. Additionally, the device should be evaluated against a list of known vulnerabilities to enable quick action if a vulnerability is discovered with a particular device.
- Network segmentation: The information gained from the device inventory helps demonstrate the extent of each device’s enterprise network access and potential segmentation. This data will allow users to begin to isolate critical infrastructure to prevent impact if a simple device were to be compromised. For example, any IoT device being utilized to monitor and ensure the safe operation of machinery should be isolated from a basic connected device such as a thermostat. These seemingly innocuous devices can be catastrophic to critical infrastructure if an insecure device is compromised and a threat vector is introduced to the broader ecosystem.
- Request device security documentation: Prior to procuring IoT devices, as well as throughout the device lifecycle, companies should feel empowered to consult the device manufacturers on the security posture of the devices being deployed onto your enterprise network. An OEM will likely not be willing or able to provide a full penetration test report considering the sensitive nature of the material, but in most cases will be able to provide proof of a third-party review in addition to the network security controls they employ by default. If security testing information cannot be provided by the OEM and the terms and conditions allow, the purchasing body should conduct penetration testing on the device independently.
- Managed solutions: There is an emerging market for tools designed to streamline the procedures outlined above. Companies should evaluate the use of managed solutions to dynamically conduct device inventory and monitor the security of the devices in real-time.
IoT devices provide significant benefits to businesses that are looking to improve their operations by implementing connected devices. However, the current state of IoT security is sub-par, to say the least. Before introducing IoT devices into a network, companies should evaluate the devices’ security, data collection practices, and network exposure. Additionally, the monitoring of IoT devices on a network is an ongoing process that should be evaluated continuously to stay up to date with the latest IoT risks and mitigations.
Learn more about Protiviti IoT services.
Connect with the authors:
Managing Director – Emerging Technologies, Protiviti
Associate Director – Emerging Technologies, Protiviti
Senior Manager – Emerging Technologies, Protiviti