INDUSTRY PROFESSIONAL
Once and For All
Anyone who knows Disney at all probably remembers
the movie “Fantasia,” and relating to Mickey Mouse
in “The Sorcerer’s Apprentice,” as he cast a spell on
a broom to do his chores for him and make his life a
little easier. SPOILER ALERT: it did not go as Mickey intended,
with the broom ultimately cloning itself ad infinitum and causing
a massive flood that almost drowned Mickey.
The Internet of Things (IoT) offers parallel benefits, but also
a parallel lesson. On the one hand, IoT makes our everyday
lives easier. Smart speakers make it easy to play different types
of music in different rooms, and people feel safer when their
home is watched 24/7 by a smart security system. However, IoT
represents a substantial risk for the networks to which they are
connected.
IT IS ABOUT THE SOFTWARE
IoT software — all software — is written by humans, which
means it will never be perfectly secure code, even if it’s created
under the most idyllic secure software development lifecycle
implementation. Unfortunately, IoT software (especially
consumer IoT) tends to be less secure, which means easy-toexploit
vulnerabilities and more of them.
Consumer IoT software is an interesting problem because it’s
not as though manufacturers are intentionally releasing smart
thermostats, remote control drones or connected coffee makers
that will “go rogue” and start sending sensitive data to attackers.
Secure coding practices are more expensive and security is not
accountable. The fact is that currently, secure code is not part of
consumer IoT buying criteria.
SECURING IOT: WHAT DOESN’T WORK
For devices where the code may not be the most secure, endpoint
agents that detect and stop exploits and malware deployed on the
device itself, to help keep it safe. The agents are not deployed on
IoT devices for a few reasons:
• Endpoint agents are too expensive, financially and operationally,
for consumers to purchase, and install, and manage themselves.
• Endpoint agents are for specific operating systems and IoT
devices use such a wide variety of operating systems that it is
not feasible that an agent will specifically apply to each one.
Some IoT manufacturers will issue software patches to fix
vulnerabilities and bugs, but deploying and applying patches
comes with some operational overhead. For example, for
someone to upgrade their phone OS they likely have to start the
install manually and then restart their phone. It is annoying, so
most consumers will put off software upgrades until forced to
apply them.
For Industrial IoT (IIoT), patching and endpoint agents are a
no-go. These systems are critical for infrastructure to function —
think gas pipelines, power grids or water mains — so taking them
offline to apply patches is out of the question.
Therefore, the network has the job of providing security
measures for connected IoT devices.
SECURING IOT: GETTING STARTED
The first step is identifying that a connected device is indeed an
IoT device and then understanding the risk that device presents
to the network. For example:
• What is the use of the device?
• What access does it currently have?
• Is it running current software?
• Does that software have known high-severity vulnerabilities?
• Is that device exhibiting compromised behavior?
Answering these questions about an IoT device is fundamental
to figuring out how best to secure it. There are many mechanisms
that a threat-aware network can employ based on the context of
these answers.
IoT devices can also be put into a separate security zone with
access to resources limited based only on what the device needs to
access (least privilege), and that access should be segmented based
on individual sessions. For example, a printer on the Fourth floor
of a building can only have access to files sent to it for printing
and is not able to communicate with the engineering department’s
internal code repository. Access can and be defined per session,
and the direction of each session should be enforced. If a new,
unknown IoT device tries to connect via Wi-Fi or Bluetooth,
perhaps it connects to the guest network until questions are
answered sufficiently.
Additional security measures can be applied to IoT devices;
such as always-on decryption with IPS/anti-malware, content
inspection and sandboxing for all unknown files. Network
behavior to and from IoT devices monitored for indicators of
compromise, such as beaconing behaviors and connections to
known command-and-control domains and IP addresses.
HOW THE NETWORK CAN HELP
That said, when an IoT device is compromised and endpoint
protection is not there or a patch cannot be deployed quickly,
what can be done? The network can offer some mitigation.
In a threat-aware network, the infrastructure itself can stop
certain connections. A Wi-Fi access point might be able to help
assess the risk of the connecting device. The router might be able
to prevent a compromised device being leveraged in a DDoS
attack or prevent command-and-control communication to and
from malicious domains and IP addresses. The switch might be
able to help quarantine an infected IoT device at the switch port.
All of this is beyond what a firewall can and should do.
In a threat-aware network, every point of connection
participates in visibility, threat intelligence and enforcement,
and IoT threats are thwarted at every stop. It is not just Mickey
Mouse wringing his hands while the water level keeps rising; the
threat-aware network helps solve for some of the security issues
inherent in IoT so the benefits can be realized and life can be a
little easier.
This article originally appeared in the September / October 2021 issue of Security Today.