INDUSTRY PROFESSIONAL

Once and For All

Anyone who knows Disney at all probably remembers the movie “Fantasia,” and relating to Mickey Mouse in “The Sorcerer’s Apprentice,” as he cast a spell on a broom to do his chores for him and make his life a little easier. SPOILER ALERT: it did not go as Mickey intended, with the broom ultimately cloning itself ad infinitum and causing a massive flood that almost drowned Mickey.

The Internet of Things (IoT) offers parallel benefits, but also a parallel lesson. On the one hand, IoT makes our everyday lives easier. Smart speakers make it easy to play different types of music in different rooms, and people feel safer when their home is watched 24/7 by a smart security system. However, IoT represents a substantial risk for the networks to which they are connected.

IT IS ABOUT THE SOFTWARE

IoT software — all software — is written by humans, which means it will never be perfectly secure code, even if it’s created under the most idyllic secure software development lifecycle implementation. Unfortunately, IoT software (especially consumer IoT) tends to be less secure, which means easy-toexploit vulnerabilities and more of them.

Consumer IoT software is an interesting problem because it’s not as though manufacturers are intentionally releasing smart thermostats, remote control drones or connected coffee makers that will “go rogue” and start sending sensitive data to attackers. Secure coding practices are more expensive and security is not accountable. The fact is that currently, secure code is not part of consumer IoT buying criteria.

SECURING IOT: WHAT DOESN’T WORK

For devices where the code may not be the most secure, endpoint agents that detect and stop exploits and malware deployed on the device itself, to help keep it safe. The agents are not deployed on IoT devices for a few reasons: • Endpoint agents are too expensive, financially and operationally, for consumers to purchase, and install, and manage themselves. • Endpoint agents are for specific operating systems and IoT devices use such a wide variety of operating systems that it is not feasible that an agent will specifically apply to each one.

Some IoT manufacturers will issue software patches to fix vulnerabilities and bugs, but deploying and applying patches comes with some operational overhead. For example, for someone to upgrade their phone OS they likely have to start the install manually and then restart their phone. It is annoying, so most consumers will put off software upgrades until forced to apply them.

For Industrial IoT (IIoT), patching and endpoint agents are a no-go. These systems are critical for infrastructure to function — think gas pipelines, power grids or water mains — so taking them offline to apply patches is out of the question.

Therefore, the network has the job of providing security measures for connected IoT devices.

SECURING IOT: GETTING STARTED

The first step is identifying that a connected device is indeed an IoT device and then understanding the risk that device presents to the network. For example: • What is the use of the device? • What access does it currently have? • Is it running current software? • Does that software have known high-severity vulnerabilities? • Is that device exhibiting compromised behavior?

Answering these questions about an IoT device is fundamental to figuring out how best to secure it. There are many mechanisms that a threat-aware network can employ based on the context of these answers.

IoT devices can also be put into a separate security zone with access to resources limited based only on what the device needs to access (least privilege), and that access should be segmented based on individual sessions. For example, a printer on the Fourth floor of a building can only have access to files sent to it for printing and is not able to communicate with the engineering department’s internal code repository. Access can and be defined per session, and the direction of each session should be enforced. If a new, unknown IoT device tries to connect via Wi-Fi or Bluetooth, perhaps it connects to the guest network until questions are answered sufficiently.

Additional security measures can be applied to IoT devices; such as always-on decryption with IPS/anti-malware, content inspection and sandboxing for all unknown files. Network behavior to and from IoT devices monitored for indicators of compromise, such as beaconing behaviors and connections to known command-and-control domains and IP addresses.

HOW THE NETWORK CAN HELP

That said, when an IoT device is compromised and endpoint protection is not there or a patch cannot be deployed quickly, what can be done? The network can offer some mitigation.

In a threat-aware network, the infrastructure itself can stop certain connections. A Wi-Fi access point might be able to help assess the risk of the connecting device. The router might be able to prevent a compromised device being leveraged in a DDoS attack or prevent command-and-control communication to and from malicious domains and IP addresses. The switch might be able to help quarantine an infected IoT device at the switch port. All of this is beyond what a firewall can and should do.

In a threat-aware network, every point of connection participates in visibility, threat intelligence and enforcement, and IoT threats are thwarted at every stop. It is not just Mickey Mouse wringing his hands while the water level keeps rising; the threat-aware network helps solve for some of the security issues inherent in IoT so the benefits can be realized and life can be a little easier.

This article originally appeared in the September / October 2021 issue of Security Today.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities