‘Building’ a case for stronger IoT-related cybersecurity
BY CHIP JARNAGIN AND DOUGLAS HUMPHREY
In an April 2018 presentation to the Wall Street Journal CEO Council Conference, Nicole Eagan, the CEO of Darktrace, reported that hackers had breached the automated thermostat of a casino aquarium and through it exfiltrated the casino’s high-roller database.
While characterizing this story as one of the greatest fishing (sic) attacks ever elicits peals of laughter, it takes on considerable significance when one looks at the cybersecurity Wild West that is the Internet of Things (IoT). According to a study by Aruba Networks involving more than 3,000 companies, 84 percent of them had experienced some type of IoT breach. While some cybersecurity teams see IoT security as a current issue because of their organizations’ industry (e.g., the medical and high-technology fields have been early adopters), most mistakenly believe it will not affect them anytime soon.
In fact, all cybersecurity organizations will be impacted by IoT implementations because of the buildings their companies occupy. This will happen sooner than most cybersecurity professionals realize because of the savings that can be realized through reduced building costs. Mark Gardner, in a presentation for The Builders’ Association, stated that 71 percent of the total cost of ownership (TCO) for a building is owed to operational costs, which creates the imperative to run buildings as efficiently as possible. The legacy systems currently in place are outdated and do not supply the necessary information to do so. Replacing those systems with the latest technology will also help improve worker productivity through increased personalization and comfort. Such optimization efforts for buildings, along with the greater operational efficiencies, will require data. Lots of (IoT) data.
Because of the large rewards involved for enabling all of these benefits, there is a headlong rush to develop those capabilities. Unfortunately, systems for intelligently controlling and reporting on power, lighting, HVAC, physical security, etc., are being developed outside of traditional IT with little (or no) regard for cybersecurity. And these systems will need to be visible/accessible both internally and externally via the internet, which could provide unlocked back doors into an organization’s core systems and data — up to and including the ability to take control of a building’s systems.
Buildings are perfect attack vectors as breaches of simple devices, such as thermostats, can offer a direct kill chain to valuable IT corporate assets. The real pot of gold at the end of the building hacker’s rainbow is corporate tenant personally identifiable information (PII). This is information related to the company’s balance sheet, strategic plans and employee profiles. Breach of this information can cost a company millions of dollars.
The potential risk of the loss of control of PII must be weighed against the possible benefits from smart (IoT-enabled) buildings. David Barista, editorial director of Building Design+Construction magazine, states that “[a]s buildings become ‘smarter’ and increasingly connected — through advanced systems controls, communications protocols, building automation platforms, networked tenant devices and IoT technology — opportunistic hackers have countless avenues into a building’s network, to gain access to critical data or even take control of a building’s systems.”
Even if a firm rents its office space, the cybersecurity organization is not out of woods. It must still perform due diligence on the landlord just like it would with any vendor to assess the risk of the firm’s PII falling into the wrong hands.
Intelligent buildings are why all cybersecurity organizations need to immediately get ahead of the curve regarding IoT.
The IOT Explosion
This explosion in IoT development is being driven by Moore’s law (the doubling of computing power every 18 months). While the cost of IoT devices is dropping dramatically, the power of the processors and devices is steadily increasing. In the headlong rush to create and implement them, cybersecurity is largely being ignored because it is considered secondary to the business of these low-cost products.
Unforeseen market opportunities are emerging from the development of IoT. Many new, disruptive business models are being uncovered as organizations seek to meet their investment hurdle rates and maximize their return on investment (ROI).
IoT will raise expectations (unrealistically?) for both businesses and consumers as companies endeavor to give customers what they want, when they want it. Artificial intelligence will create a learning feedback cycle that will allow companies to deliver faster and with greater precision. Supply chains will become more integrated and transparent. Additionally, IoT will amplify current trends, including the trend to work remotely: Individuals will be able to live closer to the people they care about without the tyranny of having to go to the office.
Given IoT’s burgeoning potential benefits, these devices will soon be arriving in tradespeople’s vans by the thousands.
The Current State of IoT Cybersecurity and Why It Is a Concern
In the business world, an IoT device is an industrial operational asset that has a fixed function. It is designed to perform a specific task such as actuation or sensing. To keep costs low so vendors can make an acceptable profit and/or take advantage of game-changing market opportunities, these devices are designed to consume minimal processing power and thus cannot easily support niceties like cybersecurity.
Because these devices are situated at the network edge, the security risks are increased by the broader attack surfaces (defined as the sum of points of attack where an unauthorized user can enter data into or extract data from an environment). Unprotected systems, visible and accessible by people outside of an enterprise (i.e., hackers and foreign governments), provide unlocked back doors into the organization’s core systems and data. Vulnerabilities, like those listed below, heighten risk:
- Most IoT devices have little or no internal security, which can give an attacker ready access not only to all of an enterprise’s IoT devices, but to all other systems on its network. As an example, a simple unsecured thermostat in a building may be hacked, allowing unapproved actors to infiltrate a company’s core network.
- The majority of all IoT devices (pump sensors, temperature gauges, etc.) use Telnet, which communicates in plain text without encryption. This includes passwords being sent in plain text.
- IoT devices often have hard-coded passwords that are easy to penetrate or are widely available from the vendor:
- IoT passwords are typically very weak, which makes them insecure. Because of this, they can be harnessed to launch attacks. In 2016, the Mirai botnet exploited this vulnerability to cause “some of the largest and most disruptive online attacks the Internet has ever witnessed.”
- Most IoT devices do not require complex or long passwords.
- Updates and security patches are too often unavailable or nonexistent from the vendors for IoT devices and applications: There are far too few security solutions to common problems.
Unfortunately, the very developers responsible for IoT security have often strongly resisted or even purposely circumvented security measures. And, although it may not be apparent, customers do seem to have a breaking point for how much risk to privacy and security they will abide. Once the trust of IoT users is gone, it will be difficult to recapture. This obvious lack of due care represents both a great long-term risk and a barrier to the adoption of IoT.
Providers of IoT services and products also need to think through data-sharing arrangements (including data sharing with supply chain members) and what this will mean. Organizations should keep in mind that single-purpose sensors may unknowingly be collecting and transmitting sensitive data outside of the organization.
Regrettably, cybersecurity is also lax in the IoT user community. According to directly quoted findings in a recent Ponemon survey regarding IoT security:
- Fewer than 20 percent of survey respondents say their organizations can identify a majority of their IoT devices.
- 49 percent of respondents do not keep an inventory of IoT devices and 56 percent do not keep an inventory of IoT applications, with 88 percent citing this is because of a lack of centralized control over these applications.
- 58 percent of respondents indicate that it is not possible to determine if IoT and third-party safeguards are sufficient.
The stark fact that the adoption of IoT is occurring without cybersecurity safeguards in place necessitates that reasonable security practitioners ask how far along the standards bodies are in developing IoT standards and what can be done to secure the IoT stack while standards are being developed.
The Current State of IoT Standards
Unfortunately, there are few widely accepted standards regarding IoT security and risk management, even though they are necessary for disparate systems to communicate securely. There are currently more than 400 proprietary and open IoT platforms and “some 100+ standards across the various levels of the IoT stack, from the sensor level to network connectivity (LTE, Wi-Fi, Bluetooth, LPWAN, etc.), cloud and security,” Despite this surfeit of options, no standard reference model has emerged as the clear winner. Importantly, this lack of security standards constitutes another barrier to adoption of IoT.
IoT cannot reasonably fulfill expectations without an industry standard reference architectural model. Such a model will allow consumers to make more informed decisions. Currently, beyond a very basic IoT security model, the reference architectures vary. Too much choice is unnecessarily delaying buying decisions and a clear distinction cannot be made between IoT and non-IoT devices and systems.
In order to sell products and services, however, companies must begin developing meaningful standards so they can at least show how their offerings meet security requirements. The most forward-looking companies will consider future standards (or help to develop these standards), rather than simply push product.
Security for the IoT will not be as straightforward as it was for traditional IT networks, which first concentrated on perimeter defense. IoT is essentially borderless and devices are required to talk to many other devices sometimes in new and unfamiliar ways.
Standards bodies such as the National Institute of Science and Technology (NIST) are developing models that are gaining traction. In September 2018, NIST published NISTIR 8228 (Draft), “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.” Its purpose is “to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles.”
NIST has also released a conceptual model for IoT connectivity known as fog computing, which is the decentralization of “applications, management and data analytics into the network itself using a distributed and federated compute model.”
In addition, three leading private sector-models (AWS, Microsoft Azure and IBM Watson) have gained traction in the marketplace, as has GE Predix (open source). These IoT platforms tend to emphasize what have become standard parts of an IoT stack:
(1) Devices – Dealing with physical protection.
(2) Connectivity – Dealing with encryption of data and communications.
(3) Cloud/Fog Services – Dealing with device management, processing, data visualization and analytics, privacy and authentication.
(4) External Interfaces, Applications – Dealing with identity and access management (IAM).
The number of IoT security models is expected to soon coalesce to a more manageable number as standards merge and larger companies acquire smaller ones. But what can be done in the meantime to secure these devices until clear IoT standards are in place?
A Way Forward
For efficient operation and time-critical decision making, smart devices need to be secure, reliable, interoperable and manageable. No matter the IoT security model (or models) that prevail as the ultimate standard(s), they will provide a roadmap for assessing and securing the IoT stack. Such model(s) will address how to simultaneously secure operational technologies (OT) and information technologies (IT) and the data that is both in motion and at rest between them.
There are four primary steps to assess an organization’s IoT security posture and ensure the protection of every part of the IoT stack:
- Strategic Alignment and Optimization – Just as a cybersecurity organization would do with any major initiative, involve senior management and the C-suite throughout the lifecycle of the enterprise’s IoT initiatives to ensure lasting success.
- Identify IoT Objectives – Inventory IoT assets and then determine who might attack them and how. Next, analyze and document all threats and vulnerabilities for these devices. What data should be collected for and about these assets? With whom should the data be shared?
There are different types of IoT devices, which can serve thousands (or more) of unique purposes:
- One-way devices are simple devices with one-way communications. For example, “This parking space is occupied.” This is a one-way service request outbound. Its status is monitored. These devices aren’t powerful, they are cheap and there is not much one can do to manage them.
- Slightly more sophisticated one-way devices include fitness or vehicle trackers.
- Two-way devices are smart devices such as those used for security, lighting and medical equipment. These devices enable edge processing and local computing.
- There are also smarter two-way communications devices that do everything mentioned above and include extreme artificial intelligence (AI). Example: self-driving cars.
- Edge Gateways – These serve as IoT connection points between devices/sensors and the cloud, and may also be classified as smart two-way devices.
At each level of the IoT stack there are techniques that can be used to meet standard requirements of various IoT security control regimes. In addition, there are some standard approaches to basic IoT security hygiene that an organization can take:
- Isolate these devices on their own separate network. For example, in a manufacturing network, maintain multiple networks or VLANS for IoT devices (including critical assembly lines).
- Change the default settings, especially those for passwords and “features” like Plug and Play (PnP).
- Constantly monitor these devices like any other device on the network.
- Maintain a stringent testing framework (including tests for device range, latency, capacity).
- Ensure that patching procedures are up to date and available. As a fallback, ensure there are compensating controls.
- Only deal with vendors who can deliver security for their IoT offerings, and perform vendor assessments as is done for any other vendor.
- Have a professional consulting organization conduct end-to-end IoT security assessments.
Keep in mind that organizations that implement an IoT security solution are not necessarily looking to create impenetrable security — they are simply looking to solve their security problems at an acceptable cost. Savvy buyers look for clues regarding both the cost of an IoT solution and its possible risks to revenue, reputation, brand, compliance, and ultimately, valuation.
While there is no single magic bullet that will secure an organization’s IoT investment, these steps will give it basic hygiene and protect against most IoT cybersecurity threats.
In April 2018, the CISO of a large international corporation walked into the corporate break room and noticed a lot of construction. When he asked what was going on, he was told that the vending machines were being removed, and the vendor was going to an honor system for payments. All of the food and beverages would be displayed on open shelves, and the employees would take what they wanted while paying for it with a credit card. To ensure the honor system would be honored, a video camera was being installed that would livestream the break room activities to the vendor’s headquarters.
The CISO immediately intervened and ensured that the camera would not be installed.
If they are not already being implemented, intelligent building (read IoT) initiatives for an enterprise’s buildings are just around the corner. If its cybersecurity team has not done so already, it must immediately get involved with the building services team to start working together on the company’s building plans.
It is a cybersecurity imperative that the threat of a direct kill chain to valuable IT corporate assets posed by IoT devices must be shut down.
Besides, no employee wants their friends watching an internet video feed of the corporate break room to see if the employee is cheating on his or her diet.
CHIP JARNAGIN, MBA, CISSP, PMP, CSM, Lean Six Sigma Green Belt, is a consultant at LatticeWorks Consulting. He has more than 20 years of experience in cybersecurity, telecommunications and IT. He is published in the fields of cybersecurity, organizational culture, project management and IT governance/management.
Douglas Humphrey, CISM, CSCP, CDCP, Lean Six Sigma Black Belt, is a manager at DXC Technologies, a Fortune 50 IT and security provider. Douglas also serves as an instructor at Harvard Innovation Labs, where he teaches courses on cybersecurity for the IoT and conducts research on prevention of and response to breaches of enterprise networks via real estate vectors. Previously, he was a manager at Hewlett Packard Enterprise where he was cybersecurity lead for the HPE Universal IoT Platform Working Group and helped to organize the CISO Council. He is a frequent speaker on the topic of cybersecurity for the IoT and currently serves on the Board of Advisors of 802 Secure, a Silicon Valley IoT security startup developing signal intelligent technology.