Perspectives on Securing the IoT

The Internet of Things (IoT) continues to generate excitement in business and government. With its low-cost networks of sensors and devices, IoT can be genuinely transformative in the way we live and work. At the same, the scale of the IoT and the pace of its growth, is quickly outrunning any formal or rational attempt to secure it.

Today, which is probably just the start of the beginning phase of IoT dominance, traditional notions of cybersecurity cannot possibly keep up with the number of devices coming on to the market and being rushed into deployment. It simply is not realistic to imagine that IoT users will vet devices, scan IoT device source code, link devices with access controls, apply security patches and so forth. Indeed, in many cases, these countermeasures are simply impossible to apply.

It is possible, however, to mitigate IoT risks using some emerging techniques that adapt to the technology’s inherent lack of security. The following perspectives, which I learned at RSA 2019, offer insights into how the IoT will be secured in the coming years.

Playing Along with the Device

The Industrial IoT (IIoT) represents an area of significant risk to manufacturing companies and critical infrastructure providers. As sensors and comparable devices proliferate in industrial settings, they expose workers, the public and industrial assets to cyber risk. One problem is the devices themselves. “You have to assume the device manufacturer is not focused on security,” explained Julian Weinberger NCP Engineering, which focuses on IIoT security. “To be secure, you have to work around the device.”

Julian Weinberger
Director of Systems Engineering, CISSP – NCP engineering

The NCP approach is to secure the data communication inside the IIoT. Their IIoT remote gateway and management system allow for monitoring and management of IoT devices, regardless of the manufacturer’s built-in security mechanisms, or lack thereof. “We control the data flow between devices and core plant equipment, encrypting it and securing access from outside the system,” Weinberger shared.

Two of the biggest challenges in IIoT, according to Weinberger, concern the illusion of the “air gap” between Operational Technology (OT) and the Internet. For many years, OT managers could confidently state that their systems, the ones that run big industrial machines, were separated from outside networks. This is less and less the case today, as Internet-connected IoT devices now occupy the same space on the factory floor, often with wireless connections between legacy OT and new IoT systems.

“It’s a bit like a burglar alarm in the home,” Weinberger observed. “In the old days, your alarm would dial out by a phone land line if there was a break in. Now, it’s done with WiFi, which is less secure and easier to hack. Everything’s connected. The company usually wants to use a single network to save money. This creates risk, however.”

“To get secure, IT and OT have to come together and figure out where each side of the equation is in terms of its lifecycle. It has to be a dialogue.”

In addition to the nonexistent air gap, which leaves the big OT systems vulnerable to attack, there’s a conflict in technology lifecycles. IT works in three-to-five-year cycles, with software and hardware being totally replaced in this time frame. OT systems live a lot longer, with replacement cycles measured in decades. “To get secure, IT and OT have to come together and figure out where each side of the equation is in terms of its lifecycle. It has to be a dialogue,” Weinberger said. “You can’t have IT assuming that OT will be up to date every five years, nor can OT sit back and say, ‘well, we installed this in 1982 and it still works fine.’” NCP closes these gaps by adding security layers when the underlying systems may not have the required functionality.

Monitoring the IoT

Radiflow’s strategy for IoT security is similar to NCP’s hands off approach, but differs in execution. Radiflow, which focuses on securing OT and SCADA systems, works through intelligent alert monitoring. Like NCP, they don’t touch end devices. They monitor networks or put firewalls in places with remote maintenance. This is known as a passive connection.

Like all countermeasures, security monitoring for OT and SCADA generates far more alerts than security analysts can handle. To be effective, IIoT countermeasures must have alert filters that create priority for the most potentially serious problems. This, however, is where Radiflow is different from other vendors.

“It’s a big mistake to apply the kind alert monitoring processes you get from IT to an OT environment,” said Ilan Barda, Radiflow’s CEO. “Most vulnerability scoring methods were developed for IT. They’re dangerously misleading in ICS/SCADA networks.”

“It’s a big mistake to apply the kind alert monitoring processes you get from IT to an OT environment,” said Ilan Barda, Radiflow’s CEO. “Most vulnerability scoring methods were developed for IT. They’re dangerously misleading in ICS/SCADA networks.”

Why is this? The issue is a difference in business processes. According to Barda, industrial processes have distinct points of risk, times and places where a malicious cyberattack could be catastrophic. “Process A could be relatively harmless if it’s disrupted,” Barda said. “Process B could cause damage the building if it’s disrupted. Process C could kill a thousand people if it’s hacked. Which alert do you want prioritized based on those facts? That’s where we come in.”

Ilan Barda, CEO of Radiflow

Actually, Radiflow deliberately steps away from the work of prioritizing of alerts, at least at first. Rather, their method is to let the business stakeholders build the priorities. “They know their processes better than we do,” Barda shared. “It makes the most sense to let them guide us.” From there, Radiflow adds threat intel, assumptions about attacker (e.g. state actors vs criminals) and feeds them into an alert priority algorithm.

Barda also stressed the importance of speaking the language of OT to make an impact on IIoT security. “If your customer’s job is to protect commuters by preventing train doors from opening, then he or she will want to know about cyber threats that can open train doors,” he explained. “To communicate effectively in this case, it won’t serve you well to talk about operating system malware on the system that opens the doors. You need to focus on the risk as perceived by the customer.”

Securing the Connected Home

Greg Young,
Vice President Cybersecurity at Trend Micro

For Greg Young, Vice President Cybersecurity at  Trend Micro, the IoT risks are right in the home. The Trend team put together sample “smart homes” in the US and EU to assess how seriously they were under cyber threat. What they found was not encouraging. “We’re seeing a ton of low-cost, insecure devices connected with controllers that may or may not have much in the way of security—as well as owners who, to be fair, aren’t really up to the job of securing them.”

What alarms Young are the dependencies and interconnects in the smart home. “You walk in and say ‘Alexa, I’m home.’ This switches off your burglar alarm, because that connection and order exists. Now, an attacker can turn off your burglar alarm, too, if he or she can get inside Alexa. Or, the attacker can tell the smart refrigerator to turn off the alarm.”

Risks abound in the smart home. “There’s a lot of personal data streaming through the connected devices in the smart home,” according to Young. This might include corporate credentials. Hackers are also now routinely taking over home devices for crypto mining.

“There’s a lot of personal data streaming through the connected devices in the smart home.”

Young’s suggestion is to avoid buying the cheapest devices for the smart home. “You can find devices with more security built in,” he explained. “It may not be optimal, but it’s a lot better than being totally exposed with the cheapest stuff.” He also recommends paying attention to configuration, especially at key connection points like the home router. “It’s worth taking the time to consult the manual and really do as best as you can to keep that router secure. That’s a great step to take.”

TrendMicro is working with manufactures to build more security into smart home devices. “It’s an evolving category,” Young said. “I think, as consumers become more aware of the risks, they’ll insist on certain security measures. Until then, it’s up to you to guard your smart home.”