Why IoT Security Needs A Totally Different Approach: Lock the Doors

We all heard it growing up, “Close and lock the doors when you leave the house!” We all knew where the doors were and how to lock them. It was easy. But what if you don’t know where all the “doors are” and they don’t all have “locks?” What’s the move then?

Internet of Things (IoT) devices (any device that connects to our networks) are the open “doors” into, and out of, corporate networks. Most of the time, they’re hidden doors and don’t have locks. They range from complex multi-function printers to the name plates on hospital rooms to a thermometer in a casino lobby aquarium. They include cameras, temperature sensors, HVAC systems, insulin pumps and many other “game changing” technologies.

IoT devices are ubiquitous and still increasing in adoption for all aspects of business on our networks.

Along with their limitless utility, IoT devices present limitless security risk to themselves, to the sensitive (and valuable) data that they transmit, use and maintain, and also to the whole corporate networks that they’re connected to. Mainstream computer industry devices like desktops, laptops and servers have standards for enterprise management; IoT devices do not. IoT manufacturers have mainly focused their design efforts on utility, not security. Most customers still remain in the dark about IoT-associated risks.

In July, National Institute of Standards and Technology (NIST), came out with its 38 page NISTIR 8259 Core Cybersecurity Feature Baseline for Securable IoT Devices, A Starting Point for IoT Device Manufacturers (July 2019), in which the authors set out steps to “help Internet of Things (IoT) device manufacturers understand the cybersecurity risks their customers face so IoT devices can provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them.” They stated that, “a key motivation for developing this publication is also to help address the problem of IoT devices being compromised by attackers and joined to botnets, where they can be used to perform distributed denial of service (DDoS) attacks. Use of large numbers of IoT devices in botnets for the Mirai botnet attack in the fall of 2016 highlighted the vulnerable state of many IoT devices.”

Laws like California's SB 327, which will take effect in January 2020 (and similar regulations), are also requiring connected (IoT) device manufacturers to add security features that protect their devices and their customers’ networks.

So, what can we do now to address IoT security risk?

We believe the answer is locate and lock the doors.

Some companies in the exploding cyber security software industry have developed approaches to securing IoT devices with software that sniffs the network traffic or software that audits logs to identify anomalies, alert on them and react. In our “lock the doors” house analogy, these approaches are like motion detectors inside the house with sirens and auto dialers.

We believe that the best approach is a holistic cyber security maturity approach, including 1) environmental measures such as establishing and maintaining micro-segmentation on networks, 2) continuous inventorying, 3) asset lifecycle management from cradle to grave, 4) continuous vulnerability management, 5) security configuration management, including administrative privilege, 6) embedded system security software, 7) network sniffing and 8) log auditing.

Just like with mainstream computing devices, the best approach is both a “defend” approach and a “detect” approach, not just sniffing or log auditing, because there are standards for enterprise configuration management that apply to IoT.

In fact, the Center for Internet Security (CIS) agrees and identifies its “Basic Controls” to be: 1) inventory and control of hardware assets (this includes all IoT devices), 2) continuous vulnerability management, 3) controlled use of administrative privileges and 4) secure configuration of hardware and software on mobile devices, laptops, workstations and servers. CIS says that these are “the basics.” They apply to all hardware, including IoT devices. In other words, identify the doors, lock them and keep them locked.

The main security management issue is that standards for enterprise management of IoT are not available. So, a vendor-agnostic (comprehensive), customer-focused approach is required rather than relying on vendor-specific solutions.

Let’s look at an example IoT device type with mature security features, but where the basics aren’t even being met.

The most mature IoT devices on all corporate networks are, hands down, networked printers. They aren’t “dummy dot matrix copiers” like in the 1990s. These complex business machines currently sit at the top of the IoT food chain when it comes to business features, capabilities and configurability maturity. They number in the thousands on most corporate networks. There are hundreds of millions of networked printers deployed on networks in almost every type of organization, including HIPAA-regulated healthcare organizations and highly sensitive energy and government facilities. But, just like other IoT devices, they have no standards for management, access or features. Each manufacturer has a “buy our newest model with the newest features” sales approach and is brand- and model-siloed with its own management software. The result is that less than two percent (2%) of networked printers are secure.

As with other IoT devices, companies are unfamiliar with the risks presented by their networked printers or with what to do about them. They aren’t aware of the broad threat landscape that unprotected printers present: printers transmit, use and maintain electronic protected health information (ePHI) and personally identifiable information (ePII), and they also act as open gateways to the internal corporate networks they’re connected to.

The most common approach to securing print fleets has been to ignore them. Gartner points out that there may be as many as four or five titles that have duties for security (and compliance) of networked printers, with no one title having clearly defined responsibility. The $42.5B managed print services (MPS) industry, to which companies outsource the management of their print fleets, has been maintaining these devices for convenience of service, not security, because of extremely competitive economic pressures and also a complete lack of comprehensive printer security configuration management technology. Printer original equipment manufacturers (OEMs) do not expose their security features to common network scanning protocols.

To complicate matters, printer OEMs have been competing with each other by rapidly adding advanced business capabilities such as built-in e-mail, web, fax and FTP servers, huge hard drives, and many others. They’ve also built more advanced security features into their latest models to compete as well. But, for competitive reasons, they remain siloed when it comes to management of security features on their devices – the curse of proprietary product marketing strategies.

Without a vendor-agnostic (comprehensive) solution to access and manage across all diverse makes, models, ages and types, there has been no way for companies or their MPS providers to take advantage of those built-in features to secure whole print fleets. As with all other IoT devices, printers are too numerous to secure manually – it would not be economically feasible. For the same reason, they can’t be managed by cobbled-together OEM management software (even if available) for each make and model in the fleet, combined with expensive employees to operate it, to maintain security for these constantly changing fleets. As we can see from our mature IoT example, IoT now and moving forward must have an economical, customer-driven, vendor-agnostic (comprehensive) solution to address all IoT on networks and establish the basics—locate and lock the doors.
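As an added illustration of the “locate and lock the doors” basics applied to a print fleet (this is example code, not part of the original article or any vendor's product), the script below evaluates a constructed, vendor-agnostic inventory of printers against a hypothetical configuration baseline that maps onto the four CIS basic controls quoted above: unknown devices, unencrypted services left enabled, default administrative credentials and stale firmware. The baseline values and the fleet data are assumptions for the example; in practice the inventory would come from discovery and per-device configuration reads.

```python
from dataclasses import dataclass

# Hypothetical baseline (assumption for this example, not CIS text):
# the "locks" every networked printer should have regardless of make/model.
BASELINE = {
    "disallowed_services": {"ftp", "telnet", "http"},  # cleartext management/data paths
    "required_services": {"https"},                    # encrypted admin interface
    "max_firmware_age_days": 365,                      # continuous vulnerability management
}

@dataclass
class Printer:
    ip: str
    vendor: str
    model: str
    services: set            # network services the device currently exposes
    firmware_age_days: int
    default_admin_password: bool
    in_inventory: bool = True  # False = a "door" nobody knew about

def check_printer(p: Printer) -> list:
    """Return the list of baseline deviations for one device (empty = locked)."""
    findings = []
    if not p.in_inventory:
        findings.append("not in asset inventory")             # CIS 1: inventory and control
    for svc in sorted(p.services & BASELINE["disallowed_services"]):
        findings.append(f"{svc} enabled")                     # CIS 4: secure configuration
    for svc in sorted(BASELINE["required_services"] - p.services):
        findings.append(f"{svc} not enabled")
    if p.default_admin_password:
        findings.append("default admin password")             # CIS 3: admin privileges
    if p.firmware_age_days > BASELINE["max_firmware_age_days"]:
        findings.append("firmware older than baseline")       # CIS 2: vulnerability mgmt
    return findings

def fleet_report(fleet) -> dict:
    """Map each device IP to its findings, independent of vendor or model."""
    return {p.ip: check_printer(p) for p in fleet}

def compliant_fraction(fleet) -> float:
    """Share of the fleet with zero findings, the number a fleet owner tracks over time."""
    report = fleet_report(fleet)
    return sum(1 for f in report.values() if not f) / len(report)

# Constructed sample fleet (three vendors, one undiscovered device).
FLEET = [
    Printer("10.0.0.11", "VendorA", "MFP-1", {"https", "ipps"}, 120, False),
    Printer("10.0.0.12", "VendorB", "LJ-2", {"http", "ftp", "https"}, 30, True),
    Printer("10.0.0.13", "VendorC", "OldFax", {"telnet", "http"}, 900, False, in_inventory=False),
]

if __name__ == "__main__":
    for ip, findings in fleet_report(FLEET).items():
        print(ip, "locked" if not findings else ", ".join(findings))
    print(f"compliant: {compliant_fraction(FLEET):.0%}")
```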
