Why IoT Security Needs A Totally Different Approach: Lock the Doors

We all heard it growing up: “Close and lock the doors when you leave the house!” We all knew where the doors were and how to lock them. It was easy. But what if you don’t know where all the “doors” are, and they don’t all have “locks”? What’s the move then?

Internet of Things (IoT) devices (any device that connects to our networks) are the open “doors” into, and out of, corporate networks. Most of the time they are hidden doors, and most of them have no locks. They range from complex multi-function printers to the electronic name plates on hospital rooms to a thermometer in a casino lobby aquarium. They include cameras, temperature sensors, HVAC systems, insulin pumps and many other “game changing” technologies.

IoT devices are already ubiquitous on corporate networks, and adoption keeps growing across every part of the business.

Along with their limitless utility, IoT devices present limitless security risk: to themselves, to the sensitive (and valuable) data they transmit, use and maintain, and to the whole corporate networks they are connected to. Mainstream computing devices like desktops, laptops and servers have standards for enterprise management; IoT devices do not. IoT manufacturers have focused their design efforts mainly on utility, not security. Most customers remain in the dark about IoT-associated risks.

In July 2019, the National Institute of Standards and Technology (NIST) released its 38-page draft NISTIR 8259, Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, in which the authors set out steps to “help Internet of Things (IoT) device manufacturers understand the cybersecurity risks their customers face so IoT devices can provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them.” They stated that “a key motivation for developing this publication is also to help address the problem of IoT devices being compromised by attackers and joined to botnets, where they can be used to perform distributed denial of service (DDoS) attacks. Use of large numbers of IoT devices in botnets for the Mirai botnet attack in the fall of 2016 highlighted the vulnerable state of many IoT devices.”

Laws like California’s SB 327, which takes effect in January 2020, and similar regulations are also requiring connected (IoT) device manufacturers to equip their devices with reasonable security features that protect both the device and the customer’s network.

So, what can we do now to address IoT security risk?

We believe the answer is locate and lock the doors.

Some companies in the exploding cyber security software industry have developed approaches to securing IoT devices with software that sniffs network traffic, or software that audits logs, to identify anomalies, alert on them and react. In our “lock the doors” house analogy, these approaches are like motion detectors inside the house with sirens and auto dialers: they tell you someone is already inside.

We believe that the best approach is a holistic cyber security maturity approach, including 1) environmental measures such as establishing and maintaining micro-segmentation on networks, 2) continuous inventorying, 3) asset lifecycle management from cradle to grave, 4) continuous vulnerability management, 5) security configuration management, including control of administrative privileges, 6) embedded system security software, 7) network sniffing and 8) log auditing.

Just as with mainstream computing devices, the best approach combines a “defend” approach and a “detect” approach. Not just sniffing or log auditing: the same configuration-management basics that apply to desktops and servers apply to IoT.

In fact, the Center for Internet Security (CIS) agrees. Four of its six “Basic Controls” are: 1) inventory and control of hardware assets (this includes all IoT devices), 2) continuous vulnerability management, 3) controlled use of administrative privileges and 4) secure configuration of hardware and software on mobile devices, laptops, workstations and servers. CIS calls these “the basics.” They apply to all hardware, including IoT devices. In other words, identify the doors, lock them and keep them locked.

The main security management issue is that standards for enterprise management of IoT are not available. So a vendor-agnostic (comprehensive), customer-focused approach is required rather than relying on vendor-specific solutions.

Let’s look at an example IoT device type with mature security features, but where the basics aren’t even being met.

The most mature IoT devices on corporate networks are, hands down, networked printers. They aren’t the “dumb” dot matrix printers and copiers of the 1990s. These complex business machines sit at the top of the IoT food chain in business features, capabilities and configurability. They number in the thousands on most corporate networks. Hundreds of millions of networked printers are deployed in almost every type of organization, including HIPAA-regulated healthcare organizations and highly sensitive energy and government facilities. But, just like other IoT devices, they have no standards for management, access or features. Each manufacturer follows a “buy our newest model with the newest features” sales approach and is siloed by brand and model, each with its own management software. The result, by our estimate, is that less than two percent (2%) of networked printers are securely configured.

As with other IoT devices, companies are unfamiliar with the risks presented by their networked printers and with what to do about them. They are not aware of the broad threat that unprotected printers present to the electronic protected health information (ePHI) and personally identifiable information (PII) the devices transmit, use and maintain, nor that those printers act as open gateways into the internal corporate networks they are connected to.

The most common approach to securing print fleets has been to ignore them. Gartner points out that as many as four or five job titles may have duties for the security (and compliance) of networked printers, with no one title having clearly defined responsibility. The $42.5B managed print services (MPS) industry, to which companies outsource the management of their print fleets, has maintained these devices for convenience of service, not security, because of extremely competitive economic pressures and a complete lack of comprehensive printer security configuration management technology. Printer original equipment manufacturers (OEMs) also do not expose the state of their security features to common network scanning protocols, so a scan of the fleet cannot tell you which of those features are actually turned on.

To complicate matters, printer OEMs have been competing with each other by rapidly adding advanced business capabilities such as built-in e-mail, web, fax and FTP servers, large hard drives and many others, each of which is another door into the device. They have also built more advanced security features into their latest models to compete. But, for competitive reasons, they remain siloed when it comes to managing the security features on their devices: the curse of proprietary product marketing strategies.

Without a vendor-agnostic (comprehensive) solution to access and manage devices across all makes, models, ages and types, companies and their MPS providers have had no way to take advantage of those built-in features to secure whole print fleets. As with all other IoT devices, printers are too numerous to secure manually; it would not be economically feasible. For the same reason, they cannot be managed by cobbling together each OEM’s management software (where it exists at all) for every make and model in the fleet, plus expensive employees to operate it, to maintain security across constantly changing fleets. As our mature IoT example shows, IoT now and going forward needs an economical, customer-driven, vendor-agnostic (comprehensive) solution that addresses all IoT on the network and establishes the basics: locate and lock the doors.
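What “locate and lock the doors” looks like in practice, for the CIS basics listed earlier (hardware inventory, administrative privileges, secure configuration) and the built-in web, FTP and other servers that printers ship with: the script below is an added example written for this page, not code from the article or from any printer OEM or MPS vendor. It reconciles a scan of a segment against the asset inventory (locate), then checks each device against a per-class baseline of allowed ports, default admin credentials and factory SNMP community strings (lock). The IPs, MACs, device classes, the baseline port sets and the configuration facts are all constructed assumptions chosen to illustrate the checks; in a real fleet they would come from your scanner and from each device’s management interface.

```python
"""Added example (not code from the article or any printer vendor).

"Locate the doors": reconcile what a network scan actually found against the
asset inventory (CIS Basic Control 1, inventory of hardware assets).
"Lock the doors": check each device against a per-class secure-configuration
baseline (controlled admin privileges, secure configuration).

Everything below is constructed sample data: the IPs, MACs, the per-class
baseline of allowed ports and the configuration facts are assumptions chosen
to illustrate the checks, not values taken from any standard or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Well-known port assignments for services printers commonly expose.
SERVICE_NAMES = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp", 443: "https",
                 515: "lpd", 631: "ipp", 9100: "jetdirect"}

# Assumed baseline: which ports a device of each class may expose. A printer is
# allowed encrypted management plus the two printing protocols and nothing else.
BASELINE_PORTS: Dict[str, Set[int]] = {
    "printer": {443, 631, 9100},
    "hvac": {443},
}
# SNMP community strings that ship as factory defaults on many devices.
WEAK_SNMP_COMMUNITIES = {"public", "private"}

Finding = Tuple[str, str]  # (finding code, human-readable detail)


@dataclass
class ScannedDevice:
    """What a port scan plus a read of the device's management interface produced."""
    ip: str
    mac: str
    open_ports: Set[int]
    admin_password_is_default: bool = False   # assumption: readable via the admin UI/API
    snmp_community: Optional[str] = None      # community string the device answers to


def reconcile(inventory: Dict[str, str], scan: List[ScannedDevice]) -> Tuple[List[str], List[str]]:
    """Locate the doors: devices on the wire that the inventory does not know
    (returned by IP) and inventory entries the scan did not see (returned by MAC)."""
    seen = {d.mac for d in scan}
    unknown = sorted(d.ip for d in scan if d.mac not in inventory)
    missing = sorted(mac for mac in inventory if mac not in seen)
    return unknown, missing


def check_baseline(dev: ScannedDevice, device_class: Optional[str]) -> List[Finding]:
    """Lock the doors: compare one device's observed state to its class baseline.
    An unknown class (None) gets an empty baseline, so every open port is
    reported until someone inventories the device."""
    allowed = BASELINE_PORTS.get(device_class, set())
    findings: List[Finding] = []
    for port in sorted(dev.open_ports - allowed):
        name = SERVICE_NAMES.get(port, "unknown")
        findings.append(("unneeded-service",
                         f"{name}/{port} open; disable it on the device or block it at the segment boundary"))
    if dev.admin_password_is_default:
        findings.append(("default-admin-credential",
                         "factory admin password still in use; set a unique one"))
    if dev.snmp_community in WEAK_SNMP_COMMUNITIES:
        findings.append(("weak-snmp",
                         f"SNMP community '{dev.snmp_community}' is a factory default; change it or move to SNMPv3"))
    return findings


def assess(inventory: Dict[str, str], scan: List[ScannedDevice]) -> dict:
    """Run both steps over a whole fleet and return a report keyed for automation."""
    unknown, missing = reconcile(inventory, scan)
    findings = {d.ip: check_baseline(d, inventory.get(d.mac)) for d in scan}
    return {"unknown": unknown, "missing": missing, "findings": findings}


# Constructed inventory: MAC address -> device class.
INVENTORY = {
    "00:11:22:33:44:01": "printer",
    "00:11:22:33:44:02": "printer",
    "00:11:22:33:44:03": "hvac",
}

# Constructed scan results for the same segment.
SCAN = [
    ScannedDevice("10.0.5.10", "00:11:22:33:44:01", {80, 161, 443, 631, 9100},
                  admin_password_is_default=True, snmp_community="public"),
    ScannedDevice("10.0.5.11", "00:11:22:33:44:02", {443, 631, 9100}),
    # A printer nobody inventoried, still running FTP, Telnet and plain HTTP.
    ScannedDevice("10.0.5.99", "00:11:22:33:44:EE", {21, 23, 80, 9100}),
]

if __name__ == "__main__":
    report = assess(INVENTORY, SCAN)
    print("unknown devices:", report["unknown"])
    print("inventoried but not seen:", report["missing"])
    for ip, items in report["findings"].items():
        for code, detail in items:
            print(f"{ip}: [{code}] {detail}")
```

The point of keeping the baseline per device class rather than per vendor is the article’s argument in miniature: the same check runs against every make and model, and a device that is not in the inventory gets the strictest treatment (every open port reported) until someone claims it. Note that the two configuration checks assume you can read the admin-password and SNMP state from the device; as the article says, OEMs do not expose that state to ordinary scanning, so in practice that part of the input has to come from each device’s management interface or API.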
