The rate that smart devices connected to the Internet of Things (IoT) was already brisk over the last few years, but the pace accelerated during the COVID-19 pandemic. Both the enterprise and the consumer IoT market boomed, despite economic uncertainty. As the World Economic Forum noted in a December 2020 report, "COVID-19 has radically transformed the role of IoT in just a few months."
Security has been a concern for IoT devices all along. However, it is growing into a much bigger problem as organizations embrace hybrid workplaces and work and home spaces remain intertwined for the long term.
When employees take their devices home and connect them to the same network as insecure smart devices, they open up new points of attack—and new entry points into your business. IT admins must contemplate a whole new set of implications. But it's not an easy task because of the inherent challenges with IoT security.
In 2018, there were 7 billion IoT devices. Before the pandemic hit, that number was expected to grow to 75 billion devices by 2025. The World Economic Forum now expects the IoT market and ecosystem to grow even faster, due in large part to pent-up demand and the new role of smart devices in making businesses more resilient.
On the consumer front, adoption is skyrocketing, too. The number of shipped smart home devices surpassed 800 million in 2020, a number that is forecast to grow to 1.4 billion in 2025.
Commercial IoT has expanded rapidly for several reasons. At its core, it offers virtually endless options for extending IP network connectivity to domains that have traditionally lacked it. Every sector, from healthcare to manufacturing, can leverage IoT to connect disparate systems and achieve new operational efficiencies.
For example, hospitals could use noninvasive IoT sensors to monitor patients and send key information to the cloud for delivery to other systems. Manufacturers can use sensors to gather operations data on the factory floor and improve efficiencies.
The potential of IoT devices to boost efficiency is breathtaking in scope, but the interconnected web of IoT devices also gives bad actors millions of new launching pads to breach a network. Worse, these devices come with weak security—or often—no security at all.
So, it's not surprising the World Economic Forum survey identified security as a major concern for IoT.
What are the implications for IT administrators? Managing the increasing variety of IoT devices—some without traditional interfaces for receiving patches—now involves a serious look at their security.
What Is IoT Security?
Like computers, IoT devices connect to the internet, making them vulnerable to a variety of threats (such as malware) and attacks (such as distributed denial of service or DDoS). Unlike computers, IoT devices have very little space for building in security features because the functionalities of the devices take up most of the real estate.
Since many IoT devices lack an interface altogether, you can't patch them easily, if at all. Plus, the variety of communication protocols that smart devices use to connect to the internet makes it a challenge to standardize additional security.
IoT security combines strategies, technologies, and methods for solving these security challenges and protecting your connected devices. Although the tools and techniques you can leverage are as extensive as the types of devices themselves, adopting IoT security best practices is a good starting point.
Let's review some of the practices IT admins should consider:
IoT Best Practice #1: Network Segmentation
One of the most effective countermeasures to the vast spectrum of IoT threats is network segmentation. This involves dividing the network into multiple segments, typically for purposes of improved performance and enhanced security.
What Is Network Segmentation?
Network segmentation breaks down your network architecture into subnets. Each of these subnets is its own, albeit smaller, network.
Network or IT administrators can set policies to control how traffic flows within these subnets. Think of it like a complex web of interconnected, multilane highways, where cars automatically choose a lane and direction based on their destination and traffic conditions.
Segmentation serves a variety of network control and security purposes. It:
- Optimizes and boosts network performance.
- Prevents unauthorized users from accessing specific network-connected resources like databases and applications.
- Enables a zero-trust approach to security by creating micro-perimeters around critical resources.
With a segmented network, you can separate internal user traffic from that of guests and external contacts. You can further fine-tune the segmentation so there are individual segments for your web servers, databases, and employee devices. Specific regulations, such as PCI DSS, actually mandate physical segmentation.
In addition to standardized compliance, segmentation also makes it more difficult for outsiders to penetrate your network via an unsecured IoT device—and it shields sensitive data from overly curious insiders.
How Does Network Segmentation Work?
Consider a guest Wi-Fi network, which is the IT equivalent of a visitor parking lot. It has a limited, self-contained scope, and key restrictions on its use.
Visitors log on to this guest Wi-Fi, while employees use a restricted access network. The separation is critical, since outsiders inevitably use unmanaged hosts and endpoints not provisioned by IT—an issue that will only become more pronounced as IoT expands the overall number and variety of possible devices.
How to keep untrusted devices in the guest network:
Create a unique SSID for the network.
This leads to an isolated VLAN that connects to the internet separately from the internal network. A dedicated circuit for the guest network may also be installed.
Require visitors to enter passwords through a captive portal.
This not only prevents network overuse, but also logs every visitor and enables enhanced access controls, including session termination, that comes with it.
Monitor all traffic on the guest network.
Even if it’s segmented and has its own circuit, you don't want the guest network to become a blind spot in your IoT defenses. Security operations that include a security information and event monitoring (SIEM) solution can ensure you keep tabs on network activity and spot anomalies quickly.
These measures and others help reduce the total attack surface, even as your IoT infrastructure expands.
Your internal network structure remains invisible to guest users. Plus, if there is a security incident involving a guest, it's relatively easy to contain and won't spread to more important assets.
Ultimately, network segmentation works by restricting the flow of traffic between zones. Your security team gains granular control over who has access to various systems, allowing them to head off common IoT threats such as botnet-enabling malware that thrive on easy proliferation across devices.
For example, IoT endpoints like IP cameras and smart home security devices are notorious for their security vulnerabilities. The Persirai botnet alone, discovered in 2017, exposed 120,000 such cameras. Implementing network segmentation and a SIEM solution within a security operations center (SOC) is your best defense against these types of cyberattacks.
For more information about SIEM strengths and weaknesses, check out SIEM: A Comprehensive Guide.
IoT Best Practice #2: Patching Your IoT Infrastructure
The dangers of unpatched PCs and servers are well understood. They've been front and center in some of the most prominent attacks. The issue is magnified with IoT devices, where even routine patching is more complex and risk prone. At the same time, of course, cyberthreats are on the uptick.
In the first quarter of 2021, for example, researchers observed a 55% increase in new malware variants based on Mirai, which scans the internet for vulnerable connected devices. Mirai was behind the massive DDoS attacks against the DNS company Dyn, which knocked thousands of websites offline in 2016, including Amazon, Reddit, and Twitter.
Another example is a medical device hijack (aka medjack), which typically involves the lateral movement of malware across networked, interconnected platforms that perform tasks such as MRI processing, picture archiving and communications, and blood gas analysis. This essential infrastructure is highly vulnerable to medjack attacks, in part because of the difficulties associated with patching.
To further complicate things, it's difficult to maintain these systems when you consider their environment, especially those devices that require special handling to upgrade. Still, even mundane office equipment, such as printers, and relatively simple IoT appliances, like embedded sensors, usually aren't patched as rapidly as traditional endpoints, such as laptops or mobile devices.
One challenge is that device manufacturers can't push out patches to IoT devices as easily as they can send updates to mobile devices and computers. Take the example of Taiwan-made CCTV security cameras and DVRs that had various security issues. Threat actors behind three botnets were actively exploiting those vulnerabilities in 2020. While the vendor made firmware patches available, it didn't have an easy way to push those upgrades to customers.
In all likelihood, many of those cameras and DVRs remain vulnerable or may already be part of a botnet.
Perform Regular Vulnerability Scans
So, what's the solution? Given the immense variety of IoT infrastructure, there's no one-size-fits-all approach. However, the regular, periodic use of a vulnerability scanning tool is a good place to start.
Once you identify vulnerabilities, you must prioritize system patching by carefully considering their severity, the end-user impact, and operational downtime.
In many cases, you might not have to completely disable an essential IT function, but instead simply limit its functionality as you perform patches.
IoT Best Practice #3: Implement Two-Factor/Multifactor Authentication for IoT Admin Accounts
Passwords have been the bane of information security and the user experience since the time they became necessary for switching between users on time-sharing systems. Too often, they are weak enough to be overcome with dictionary attacks, too complex to remember, or both.
In recent years, numerous high-profile security incidents have involved compromised or weak passwords. In the recent Colonial Pipeline attack, attackers used a compromised password to gain remote access into the company's network via a VPN, which didn't use multifactor authentication.
Passwords Are Not Enough
Many people reuse their credentials or use weak passwords, and IT admins are not an exception. Without additional security measures in place, admins are practically giving away the keys to the kingdom to cyberthieves.
That's where two-factor authentication (2FA) or multifactor authentication (MFA) comes in. Among consumers, 2FA/MFA is probably best known as the SMS code required for verifying actions, such as opening new accounts or making unusual bank transactions. For your organization, you can enforce 2FA/MFA much more systematically, with additional factors that are safer than text messages.
Why You Need 2FA/MFA
A business-class 2FA/MFA system might require the use of biometrics (usually a fingerprint, retina scan, or facial-recognition pattern), hardware tokens, or separate devices in addition to a standard password. These requirements are particularly important for ensuring the integrity of administrator actions pertaining to IoT devices.
Unlike laptops or smartphones, many IoT devices are so minimalistic that you can't log on to them directly from their own interfaces. Their entire security depends on administrator actions, making the thorough verification of any changes or updates mission critical.
While 2FA/MFA is central to IoT security, it's not as widely used as it should be. A survey conducted by LastPass found that only 57 percent of those surveyed were using 2FA/MFA. While that number has grown over the past few years, it's still a surprising low figure.
IoT Best Practice #4: Continuously Monitor Workloads, Applications, and Devices
Once attackers compromise a system, typically only a small window exists to prevent their lateral movement. The breakout time—the time it takes for an attacker to move to additional systems and potentially initiate data exfiltration after a breach—is surprisingly short.
A breakout, in fact, can occur faster than a flight from San Francisco to Seattle. The Internet of Things compounds this issue with universal plug-and-play (UPnP) schemes, which allow for traffic to seamlessly pass between devices like routers. UPnP enables proxy chains that cover the tracks of attackers, while supporting massive IoT botnets.
Security and IT teams face the daunting challenge of trying to secure their IoT infrastructure within this brief timetable. In a short amount of time, they must detect initial intrusions, investigate those events, remove the infiltrators from the network, and take steps to prevent future issues.
Making matters worse is that there can be many obstacles to acting fast. They may include lack of full visibility into IoT infrastructure, or a shortcoming of niche defenses like antivirus software and firewalls.
Why 24x7 Monitoring Is the Answer
The good news is that 24x7 monitoring provides comprehensive insight into network activity. Aggregating logs from multiple on-premises and cloud-based architectures for analysis enables teams to evaluate alerts from a broad range of security systems. By monitoring your infrastructure 24x7, you can react quickly when the team investigating the alerts finds an issue.
However, devoting the necessary time and manpower to these tasks is often beyond the means of organizations with limited IT budgets or in-house expertise.
IoT Best Practice #5: Invest in a Security Operations Solution for Scalable Monitoring and Protection
In-house security operations are too costly and too complex for many organizations to manage. A security operations center requires a SIEM system supplemented by threat-subscription feeds, well-staffed teams, and codified response processes.
Throw in a growing talent shortage and this is no easy feat. The costs of these different components quickly add up, not to mention the added hurdle of implementation, which takes at least several months for the SIEM to become operational.
Yet, 24x7 monitoring is essential to catch as many security threats as possible across IoT. By working with a partner that provides security operations, you can benefit from a cost-effective, scalable, and easy-to-control solution. A managed security operations solution typically offers:
- A cloud-based SIEM.
- Around-the-clock monitoring and alerting.
- External vulnerability scanning.
- Compliance reporting.
- Hybrid AI, combining machine and human intelligence.
- Managed detection and response capabilities (MDR).
- Analysis from expert security engineers.
Since these capabilities are rolled into a subscription package with simple and predictable pricing, you don't have to break the bank or wait months for critical security systems to deploy before protecting your growing investments in IoT.
Piecing Together the IoT Security Puzzle
The size and technical limitations of the Internet of Things requires a unique approach to information and device security. While many specific practices for fending off threats are carryovers from endpoint security, IoT security demands that they be applied at a greater scale and speed than ever before.
Arctic Wolf security operations solutions with 24x7 monitoring deliver the insight and technical capacity to keep pace with the growing universe of IoT risks. Your dedicated Arctic Wolf Concierge Security® Team works as an extension of your in-house team to understand your unique security needs and ensure that your entire ecosystem, including IoT devices, is protected.