IoT Security: Trickier Than You Think

In the new digital economy, access to data is critical. Meeting the shifting demands of consumers, monitoring and managing critical network and system components in real time, and creating algorithms to extract meaningful information from the Big Data these devices can generate are all necessary to compete in the new digital marketplace. Part of this digital transformation is the adoption of IoT devices and networks, which continue to be deployed in networks at an unprecedented rate.

Of course, adding dozens, or hundreds, or even thousands of new devices to a network carries a lot of implications, not the least of which is security. The challenge is that IoT describes a wide range of devices and connectivity methods that many organizations may not be fully prepared to secure and control.

Here is a brief overview of IoT from a security perspective

IoT devices are inherently insecure

This past year we have seen a number of major cyberattacks targeting IoT devices, such as Mirai, which used compromised IoT devices to create a massive botnet that was used to take down a huge section of the internet. The reason for this is that many IoT devices were never designed with security in mind. Many run on firmware that can’t be patched. An alarming number have had backdoors hardcoded into them. And many are clientless or headless, meaning they can’t be updated.

What this means that any IoT security strategy has to take into account that the devices themselves may be vulnerable.

Which IoT – Consumer or Commercial?

IoT means a lot of things to a lot of people. Part of the problem is that it is a very broad term that encompasses a wide variety of technologies. IoT can be broadly broken down into two camps: consumer and commercial devices. Consumer IoT includes such things as TVs, DVRs, home security systems, appliances, lights, printers, and watches, while commercial IoT, on the other hand, includes devices such as monitors, sensors, inventory tags, RF-enabled IDs, valves, switches, and devices on the manufacturing floor. There are also hybrid segments being developed, such as IoMT (Internet of Medical Things), which includes things like patient monitors, infusion pumps, and assessment tools, and IoT solutions being developed for Smart Cities, such as street light controls, electrical meter reading, emergency services coordination, traffic management, and agricultural water monitoring.

Today’s networks often include a combination both commercial and consumer devices. Often these are divided into consumer and consumer-like tools deployed in the IT network, and industrial solutions and tools deployed in production environments and newly connected OT (Operations Technology) networks. While each comes with its own security implications, those connected to industrial control systems or critical infrastructure often require especially hardened and segmented security.

Connectivity challenges

Security challenges go far beyond the devices themselves. IoT devices connect to the network in a variety of ways, and each requires its own security strategy.

Wired, Wireless, and Cloud:

Mobile IoT devices use a variety of methods and protocols to connect to the network. Stationary IoT devices, such as HVAC, security systems, or things like printers are located inside the network perimeter, and are often hard-wired directly into a network port. While the majority of security is currently deployed at the network edges and access points, devices and aggregators connected directly into a switch port or network hub often have free access to the internal network. Network controls and pervasive security strategies need to be employed to ensure that devices connecting to the network behind the firewall are secured and monitored.

WiFi:

A number of IoT devices connect to the network using WiFi. This is the connection method most folks think of when they think of IoT. That’s likely because this is how the IoT devices we are most familiar with, such as TVs and gaming/entertainment systems, connect to our networks at home. Wireless access points require integrated security in order to inspect traffic, as well as high performance in order to accommodate the increasing number of devices simultaneously connecting to the network.

Bluetooth:

A lot of IoT devices, however, use other methods to connect to the network. Bluetooth-enabled devices, for example, connect through receivers plugged directly into the network. Securing these devices requires establishing and maintaining Bluetooth security protocols, security gateways such as firewalls deployed inside the network perimeter, and segmentation-based security to isolate IoT traffic from the rest of your network.

RF Devices:

Many other IoT devices, especially those deployed inside an OT network, are RF-enabled and connect over low-power wireless personal area networks. These devices tend to use either IEEE 802.15.4e or Zigbee as their primary connection protocol, and run across a wide variety of network standards, such as 6LoWPAN, ANT, DASH7, EnOcean, Insteon, ISA100.11a, MiWi, NeuRFon, WirelessHART, WiSUN, LoRaWAN, Sigfox and Z-Wave.

These devices can vary in their frequency of connection and the type of data they collect and transmit. Many of these devices can also be quite chatty, which can create additional challenges in terms security overhead for securing large numbers of connections, managing simultaneous connections, and inspecting potentially high volumes of what can often be superfluous traffic.

Ad Hoc and Peer-to-Peer Networks:

IoT devices don’t just connect to the network. Increasingly, they also connect to each other. Things like swarm technology and advances in AI can lead to devices creating their own ad hoc networks, allowing them to generate and deliver more robust data. It also means that an infection can spread quickly through an IoT network. Of course, since security can rarely be deployed directly onto these IoT devices, it is imperative that security be deployed at the network gateway to provide deep inspection to ensure that these devices haven’t been compromised or are being used to deliver a denial of service attack on your internal infrastructure.

Three Steps to Securing IoT

Most networks with an IoT strategy are using multiple methods for connecting these devices to the network. Securing these IoT devices and networks, regardless of the connection methods being used, requires three things:

1. Distributed Security

Despite claims to the contrary, the network perimeter is not dead. Instead, we now have a network of many edges, which means that traditional methods of security that employ an isolated security device at the network edge, or that direct all traffic through a single network security chokepoint are no longer effective.

In addition to traditional security gateways, networks require high performance wireless access points with integrated security in order to protect and secure WiFi access at scale. Hardware ports need to be hardened and monitored. Policies securing different RF access methods and protocols need to become part of your security strategy. Cloud security needs to see and secure IoT devices and traffic. And all of it needs to be part of a single, unified security strategy.

2. Segmentation

IoT devices and traffic represent a real risk to your organization. They need to be automatically identified at the point of access, segmented from the rest of the network, monitored and tracked along their data path, and inspected when they cross network zones for aggregation or analysis. 

3. Integration, Correlation, and Automation

Finally, as networks become increasingly elastic and distributed, it is essential that security visibility not be compromised.  Traditionally isolated security devices are no longer a viable option. Distributed security tools, whether in the cloud, at new access points, or deployed deep in the network, need to be woven together into a holistic security fabric strategy. This architectural approach enables clear, end-to-end visibility, centralized management and orchestration, and the consistent distribution of coherent security policies. Devices that can see and share threat intelligence can then automatically coordinate a response to any detected threat.

Such an approach allows security to span the network regardless of how much it expands and contracts, and can automatically accommodate new functions and ecosystems as they are added, such as cloud environments or IoT networks and protocols.