What is IoT Security?
The Internet of Things (IoT) is the term that applies to a broad range of connected devices and technologies. IoT, in a nutshell, is simply any unmanaged device that connects to a network or the internet.
Devices have been connected on local networks and across the internet for decades. But now there are four distinct changes in the age of IoT devices.
- Exponential Growth – The number of these devices is growing from an anticipated 8 billion in 2017 to 20 billion or more by 2020 (according to Gartner). Juniper Research estimated that there were more than 13 billion IoT devices in 2015, and predicted that number will explode to 38.5 billion IoT devices by 2020.
- Designed to Connect – Unlike previous devices in the home and workplace, many are now designed to automatically connect to the Internet or other devices.
- Difficult to Upgrade – Most of these devices have not been designed to allow upgrades to their limited operating system or firmware.
- No security – Most of these devices have no security.
While businesses have had years of experience managing and securing 802.11 WiFi networks, most have zero experience managing and securing Bluetooth connections, not to mention newer connection protocols such as ZigBee, among others.
Why IoT Security Matters
By 2020, more than 25% of identified attacks in enterprises will involve IoT.
Gartner, Leading the IoT Report, 2017
Gartner reports that by the year 2020 more than 25% of identified attacks in enterprises will involve IoT. Why? There are two primary reasons why IoT security is important. First, simply keeping up with the sheer volume of IoT devices is daunting.
The larger issue, however, is the fact that the vast majority of IoT devices will be deployed by businesses. Companies in manufacturing, retail, utilities, transportation and other industries are leveraging IoT to automate and streamline business processes. And companies in all industries are using connected devices as part of the everyday office environment – Bluetooth keyboards, smart lighting, HVAC, tablets… the list goes on.
The very nature of these devices makes IoT security a challenge—particularly for businesses. As mentioned above, most of these devices have no inherent security. They also are not equipped with any sort of direct user interface, and there is no way to install security software or an agent to facilitate monitoring. Traditional security best practices—firewalls, anti-malware, and other security solutions—are not adequate when it comes to IoT security.
What is an IoT Device?
An IoT device is any system that can communicate data but can’t be managed via traditional security tools. This includes the following:
- Office devices and peripherals – Printers, VoIP phones, TV screens and monitors, Bluetooth keyboards, headsets, etc.
- Building automation – HVAC systems, security systems, lighting systems, cameras, vending machines, etc.
- Personal or consumer devices – Smartphones, smart watches, gaming consoles, Apple TV, Slingbox, digital assistants (Amazon Echo, Google Home, etc.), cars.
- Industry-specific devices – Industrial control systems, medical devices (patient monitoring systems, mobile imaging systems, infusion pumps, communication badges, etc.), retail (barcode scanners, POS systems, loss prevention, etc.), warehouse (inventory systems).
- IT infrastructure – Routers, switches, firewalls, baseboard management controllers of servers.
IoT devices, by their very nature, are engineered to be connected and to communicate. They use standard network or wireless protocols including 802.3, 802.11 (WiFi), Bluetooth, BLE, ZigBee, Z-Wave, 6LoWPAN, ANT, NFC, RFID, DigiMesh, WirelessHART, ISA100.11a, EnOcean, WiMax, and LoRaWAN.
IoT devices are at risk of being compromised because an unmanaged IoT device is unprotected and exposed. It has an underlying operating system capable of executing code, and generally lacks basic security controls. Default credentials are often hard-coded into the device, making it easy to compromise.
Are IoT Attacks a Real Issue?
Yes. The number of IoT attacks, and the damage that they have done, have both been steadily increasing.
The most infamous example of an IoT attack is the Mirai botnet that spread around the world in late 2016. The Mirai botnet exploited weak security and default credentials in IoT devices. The compromised devices were then used to cripple various websites in massive DDoS (distributed denial-of-service) attacks.
Mirai made international headlines, but that is just one form of IoT attack. There are a variety of clever ways that attackers can use devices on your network to hurt you. For example:
- Hackers can compromise a device on your network and then use it as a proxy to propagate or move laterally within your network. The hackers know that the IoT device will lack the normal monitoring agents that are typically installed on computers, so the device is a relatively safe place for the hacker to maintain a presence on your network.
- Hackers can compromise a device on your network and then use the device to attack your network. For example, Verizon reported that a university was attacked by 5000 IoT devices (possibly soda machines and smart light bulbs) that had been installed on a separate subnet. Despite the wise precaution of segmenting the network, the devices were still able to effectively bring the university’s production network to its knees by attacking the DNS server that was shared by all the networks.
- Hackers can directly attack the devices on your network and then cause a system shutdown. For example, the HVAC systems in several apartment buildings in Finland were shut down because of a remote attack on the HVAC controllers.
- Hackers can compromise a device on your network and use it to leak data directly. For example, one of Armis’ customers identified a tablet in a conference room streaming audio and video to an unknown destination via a guest network. Traditional security products would never have found that.
Types of IoT Attacks
The rise of IoT and the exponential proliferation of IoT devices has resulted in new attack types that focus on the ubiquity and inherent security weaknesses of IoT:
- IoT Botnet
- IoT DDoS
- Shadow IoT
- Rogue Access Points
- Shadow Networks
- Airborne Attacks
- Air-Gapped Devices
What is an effective IoT Security Strategy?
Traditional IT security solutions are inadequate for defending enterprises from the threats posed by IoT devices. Rather than a layered, defense-in-depth approach of point product solutions cobbled together, organizations need to adopt a holistic security strategy that seamlessly integrates endpoints, data center, local network, SaaS environments, and public and private cloud to focus on detection and prevention.
There are five things that are essential for effective IoT security:
- Agentless. Because most IoT devices don’t offer any way to install an agent, it’s crucial that your IoT security strategy not rely on agents.
- Visibility. It’s important to have an accurate inventory of all devices in your environment – managed and unmanaged. That includes devices on your network, devices in your nearby airspace which may or may not be connected at the current time, and devices that are connected and transmitting off the corporate network.
- Device Monitoring. IoT security requires a new, holistic view that looks beyond network access and traffic. Businesses need to be able not only to determine the current state of a device, but also to track its state, behavior, version, risk, vulnerability history, reputation, and connections over time.
- Control. Visibility and monitoring help you detect potential attacks, but in order to thwart an attack, your security system must be able to control all wired and wireless connections so it can automatically block traffic or disconnect unmanaged or compromised devices.
- Frictionless. Most organizations aren’t deploying IoT security in a vacuum. The IoT security solution must be able to integrate seamlessly with your existing network hardware and software, as well as with any security solutions that are already in place, such as the existing network infrastructure, firewalls, or network access control solutions.
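As an added illustration of the Visibility and Device Monitoring points above (this is not code from the original page or from any vendor), the Python example below builds an agentless inventory from passively observed flow records and flags an unmanaged device that begins sending bulk data to a new external destination, as in the conference-room tablet case described earlier. The MAC addresses, IP addresses, flow-record layout, and thresholds are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data: MACs known to the endpoint-management system.
MANAGED_MACS = {"aa:bb:cc:00:00:01"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space

# Constructed flow records from a passive sensor (no agent on any device):
# (day, source MAC, network segment, destination IP, bytes sent)
FLOWS = [
    (1, "aa:bb:cc:00:00:01", "corp", "10.0.0.5", 4_000),
    (1, "de:ad:be:00:00:02", "guest", "10.0.0.53", 900),
    (2, "de:ad:be:00:00:02", "guest", "10.0.0.53", 1_100),
    (3, "de:ad:be:00:00:02", "guest", "203.0.113.77", 750_000_000),
    (3, "aa:bb:cc:00:00:01", "corp", "198.51.100.9", 20_000),
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def build_inventory(flows, managed):
    """Inventory every device seen on the wire, managed or not."""
    inventory = {}
    for day, mac, segment, _dst, _nbytes in flows:
        dev = inventory.setdefault(mac, {
            "managed": mac in managed, "segments": set(),
            "first_seen": day, "last_seen": day,
        })
        dev["segments"].add(segment)
        dev["first_seen"] = min(dev["first_seen"], day)
        dev["last_seen"] = max(dev["last_seen"], day)
    return inventory

def find_alerts(flows, managed, baseline_days=2, byte_threshold=100_000_000):
    """Flag unmanaged devices sending bulk data to a never-before-seen external IP."""
    seen = defaultdict(set)  # per-device history of destinations
    alerts = []
    for day, mac, segment, dst, nbytes in sorted(flows):
        is_new = dst not in seen[mac]
        seen[mac].add(dst)
        if (day > baseline_days and mac not in managed and is_new
                and not is_internal(dst) and nbytes >= byte_threshold):
            alerts.append((day, mac, segment, dst))
    return alerts

if __name__ == "__main__":
    for mac, dev in build_inventory(FLOWS, MANAGED_MACS).items():
        print(mac, dev)
    print(find_alerts(FLOWS, MANAGED_MACS))
```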