Protecting Internet of Things (IoT) endpoints from malicious cyber threats has become a significant issue now that networks of connected devices are being deployed in every market from retail to critical infrastructure (CI), but for embedded devices in particular, the challenges of adding comprehensive security remain the same as always. Resource limitations, legacy devices, and weak or non-existent defenses in the interior of IoT networks all pose problems for IT administrators and Chief Information Security Officers (CISOs) alike. Here, Andrew Howard, Chief Technology Officer of Kudelski Security, a managed security services and cyber security consulting firm that recently launched an, provides tips and advice for good cyber hygiene in the age of networked devices.
What are some of the strengths and weaknesses of endpoint protection mechanisms today in the IoT?
HOWARD: It might help to set the stage for why the challenge of endpoint protection is such a tough problem. The reason is that a lot of IoT devices aren’t typically on standardized technology.
If I look at the number of operating systems (OSs) being used across the IoT community it is a very big number, whereas if I compare that to the laptop OS environment, a huge percentage is either Windows or Mac – I’d be willing to bet it’s in the 98 percent range. The IoT distribution of OSs is everything from the real-time operating systems (RTOSs) to Windows to Linux, and all kinds of flavors across those different variants. So, I’ve got all of these different OSs out there and all of these different hardware configurations, and IoT devices also tend to be low power and small in size. Not exclusively, but that tends to be a common theme in IoT devices, especially the ones that are deployed in the hundreds, thousands, and tens of thousands. Certainly, once you get into the bigger volumes, they tend to be lower power and don’t require full-time AC, or they use a battery.
For that reason, you don’t see ubiquitous endpoint protection technology being available to IoT device manufacturers. If you’re building a device, it’s not like you can just go to iotendpointprotection.com and download the latest antivirus solution or an intrusion detection system or whatever type of protection mechanism you’re looking for because they just don’t tend to exist. And, if they exist at all, they tend to be OS-specific.
A secondary problem is that the fairly low processing power of IoT devices means that the ability to do on-device log analysis or on-device network analysis is usually fairly limited. For that reason you don’t find ubiquitous solutions, and instead find a lot of people trying to either home brew a solution or just not deploy it at all. You’re lucky if a lot of these IoT devices even run the right type of network security protection, such as host-based firewalls, etc.
The big weakness in this whole space is the lack of a ubiquitous solution, and a lot of device manufacturers have no idea what they’re doing because they think an IoT device looks like a laptop or a typical IT endpoint, which is just not the case. When you start talking IoT, you have other threat vectors that might not exist for the typical laptop. As an example, whereas a laptop tends to be accompanied by a user, physical access for an IoT device is very concerning since it may be deployed out in a field. So I need to be very worried about what someone can do when that device is physically accessed more so than with a laptop or a desktop or a server.
The key is that the typical IoT device is not necessarily analogous to the typical endpoint, yet we tend to have typical endpoint thinking when it comes to securing IoT devices.
Given the diversity of IoT devices, does endpoint protection need to be implemented at a particular layer of the stack or at multiple layers throughout disparate systems?
HOWARD: In an ideal world you’d have a defense in depth, layered approach at every layer of the application stack, as well as at the physical layer of every device. So along the entire network, end-to-end, every device would have its own defensive mechanisms and its own protections. The reality is, though, that’s just not typically the case. You’ve got to be selective about where you put these protections in place for the reasons I mentioned earlier.
The methodology that is often preached around the IoT is “protect the data.” Protecting the data first and having a data-centric mindset will buy you a lot of good will from a defensive perspective. Then, after you protect the data, you start talking about making sure that the device does no harm. This is about making sure the device isn’t brought into a botnet and used by somebody else to do very bad things, or misused in such a way that it could hurt a user or a human or the brand of the company that built the device. Once you’ve protected the data, it’s about ensuring that the device operates as intended and when expected.
One particular area of concern when defending IoT networks is the presence of legacy devices. How should organizations managing older systems approach securing them from modern threats?
HOWARD: We often run into networks with legacy devices that are incapable of meeting current security requirements, either because they can’t be upgraded or they just don’t support the feature sets that are required by modern security programs. A lot of these requirements fall into the authentication space, as well as the network security space.
Just talking legacy equipment, a trivial example is a device that doesn’t require authentication to modify the device. In other words, devices that just require you to hit “Enter,” and you don’t have to type in a username or password or use any kind of credentials.
A more sophisticated example that’s more common is older devices that can’t support the second factor of two-factor authentication. This is a major problem being faced by just about every enterprise out there, regardless of what they do, manufacture, or sell. The advice that they typically receive from us is that if they can’t secure the device or upgrade the device, they should at least be very closely monitoring the device. Certainly in the industrial control system (ICS) and CI spaces, these are major problems because now you’re talking about mission-critical and life-critical systems that can’t meet current security requirements. Again, outside of replacing or upgrading the device, our typical response is to isolate and carefully monitor.
Network defenses tend to be external, but the downside of this is that once a device on the network is compromised, threats can often move laterally across the interior of networks, largely unimpeded. How can this be mitigated?
HOWARD: I call this problem the “egg problem,” because you have a nice hard shell but a really soft inside.
This problem existed well before the concept of IoT existed since a lot of enterprises focused on network security at the perimeter and really didn’t care about the internal portions of the network, both because it was a complex problem and because all of the threats were at the edge. As you said, the problem is, once those threats are in, they have full access to everything that goes on the network.
Segmentation here goes a long way. If you’ve got an IoT device on your enterprise network, that device or those devices should be segmented from the rest of the corporate network so that you don’t have an IoT device attacking other things within the network. Then, smart network architecture and smart network log analysis also go a long way towards ensuring that devices are operating as expected.
The example I’ll give is something that’s been in the news. If you’ve got two web cameras – which I would consider IoT devices – that are on your enterprise network and supposed to communicate with a server inside your network, there’s no reason that those two cameras should be talking to each other. Any network traffic that shows device-to-device communication or what would look like reconnaissance or action on objectives or lateral movement by one of those cameras should be identified through typical log analysis.
Again, these concepts are not new, and existed well before the IoT. They’re just good cyber hygiene. IoT puts a really big focus on cyber hygiene because the numbers are a lot bigger and failure to do the right things can really spiral out of control quickly.
Where is the best place to start for building in a managed security plan for new IoT device and network deployments?
HOWARD: The answer is you’ve got to get help, and the reason is that these problems are difficult and also require a different way of thinking about device protection than a lot of IT and security professionals are used to. The number of companies and people who have experience dealing with IoT devices – meaning that the devices are out in the field for a long time, physical access is a concern, they’re tough to upgrade, and have low power requirements and processing capabilities – is not large. The best path forward is to try to get help from a company who has experience with those devices.
Also, don’t home brew a solution. We’ve looked at a lot of IoT devices in the past that have home brewed solutions for security when there were commercial or proprietary solutions available that were better written, better tested, and easier to manage that would solved a lot of problems. A lot of the IoT devices that I’ve had experience working with still tend to home brew cryptography, for example, because they can’t find that AES or public key cryptography package for their OS, so they home brew the cryptography. Those types of decisions can lead to catastrophic problems, so get some help.