Internet of hackable things? Why IoT devices need better security
The Internet of Things is amazingly powerful and useful — but not always safe to use, and most organizations with IoT implementations need to do a better job of keeping them secure. That is a message Jerry Irvine, CIO of Prescient Solutions, a Chicago IT services company, would like his fellow CIOs to take to heart. In an interview with The Enterprisers Project, he explains why.
The Enterprisers Project (TEP): Do IoT devices present more of a security threat than more traditional devices? If so, why?
Irvine: The main reason that IoT devices present such significant security threats is due, for the most part, to the specific functions these devices are designed to fulfill. Common IoT devices, such as thermostats, garage door openers and even alarm systems, are typically small form factor devices with very little surface area where chips or other components can be installed. As a result, only basic functionality such as reporting, monitoring and alerting is included within their programming. Additional functionality and features such as security, unfortunately, are not included within the devices themselves. Basic levels of security such as user ID and password are often required in the device's management applications. But these security measures are usually easy to bypass.
The same kinds of chips used in IoT devices have been performing basic functions for businesses, manufacturing, and power companies for over five decades. These devices are called Industrial Control Systems (ICS), Programmable Logic Controllers (PLC) and Supervisory Control and Data Acquisition (SCADA) devices. Only in the past few years have these monitoring devices and controllers become popular in the residential market.
TEP: Given that barring IoT devices from the workplace network may be impractical, what options do IT leaders have for keeping the network secure from any threats they may bring?
Irvine: Initial designs of IoT devices were developed for companies to monitor production environments and allow for remote control and alerting. Because these devices were designed to perform limited and specific automated functions within the production environment, they were on completely different networks from the business networks and end user access. As business, production, and telephony networks have converged over the past decade, these Industrial Control Systems have been combined onto the same networks as everything else. Because the design and configuration of these chips have remained the same since the early 1950s, many vulnerabilities and risks associated with their use have been defined. Whether it is commercial ICS or residential IoT devices, the first step in securing them is complete segmentation from the Internet.
TEP: Many IoT devices send and receive machine-to-machine (M2M) communications and this type of data flow is growing exponentially. Should it be a source of concern for CIOs?
Irvine: Machine-to-machine communication has existed for over 50 years. One of the major issues with this type of communication is the proprietary languages or protocols in which devices speak to each other. These protocols were not designed to exist in an open environment where they can be seen, copied and retransmitted by anyone who has Internet access. They were designed to work within a closed environment with only trusted users and devices. The security of the protocols has not kept pace with the requirements for allowing communications to and from these devices across the Internet.
As a result, these devices can be specifically targeted to cause multiple problems. Malware exists to cause system outages, failures and even to physically damage hardware (for example, Stuxnet). Additionally, vulnerabilities within these systems can allow malicious users to gain access to other devices within the internal network, causing loss, corruption and theft of data, personally identifiable information, and intellectual property. The Target breach originated from an HVAC vendor.
Until new safer protocols, chips, and applications are created, the safest option is to segment ICS and IoT devices on separate networks with no access to the Internet and limit access and communications to them only to specific computers and users. Any external access to these devices should be encrypted via VPN or some other means of communications.
TEP: What advice would you offer to CIOs about keeping their networks secure in an IoT world?
Irvine: Managing and securing ICS and IoT devices is similar to managing and securing computers, laptops, tablets and mobile devices. Devices need to be kept up to date. All vendors create and distribute security patches and application updates that provide fixes to known bugs, vulnerabilities and other risks associated with old code. Patch management is critical in maintaining a secure device. Devices should also be routinely scanned with antivirus, antimalware or other vulnerability scanning solutions. While ICS and IoT devices do not generally allow for antivirus to be installed on them directly, it should be installed and current on all of the computers and devices accessing them.
Users should create unique user IDs and unique complex passwords for all devices. Many ICS and IoT devices detected in production have the default passwords in place. These passwords can be easily found on the Internet and allow access to the devices as well as to all computers and networks they are attached to.
Segmentation must be implemented using firewalls to limit access to these devices to only known and authorized users. Additionally, segmented devices should be configured to monitor and alert administrators to all unauthorized attempts to communicate to these devices.
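A concrete form of the segmentation and alerting Irvine describes, as an added example rather than anything from the interview: a small Python check that evaluates firewall flow logs against the policy "only the management hosts may reach the IoT segment, IoT devices never reach the Internet, and IoT devices do not initiate contact with the business network". The addresses, log format and log lines are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumed network layout (constructed for this example, not from the article).
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")                           # segmented ICS/IoT devices
MGMT_HOSTS = {ipaddress.ip_address(a) for a in ("10.10.0.5", "10.10.0.6")}  # only hosts allowed to reach them
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Flow(NamedTuple):
    ts: str
    action: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed log line: '<ts> <ACCEPT|DROP> <src> -> <dst>:<port> <proto>'."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    dst, _, port = parts[4].rpartition(":")
    try:
        return Flow(parts[0], parts[1], ipaddress.ip_address(parts[2]), ipaddress.ip_address(dst), int(port))
    except ValueError:
        return None

def is_internet(addr) -> bool:
    """Anything outside the RFC 1918 ranges is treated as the Internet."""
    return not any(addr in net for net in PRIVATE)

def violation(f: Flow) -> Optional[str]:
    """Return why the flow breaks the segmentation policy, or None if it is permitted."""
    src_iot, dst_iot = f.src in IOT_SEGMENT, f.dst in IOT_SEGMENT
    if dst_iot and not src_iot and f.src not in MGMT_HOSTS:
        return "inbound to IoT segment from a non-management source"
    if src_iot and is_internet(f.dst):
        return "IoT device reaching the Internet"
    if src_iot and not dst_iot and f.dst not in MGMT_HOSTS:
        return "IoT device initiating contact with the business network"
    return None

def audit(lines):
    """Return (severity, ts, src, dst, reason) for each policy-violating flow.
    A DROP is an unauthorized attempt to alert on; an ACCEPT means a firewall rule is wrong."""
    alerts = []
    for f in filter(None, map(parse_flow, lines)):
        why = violation(f)
        if why:
            sev = "misconfigured-rule" if f.action == "ACCEPT" else "blocked-attempt"
            alerts.append((sev, f.ts, str(f.src), str(f.dst), why))
    return alerts

SAMPLE_LOG = [  # constructed lines: management to PLC, workstation blocked, PLC to Internet, PLC syslog, Internet to PLC
    "2024-03-01T08:00:00Z ACCEPT 10.10.0.5 -> 10.20.0.10:502 tcp",
    "2024-03-01T08:00:05Z DROP 10.10.0.77 -> 10.20.0.10:502 tcp",
    "2024-03-01T08:00:09Z ACCEPT 10.20.0.10 -> 203.0.113.8:443 tcp",
    "2024-03-01T08:00:12Z ACCEPT 10.20.0.10 -> 10.10.0.5:514 udp",
    "2024-03-01T08:00:15Z DROP 198.51.100.4 -> 10.20.0.11:23 tcp",
]
```

Running `audit(SAMPLE_LOG)` flags three of the five flows; the accepted connection from the IoT segment to the Internet is the one that indicates a gap in the firewall rules rather than an attempt the firewall stopped.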