7 Steps to IoT Security in 2020

There are important steps security teams should take to be ready for the evolving security threats to the IoT in 2020.

In the opening weeks of a new year, it's reasonable to ask whether the security challenges to be faced in the year ahead differ from those in previous years. And whether or not the challenges differ, should organizations shift their defensive strategies, especially when it comes to operational technology (OT), Internet of Things (IoT), and critical infrastructure components?

"What we're seeing emerging in general trends in cybersecurity is that it's always been a pretty dynamic place, but now the attacks know no boundaries," says Stuart Reed, vice president of cybersecurity at Nominet. And, he explains, those boundary-jumping attacks against OT can have an impact beyond data — hitting systems that have an immediate impact on human life and safety.

Security's job is complicated by OT and IoT devices that weren't designed with the level of security that's now the norm in IT systems. "A lot of the control systems and the OT infrastructure were never, ever designed to be digitally connected anywhere else," says Reed. But the continuing trend of digitalization, he explains, means that few OT systems can remain isolated for long.

With threats from both criminal and nation-state aggressors evolving, what steps should security teams take to protect the OT and IoT systems owned by their organizations? Dark Reading spoke to experts in the industry to ask what they would recommend for dealing with the IoT threats of 2020. Through the conversations we collected seven key considerations for security professionals looking to keep their OT systems as secure as possible in the months ahead — no matter how the threat landscape might change.

(Image: Poobest via Adobe Stock)

Mind the Edge

"With the increase in edge computing and distributed sensor networks, cloud infrastructure and edge devices are an increasingly attractive target," says Jack Mannino, CEO of nVisium. The key to keeping the edge devices out of the grasping reach of attackers, he says, is to bring a hybrid approach to solving the problem.

"Edge computing requires a hybrid cloud approach, where the edge devices and cloud services must establish trust at each layer," Mannino says. And deciding on how that trust will be established and be part of the business process flow begins with a detailed analysis of how the edge device generates data, what kind of data it generates, and the process by which the data is transferred to the rest of the application infrastructure.

Just as traditional IT attackers often choose users as their way into a network, those who want to breach your IoT may see edge devices as hosting the easiest ports of entry. Don't let your focus on the rich, creamy center of the network keep you from paying attention to the often-brittle devices out at the edge.

(Image: denisismagilov via Adobe Stock)

Remember the People

While malware and the attacks based on it are becoming more sophisticated, tremendous sophistication isn't required for a successful attack, says Nominet's Reed. "There's some very basic and rudimentary attacks that potentially can take place if people are not aware of the role and responsibility they play in good cyber hygiene," he explains.

Those roles and responsibilities include obvious points like not clicking on attachments from unknown or unexpected sources, but they go far beyond those basics. Protecting vital data and infrastructure, after all, "...first requires the end user to accept that the data needs protection. Here we get into different societal norms regarding the accepted value of data and therefore the need to protect it, along with who should be responsible for protecting data in the first place," says Steve Durbin, managing director of the Information Security Forum.

The key to minimizing the risk from employee action is education, says Reed. And he sees the specific type of education as less important than the fact that serious education is taking place. "I think education takes a number of different forms, in addition to training courses. There are online modules, and the media plays a very key role in being able to educate the wider market that cybersecurity is of paramount importance," he explains.

(Image: auremar via Adobe Stock)

Look and See

A common theme in conversations with security professionals is the need for better visibility into your network and infrastructure. That need doesn't stop with the division between traditional IT and IoT devices.

"The potential security and privacy risks of IoT data cannot be determined without context of the IoT device and the risks it introduces," says Joseph Carson, chief security scientist at Thycotic. "To understand the risks of IoT devices, I first want to know what is its function or purpose; whether it is a data collector, a data processor, or a data correlator." Understanding the function is step two, after determining that the device exists as part of the overall infrastructure.

What are security professionals to do when it comes to gaining greater visibility into the IoT portions of their total infrastructure? The effort should start with "consistent security analysis of architecture blueprints for such prized assets [as IoT devices] to ferret out missing and incorrectly designed architecture controls, complemented by consistent secure code analysis (where permissible)," nVisium's Mannino says.

(Image: wladimir1804 VIA Adobe Stock)

Consumer Tech Matters

If you have a network, the odds are good that you have consumer devices connecting to your infrastructure. Employees have made personal technology part of their daily lives, and most will be reluctant to leave the advantages of those devices behind just because they've walked through the doors of an office building. "When these consumers go to work, they want to use these evermore powerful and capable devices for business applications, too -- over the past few years this has resulted in a blurring of lines between the organization and the individual, between personal information and publicly available details," says Durbin.

In many cases the issues don't begin with employee use of their own devices -- they begin with the fact that many of the most popular devices weren't designed to be secure business devices from the beginning of their design lives. Further, "The way these devices are used blurs the line between personal and business usage and behavior," says Information Security Forum's Durbin. "The potential risks include misuse of the device itself, outside exploitation of software vulnerabilities, and the deployment of poorly tested, unreliable business apps."

Defending your business IT and OT networks from hazards introduced by consumer IoT devices gets back to teaching employees that the hazards exist, and that it's important to keep the threats at bay. "In this there is a role for our education systems, governments, and regulators, all of which will need to combine with organizations and individuals to determine a robust and acceptable means of protecting personal data, ensuring privacy rights are preserved, whilst continuing to enable the use of increasingly sophisticated, technologically enabled means of working and living," Durbin says.

(Image: rcfotostock via Adobe Stock)

It Takes a Village

There are certainly small organizations (and very highly secure government or military installations) that include no Internet connectivity for their IoT devices. But for most organizations, moving, analyzing, and using the data from their edge devices means connecting the devices to the Internet and one or more cloud services. "With the increase in edge computing and distributed sensor networks, cloud infrastructure and edge devices are an increasingly attractive target," nVisium's Mannino points out.

Chris Morales, head of security analytics at Vectra, explains it succinctly. "Unlike a traditional desktop system where data can be stored and locked up away from prying eyes, IoT devices are designed to share information with each other and to remote storage locations for analytics and for providing the business remote access to their data. This usually takes the form of cloud storage hosted by the manufacturer of the IoT devices."

In dealing both with the cloud services and the IoT devices that may be involved in the total IoT environment, security professionals need to actively engage their suppliers and partners to make sure that the basic components are capable of secure use. For example, Fausto Oliveira, principal security architect at Acceptto, says that devices must have the ability to have default usernames and passwords changed, as well as the capacity for encrypted communications with both upstream and downstream systems in the network. "Organizations need to provide strong guidance to the vendors and make sure that, in the selection process, security is a clearly defined feature that is non-optional," Oliveira says. It is, he says, in the best interest of both the vendors and their customers to make sure the total system is as secure as possible.

(Image: metamorworks via Adobe Stock)

Focus on Device Agility

Two of the IoT characteristics that have made expanded OT so vulnerable are the unchangeable nature of so many devices and the fact that they tend to stay in place so very long. Vulnerable, static, and long-lasting are not qualities that most professionals look for in secure infrastructures.

"The use of default usernames and passwords, as well as insecure protocols, such as telnet, needs to disappear," says Acceptto's Oliveira. "There are better ways to achieve manageability without using easy-to-compromise default accounts and insecure protocols." It's not enough to simply say to vendors that their devices must allow default credentials and protocols to be changed, he insists. Customers must make that changeability a requirement for purchase.

"IoT devices need to be treated as any other security asset, and as such they need to be managed and audited for vulnerabilities periodically," Oliveira says. Nominet's Reed agrees. "Practitioners across the board need to make sure that they have the right audits and the right controls and the right policies in place to be able to understand with confidence that the third parties that they're working with have the same, if not better, security posture to their own," he says.

Both also acknowledge that solid auditing and monitoring have limited impact if the devices in the infrastructure can't be reconfigured to address vulnerabilities.

(Image: mrmohock via Adobe Stock)

Get Ruthless with Data

The IoT's ability to generate data is running headlong into the requirements of regulations like the European Union's General Data Protection Regulation and the newer California Consumer Privacy Act. As a result, "Businesses need to be even more mindful about the type of data devices are collecting and how that is used," says Vectra's Morales. He points out that, in an age where every device is connected and data is generated by cameras, GPS tracking, and sensors tracking every stage of a business, protecting personal privacy becomes paramount to keep personal freedoms.

"IoT devices are designed to share information with each other and to remote storage locations for analytics and for providing the business remote access to their data," Morales says. And that data has to be protected both in the device and as it moves from one stage in the business process to another. "All communication to and from the devices must be encrypted, and ideally data traffic must be subject to context-based and role-based access control, except for very specific cases there is no reason to leave a device contactable by the whole Internet," Acceptto's Oliveira says.

Understanding just how the "ruthlessness" can be applied to various parts of your IoT begins with visibility into both the infrastructure and the business processes they enable. "The potential security and privacy risks of IoT data cannot be determined without context of the IoT device and the risks it introduces," Thycotic's Carson says. "Knowing the role of the device and the data associated with it allows me to evaluate the risks that the device introduces on the network."
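The periodic audit described under "Focus on Device Agility" and the exposure and role checks described above can be run over a device inventory. The following is an added example, not code from the article or from any vendor quoted in it; the `Device` fields, severity labels, sample inventory, and the inclusion of `ftp` and `http` alongside telnet are assumptions made for illustration.

```python
from dataclasses import dataclass

# Cleartext protocols to flag. The article names telnet; ftp and http are
# added here as an assumption about what else counts as insecure.
CLEARTEXT = {"telnet", "ftp", "http"}
# The three device functions Carson asks about.
ROLES = {"collector", "processor", "correlator"}
RANK = {"critical": 3, "high": 2, "medium": 1}


@dataclass
class Device:
    name: str
    role: str                      # "" when nobody has classified the device
    protocols: set
    default_creds_active: bool
    creds_changeable: bool
    internet_reachable: bool
    exposure_reason: str = ""      # documented business reason, if any
    reconfigurable: bool = True    # can settings or firmware be changed at all?


def audit(dev):
    """Return a list of (severity, finding) tuples for one device."""
    findings = []
    if dev.role not in ROLES:
        findings.append(("medium", "function unknown, data risk cannot be assessed"))
    if dev.default_creds_active:
        if dev.creds_changeable:
            findings.append(("high", "default credentials still active"))
        else:
            findings.append(("critical", "default credentials cannot be changed"))
    cleartext = sorted(dev.protocols & CLEARTEXT)
    if cleartext:
        findings.append(("high", "cleartext protocols enabled: " + ", ".join(cleartext)))
    if dev.internet_reachable and not dev.exposure_reason:
        findings.append(("high", "Internet-reachable with no documented reason"))
    # An audit finding on a device that cannot be reconfigured cannot be
    # remediated in place, so high findings are escalated.
    if not dev.reconfigurable:
        findings = [("critical", text + " (cannot be reconfigured)") if sev == "high"
                    else (sev, text) for sev, text in findings]
    return findings


def triage(inventory):
    """Map device name -> findings, worst device first; clean devices omitted."""
    flagged = {d.name: f for d in inventory if (f := audit(d))}

    def worst(item):
        return max(RANK[sev] for sev, _ in item[1])

    return dict(sorted(flagged.items(), key=lambda item: (-worst(item), item[0])))


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("lobby-camera", "collector", {"telnet", "https"}, True, False, True),
    Device("hvac-gateway", "processor", {"https", "mqtts"}, False, True, True,
           exposure_reason="vendor cloud uplink, allow-listed"),
    Device("dock-sensor", "", {"http"}, False, True, False, reconfigurable=False),
    Device("line-plc", "correlator", {"ssh"}, True, True, False),
]

if __name__ == "__main__":
    for name, findings in triage(INVENTORY).items():
        for sev, text in findings:
            print(f"{name:14} {sev:9} {text}")
```
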

(Image: EtiAmmos via Adobe Stock)

About the Author

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
