Why IoT Security Needs A Totally Different Approach: Lock the Doors

We all heard it growing up, “Close and lock the doors when you leave the house!” We all knew where the doors were and how to lock them. It was easy. But what if you don’t know where all the “doors are” and they don’t all have “locks?” What’s the move then?

Internet of Things (IoT) devices (here, any non-traditional device that connects to our networks) are the open “doors” into, and out of, corporate networks. Most of the time they are hidden doors, and they don’t have locks. They range from complex multi-function printers to the electronic name plates on hospital rooms to the thermometer in a casino lobby aquarium. They include cameras, temperature sensors, HVAC systems, insulin pumps and many other “game changing” technologies.

IoT devices are ubiquitous, and their adoption is still increasing across every aspect of business on our networks.

Along with their limitless utility, IoT devices present limitless security risk: to themselves, to the sensitive (and valuable) data that they transmit, use and maintain, and to the whole corporate networks that they are connected to. Mainstream computing devices like desktops, laptops and servers have standards for enterprise management; IoT devices do not. IoT manufacturers have mainly focused their design efforts on utility, not security. Most customers still remain in the dark about IoT-associated risks.

In July 2019, the National Institute of Standards and Technology (NIST) released its 38-page draft NISTIR 8259, Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, in which the authors set out steps to “help Internet of Things (IoT) device manufacturers understand the cybersecurity risks their customers face so IoT devices can provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them.” They stated that, “a key motivation for developing this publication is also to help address the problem of IoT devices being compromised by attackers and joined to botnets, where they can be used to perform distributed denial of service (DDoS) attacks. Use of large numbers of IoT devices in botnets for the Mirai botnet attack in the fall of 2016 highlighted the vulnerable state of many IoT devices.”

Laws like California’s SB 327, which takes effect in January 2020 (and similar regulations elsewhere), also require manufacturers of connected (IoT) devices to equip them with reasonable security features that protect the device itself and the customer’s network.

So, what can we do now to address IoT security risk?

We believe the answer is locate and lock the doors.

Some companies in the exploding cyber security software industry have developed approaches to securing IoT devices with software that sniffs network traffic, or software that audits logs, to identify anomalies, raise alerts and react. In our “lock the doors” house analogy, these approaches are like motion detectors inside the house with sirens and auto-dialers: they tell you someone is already inside.

We believe that the best approach is a holistic cyber security maturity approach, including 1) environmental measures such as establishing and maintaining micro-segmentation on networks, 2) continuous inventorying, 3) asset lifecycle management from cradle to grave, 4) continuous vulnerability management, 5) security configuration management, including control of administrative privilege, 6) embedded system security software, 7) network sniffing and 8) log auditing.

Just as with mainstream computing devices, the best approach combines “defend” and “detect.” Not just sniffing or log auditing: baseline controls for enterprise configuration management already exist, and they apply to IoT just as they do to any other hardware.

In fact, the Center for Internet Security (CIS) agrees. Among its “Basic Controls” it lists: 1) inventory and control of hardware assets (this includes all IoT devices), 2) continuous vulnerability management, 3) controlled use of administrative privileges and 4) secure configuration of hardware and software on mobile devices, laptops, workstations and servers. CIS calls these “the basics.” They apply to all hardware, including IoT devices. In other words: identify the doors, lock them and keep them locked.

The main security management issue is that no vendor-neutral standard for enterprise management of IoT devices is available. So a vendor-agnostic (comprehensive), customer-focused approach is required rather than relying on vendor-specific solutions.

Let’s look at an example IoT device type that has mature security features, yet where the basics still aren’t being met.

The most mature IoT devices on corporate networks are, hands down, networked printers. They aren’t the “dumb” dot matrix printers and copiers of the 1990s. These complex business machines sit at the top of the IoT food chain in business features, capabilities and configurability. They number in the thousands on many corporate networks, and hundreds of millions are deployed in almost every type of organization, including HIPAA-regulated healthcare organizations and highly sensitive energy and government facilities. But, just like other IoT devices, they have no common standards for management, access or features. Each manufacturer pushes a “buy our newest model with the newest features” sales approach and is siloed by brand and model, with its own management software. The result is that less than two percent (2%) of networked printers are secure.

As with other IoT devices, companies are unfamiliar with the risks presented by their networked printers, or with what to do about them. They aren’t aware of the broad threat landscape that unprotected printers present: not only to the electronic protected health information (ePHI) and personally identifiable information (PII) that the devices transmit, use and maintain, but also as open gateways into the internal corporate networks they are connected to.

The most common approach to securing print fleets has been to ignore them. Gartner points out that as many as four or five job titles may have duties for the security (and compliance) of networked printers, with no single title having clearly defined responsibility. The $42.5B managed print services (MPS) industry, to which companies outsource the management of their print fleets, has been maintaining these devices for convenience of service rather than security, because of extremely competitive economic pressures and a complete lack of comprehensive printer security configuration management technology. Printer original equipment manufacturers (OEMs) do not expose their security features through common network scanning and management protocols, so a generic scanner sees a printer’s open ports but not the settings that would close them.

To complicate matters, printer OEMs have been competing with each other by rapidly adding advanced business capabilities such as built-in e-mail, web, fax and FTP servers, large hard drives and many others, each one another door to account for. They have also built more advanced security features into their latest models to compete. But, for competitive reasons, they remain siloed when it comes to managing the security features on their devices: the curse of proprietary product marketing strategies.

Without a vendor-agnostic (comprehensive) solution that can access and manage across all makes, models, ages and types, companies and their MPS providers have had no way to take advantage of those built-in features to secure whole print fleets. As with all other IoT devices, printers are too numerous to secure manually; it would not be economically feasible. For the same reason, they can’t be managed with cobbled-together OEM management software (even where it is available) for each make and model in the fleet, plus expensive staff to operate it, to maintain security across these constantly changing fleets. As our mature IoT example shows, IoT now and going forward needs an economical, customer-driven, vendor-agnostic (comprehensive) solution that addresses all IoT on the network and establishes the basics: locate and lock the doors.
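To make the “locate and lock the doors” basics concrete (continuous inventory, secure configuration, controlled administrative privilege and micro-segmentation, applied to the printers’ built-in web, FTP and other services described above), here is an added example in Python. It is not the article’s tooling or any OEM’s management software. The allowed-port baseline, the VLAN name and the three-printer inventory are assumptions constructed for the example; only scan_host() touches the network, with a plain TCP connect probe, and the report itself runs entirely on the constructed inventory.

```python
"""Locate-and-lock check for a print fleet (added example, not the article's
or any OEM's tooling). Each printer's "doors" (listening services, SNMP
community, admin credential, network placement) are graded against an
assumed hardening baseline."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed baseline: a printer may expose only its HTTPS admin UI and the one
# print protocol in use (raw 9100). These numbers and the VLAN name are
# assumptions for the example, not a CIS- or vendor-published baseline.
ALLOWED_PORTS: Set[int] = {443, 9100}
PRINTER_VLAN = "print-vlan"

# Legacy or cleartext services printers commonly ship enabled, with the
# severity of leaving each one reachable.
LEGACY_SERVICES = {
    21: ("ftp", "high"),      # cleartext credentials, writable storage
    23: ("telnet", "high"),   # cleartext admin shell
    80: ("http", "medium"),   # cleartext admin UI
    161: ("snmp", "medium"),  # config read/write if the community is weak
    515: ("lpd", "low"),      # unauthenticated print submission
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]

@dataclass
class Device:
    ip: str
    model: str
    open_ports: Set[int]
    snmp_community: Optional[str] = None
    default_admin_password: bool = False
    vlan: str = "unknown"

@dataclass
class Finding:
    ip: str
    control: str   # which "basic" control the gap falls under
    detail: str
    severity: str

def evaluate(device: Device) -> List[Finding]:
    """Grade one device; an empty list means every door is locked."""
    out: List[Finding] = []
    for port in sorted(device.open_ports):
        if port in LEGACY_SERVICES:
            name, sev = LEGACY_SERVICES[port]
            out.append(Finding(device.ip, "secure-configuration",
                               f"{name}/tcp {port} reachable", sev))
        elif port not in ALLOWED_PORTS:
            out.append(Finding(device.ip, "secure-configuration",
                               f"undocumented service on tcp/{port}", "medium"))
    if 161 in device.open_ports and device.snmp_community in DEFAULT_SNMP_COMMUNITIES:
        out.append(Finding(device.ip, "admin-privilege",
                           f"SNMP community '{device.snmp_community}' is a default", "high"))
    if device.default_admin_password:
        out.append(Finding(device.ip, "admin-privilege",
                           "admin UI still uses the vendor default password", "critical"))
    if device.vlan != PRINTER_VLAN:
        out.append(Finding(device.ip, "micro-segmentation",
                           f"device sits on '{device.vlan}', not '{PRINTER_VLAN}'", "medium"))
    return out

def worst_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="none")

def fleet_report(devices: List[Device]) -> Dict[str, List[Finding]]:
    """Map each IP to its open doors; this is the continuous-inventory step."""
    return {d.ip: evaluate(d) for d in devices}

def scan_host(ip: str, ports, timeout: float = 0.5) -> Set[int]:
    """TCP connect probe used to fill Device.open_ports for a real host."""
    found: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((ip, port)) == 0:
                found.add(port)
    return found

# Constructed inventory (not real hosts): one hardened printer, one as
# shipped from the OEM, one on the wrong segment.
FLEET = [
    Device("10.0.50.11", "MFP-A", {443, 9100}, vlan=PRINTER_VLAN),
    Device("10.0.50.12", "MFP-B", {21, 23, 80, 161, 515, 9100},
           snmp_community="public", default_admin_password=True,
           vlan=PRINTER_VLAN),
    Device("10.0.10.40", "MFP-C", {443, 9100, 8080}, vlan="user-vlan"),
]

if __name__ == "__main__":
    for ip, findings in fleet_report(FLEET).items():
        print(f"{ip}: {worst_severity(findings)} ({len(findings)} findings)")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

Run it as a script to see each printer’s open doors grouped by the CIS basic they fall under. In practice the inventory records would come from scan_host() plus whatever the OEM exposes (SNMP or its web UI) for the community string and credential state; the point of the example is that once those facts are normalized into a Device record, the check itself is vendor-agnostic and can be re-run continuously across the whole fleet.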
