Tackling security for connected devices
by Bill Kalogerous
National Cyber Security Awareness Month brought much-needed attention to issues like ransomware and phishing, but there’s another corner of the security industry that can’t be ignored: the internet of things. IoT has already greatly expanded the capabilities of modern technology, and it has the potential to dramatically change how people live and work.
There are 16 critical infrastructure sectors whose assets, systems and networks — both physical and virtual — are considered so vital that their incapacitation or destruction would have a debilitating effect on national security, the economy, public health or safety. All these critical infrastructures, like utility networks and transit systems, are becoming more dependent on IoT for efficient, day-to-day operations. However, as with all new technology, IoT is not without vulnerabilities.
Security has been the top concern around IoT from the start because it monitors and manages sensitive applications — from a city’s water supply to a family’s home security system. In government, an IoT vulnerability could have dire consequences.
In September, the House of Representatives passed the IoT Cybersecurity Improvement Act, which directs the National Institute of Standards and Technology to outline best practices for device security and the Office of Management and Budget to create guidance for agencies to meet or exceed those practices. Additionally, the Department of Homeland Security would be required to publish guidance on coordinated vulnerability disclosures for contractors and vendors. This bill would provide the improved security recommendations and guidance that IoT and operational technology systems desperately need.
IoT vulnerabilities have been behind a number of high-profile attacks. Take the Target breach a few years ago. After the Target enterprise network was supposedly “locked down and secured” after the initial attack, it was penetrated by a red team that broke into the network via a food scale in one of the Target delis — an IoT device. In 2019, Russian hacking group Fancy Bear was behind the infection of more than 500,000 consumer-grade routers in 54 countries that gave attackers the ability to monitor, log or modify traffic passing between network end points and websites or industrial control systems. In August, researchers found that Alexa’s web services had a flaw that left its recorded audio interactions exposed to hackers.
All of these situations could have been nullified with a zero-trust infrastructure deployment, which ensures that a hacker does not have the ability to traverse or access other parts of the network, even if an IoT device is compromised. A zero-trust deployment would have kept Target secure from the first breach and from the subsequent red team exercise, and it would have kept both the Alexa and Fancy Bear hackers from accessing any personal information.
Even with “allowed” IoT systems for perimeter security — security cameras, gate/access control systems — organizations still have multiple contractors deploying a variety of devices, all managed via a jump host to keep the IoT devices secured from the enterprise network. If the jump host is compromised, the network is at risk. With a zero-trust deployment, the jump host is eliminated, and the IoT devices are secured and invisible from the outside world and all users on the network — a zero trust infrastructure.
While the government may not directly purchase consumer-based IoT devices, government employees do, and with pandemic-induced telework, all bets are off as to what vulnerable devices may be connected via a government worker’s laptop or home network. In addition, the defense contractors may have vulnerable IoT devices in their networks, providing a back door into the networks and demanding just as much security as government devices.
Whether or not the IoT Cybersecurity Improvement Act becomes law, there are other important steps agencies can take to enhance IoT security.
The government should consider requiring the use of zero-trust, software-defined perimeter technology for agencies using IoT devices. The ideal platform would enable microsegmented, secure networking for important network assets by making them invisible to unauthorized users such as malicious insiders, external bad actors and even nation-states, while enabling authorized users to connect to the “things” they need from anywhere in the world. This not only greatly reduces the security risks for the agencies, but government employees as well.
With this mind, we must all take stock of the IoT devices we use at home and in the office and work to secure them.