To avoid hivemind thinking that IoT devices are secure by design and/or have security features enabled by default, compensating controls should map to the key challenges with IoT security today. IoT deployments promise unique ROI for monitoring, diagnostics and analytics, and enable new business models. However, they lack scalable central management, reveal rudimentary access controls, and often leave swathes of frivolous data vulnerable.
Meanwhile, evidence suggests that threat actors are doing their homework; Scanning for CVEs in target environments quickly and focusing on techniques to maintain undetected access to systems and devices. In many cases they masquerade as legitimate users, and specifically target malware to dwell in systems and produce specifics outcomes.
Manufacturing and energy continue to be leading targets from known threat actor activity, however, targeting of healthcare and commercial facilities is on the rise. These distinct sectors have one thing in common—the widespread adoption of internet of things (IoT) technologies, often from vendors that serve and service multiple sectors and use cases.
There are numerous ongoing efforts by government agencies and industry groups to scope and scale IoT security. Many are advancing to adopt best practices that can be extended to the secure lifecycle of devices, depending on business priorities and security needs of end users.
With increased focus on botnet traffic and identification of IoT vulnerabilities, Nozomi Networks has a unique perspective on the scale of the problem. We have the experience to help address the challenges of complex network connectivity and secure deployment of IoT devices, to strengthen our customers’ security postures.
The Challenge
With the addition of IoT and analytics technologies for business outcomes security concerns arise for IoT hardware, software, interfaces, data storage, and applications. Beyond network security gaps, IoT hard-coded passwords and internet interfaces with remote access and end-user credentials are frequently targeted.
Many critical infrastructure sectors are moving to adopt new levels of connectivity between systems, networks, and devices. Operating across distributed locations, they are simultaneously implementing increasingly complex SCADA architectures and IoT deployments to streamline operations. The propagation of automated hacking and botnets are a constant threat to the fidelity of IoT devices.
This connectivity and its associated security concerns now extend to networked cyber-physical systems, IT/OT integrations, building automation, and the push for software-defined performance indicators, efficiencies, and investments.
IoT devices are increasingly being deployed in critical infrastructure networks:
- To monitor critical functions, diagnose potential issues, analyze and report on machine and environment status updates
- Closely connected to real-time controllers that measure the temperature of a cooling system, the efficacy of a safety system, or the pressure in a pipeline
- As controlling elements incorporated into Building Management Systems (BMS)
Some are added to networks without change management procedures, configurations, and security concerns addressed. Should they accidentally be misconfigured or intentionally sabotaged, there may be dire consequences, including potential impacts on health and human safety. The size and scope of these devices will make it increasingly difficult to manage and monitor them effectively.
Many security researchers agree that focusing on the security of individual devices is not a practical long-term solution for IoT security. It is often the case that patches are either unavailable, difficult for vendors to develop, or impossible to install. Additionally, quantum computing presents a potential roadblock to the future of IoT encryption.
Estimates indicate that before the end of 2023 there will be up to 3.2 billion 5G IoT devices connected on the internet. 5G represents a threat multiplier to the future of IoT devices and ecosystems. The bandwidth allocated to a 5G device can reach as high as 1 GbPS. The underlying hardware, often ARM64 based, has the potential to be effectively leveraged to generate concerted Distributed Denial of Service (DDoS) attacks.
In the Weeds
The primary attack surfaces of IoT devices are their default credentials over SSH. When a system is targeted, the attacker, typically via another infected IoT device, will attempt an average of 40 passwords for a handful of usernames. Other common attack surfaces of these devices include UPnP, HTTPS, and its underlying packages of java and various source code modifications.
These systems and variations tend to remain unpatched long after a patch has been released. That’s because most IoT devices are “headless” and are not set up for automated updates without the owner or user agreeing to a risk-based statement within the end-user license agreements.
Once the attacker has gained entry, they will check to determine the underlying operating system to decide which payload to install on the system, often to deploy a botnet attack. The server hosting the malware will likely be from a hard-coded IP address within the attacker’s script.
To obfuscate the payload, many IoT botnets use naming conventions for their payload that are common processes such as ‘ntpd’—the network time protocol daemon—in combination with using packers and cryptors to thwart deep packet inspection engines.
Once the system is infected, it immediately changes the default credentials before setting out on its intended objective to infect other machines. These IoT botnets can grow to have hundreds of thousands of controlled devices under their helm, and their primary focus is to perform DDoS attacks against targets, to great effect.
Compensating Controls
Security solutions must go beyond merely identifying and understanding all critical elements in an IoT/OT network. They must include deep understanding of all potential risk scenarios and proactively go about monitoring for such activities. With the potential for IoT deployments to be hijacked for nefarious purposes, their adoption requires both a clear ROI and a security plan.
Ephemeral desires for efficient operational expenditures must always be tempered by the very real financial, and potentially physical, harm that may result from a cyber incident. Risk tolerance, therefore, must balance the benefits of IoT, automation, and efficiency with the need to also monitor operations with security solutions purpose-built for digitized, cyber-physical environments.
At the end of the day, decision makers deploying IoT are inundated with data but lack actionable intelligence to make sense of an often bleak and complex cybersecurity picture.
Nozomi Networks’ Suggested Four Main Compensating Controls:
- An asset management mechanism with real-time data, to include IoT devices, capable of providing network security engineers with zone and network location data, lifecycle, and patch information.
- A firewall capable of isolating or killing connections identified by the monitoring solution, such as those identified as being malware-associated or anomalous.
- Utilizing a monitoring solution that can integrate IoT with network access control (NAC) products, and expose the greatest potential risks in real-time. For example, one that directs the NAC to place critical or vulnerable IoT assets into dedicated VLANs—capable in a DMZ configuration.
- A process for network security engineers to follow to patch the highest risk and most vulnerable assets first, to reduce overall risk exposure and increase resilience.
Security research into products and devices, reverse engineering of malware, common vulnerabilities and critical weaknesses, and mounting tactics, techniques, and procedures of threat actors bubble up to a seemingly insurmountable outlook. However, progress in cybersecurity is dynamic, constant, and incremental. When it comes to a distributed IoT incident, monitoring can quickly work to identify, protect, detect, respond, and recover from a potentially devastating outcome.
