IoT Device Security: Risk Assessment, Hygiene Are Key
Key takeaways from this article include the following:
- As devices and data proliferate at the edge, so do cybersecurity incidents. According to one survey, 72% of organizations experienced an increase in IoT device security incidents in 2020.
- The consumerization of health care, among other emerging connected-device trends, has created new vulnerabilities at the edge of the network.
- Preventing security breaches at the edge requires some sound best practices, including doing a complete inventory of all devices in an organization’s estate, as well as developing risk profiles for each device.
- Organizations need to craft policies for IoT devices and consider network segmentation, among other best practices to ensure better security for IoT devices at the edge.
As IoT devices at the edge of the network continue to proliferate, IT pros could be forgiven for comparing their efforts to a game of whack-a-mole.
As one device emerges with known vulnerabilities, there may be several more lurking, unbeknownst to IT, that are vulnerable to attack. According to F-Secure, cyberattacks on IoT devices increased 300% in 2019.
By 2022, there will be some 25 billion devices at the edge – all of which will vie for attention on the global network, according to the Telecommunications Industry Association. More than two-thirds – or some 18 billion – will be IoT devices. Survey data also suggests that enterprises will spend an average of 30% of IT budgets on edge cloud computing over the next three years, according to “Strategies for Success at the Edge, 2019,” a report by Analysys Mason.
In conjunction, these data points suggest that enterprises will move key compute resources to the edge to enable processes such as video surveillance, performance monitoring of industrial equipment and real-time data analytics.
According to new data released by Cybersecurity Insiders, 72% of organizations experienced an increase in endpoint and IoT device security incidents in the past year, while 56% anticipate their organization will likely be compromised due to an endpoint- or IoT-originated attack within the next 12 months.
Preventing Cybersecurity Attacks on IoT at the Edge
The keys to contending with these encroachments on enterprise security, say experts, are greater knowledge about an enterprise’s IoT profile and key security hygiene steps that many enterprises neglect.
“The biggest issue is trying to work out what is in your estate and how it gets there,” said Alex Leadbeater, head of global obligations and futures, BT Security at ETSI, in the panel discussion “Mitigating and Managing Risk with IoT – Securing your Device and Managing Infrastructure” at the IoT Security Summit in early December.
Leadbeater said shadow IT – whereby a business unit introduces an unsecured (and unknown to IT) connected device because it satisfies an unmet need – isn’t malicious but contributes greatly to enterprise cybersecurity vulnerabilities.
“IoT slowly creeps in,” said Leadbeater. “Call it ‘the march of IoT’ into segments that originally didn’t have it: hospitals, critical national infrastructure. They simply don’t have policies for [these IoT devices] because they didn’t realize that they were there until they realize they have a security vulnerability,” he said.
Health care organizations have experienced this shadow IT problem in high relief, said panel participant Seth Fogie, director of information security at Penn Medicine, as demand has increased in the wake of COVID-19 for remote care and digitized services.
“There has been a really big push to take the medical device out to the patient,” Fogie said. This “consumerization” of patient care with connected devices augments IoT device vulnerabilities, providing entryways to attack other parts of the enterprise. “Special-interest groups will want to learn more about their specific niche and want to put an IoT piece on the network to run a quick pilot,” and those demos can threaten network safety. “It’s a real challenge we deal with on an ongoing basis,” he said.
Fogie noted that Penn Medicine had installed a temperature monitoring system to gauge the temperature of refrigerators for drugs and food. “If something went wrong there – drugs and food can go bad – it can impact patient care,” Fogie recalled. “But it was pulled off the internet, with default passwords that came right off the internet,” he said. That kind of password exposure is a simple fix for IT pros, but also a surprisingly common mistake, Leadbeater said.
Further, Fogie noted, the temperature monitoring device was vulnerable enough to become a launching point, where malicious attackers could hop from that system to the back end. “The answer is to segment things off,” Fogie said, whereby IoT device networks are cordoned off from other key IT data networks.
Lack of Visibility Into IoT Devices on the Network
Within the health care industry, the move toward digital health care and remote monitoring of patients – with patients and practitioners using pacemakers, glucose monitors and other devices – has exacerbated the shadow IT problem.
Fogie emphasized that with trends like digital medicine having exploded in 2020, the attack surface has increased and created new attack points for malicious actors.
But IoT device security requires taking a solid inventory of these shadow IT devices so malicious actors don’t access them first.
Steps to IoT Device Security at the Edge
There are three key steps in addressing vulnerabilities in an IoT estate, said Russell Schafer, head of product marketing, security platforms, at Check Point Software, during the panel discussion.
- Discovery. During this stage, IT pros should take a comprehensive inventory of the components of their IT environments. They should assign a risk profile to each device, noting operating system, patches and known vulnerability attacks.
- Policy and segmentation. Malicious actors exploit holes in organizational security by jumping from device to device. Given the risk profile, IT should automate security policies that dictate communications that the organization allows and those it blocks. For example, an MRI machine might be allowed to send an image to a particular database but not communicate with other devices.
- Monitoring and threat prevention. IT should use software to look at connections between devices and the network to detect anomalies in traffic and behavior.
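The three steps above, sketched as an added example (not code from the article or the panelists): an inventory with a risk score per device, a default-deny allow-list modeled on the MRI-to-database rule, and a check of observed flows against both. All device names, addresses, ports and score weights are constructed for illustration.

```python
from typing import NamedTuple

class Device(NamedTuple):
    name: str
    os_supported: bool      # False once the OS is end of life
    default_password: bool  # vendor default credentials still set
    open_vulns: int         # known, unpatched vulnerabilities

# Step 1 (discovery): constructed inventory keyed by IP; all values are made up.
INVENTORY = {
    "10.20.0.5": Device("mri-1", True, False, 1),
    "10.20.0.9": Device("fridge-temp-1", False, True, 2),
    "10.30.0.10": Device("image-db", True, False, 0),
}

# Step 2 (policy and segmentation): default deny; only listed flows may pass.
ALLOWED = {("mri-1", "image-db", 104)}  # constructed rule: MRI -> image database

def risk_score(d):
    """Hypothetical weighting for ranking devices, not a standard."""
    return 3 * (not d.os_supported) + 3 * d.default_password + min(d.open_vulns, 4)

def review_order():
    """Device names, highest risk first."""
    return [d.name for d in sorted(INVENTORY.values(), key=risk_score, reverse=True)]

def evaluate(flows):
    """Step 3 (monitoring): flag flows that involve an uninventoried
    address or that the allow-list does not permit."""
    findings = []
    for src, dst, port in flows:
        s, d = INVENTORY.get(src), INVENTORY.get(dst)
        if s is None or d is None:
            findings.append((src, dst, port, "unknown-device"))
        elif (s.name, d.name, port) not in ALLOWED:
            findings.append((src, dst, port, "policy-violation"))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.5", "10.30.0.10", 104),   # MRI to image database: allowed
    ("10.20.0.9", "10.30.0.10", 22),    # fridge monitor reaching the back end
    ("10.20.0.77", "10.20.0.5", 80),    # address missing from the inventory
    ("10.20.0.5", "10.20.0.9", 443),    # MRI talking to another device
]

if __name__ == "__main__":
    print(review_order())
    for finding in evaluate(FLOWS):
        print(finding)
```

An "unknown-device" finding is the shadow IT case: traffic from an address nobody inventoried.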
No Quick Fixes for IoT-at-the-Edge Vulnerabilities
While the panelists indicated there are no speedy remedies to the problem of malicious attackers infiltrating IoT devices at the edge, they noted a few tactics that could help. One is the notion of building in security by design. While many industrial devices as well as consumer devices were not built for constant updates and patching, the panelists noted that more development efforts now incorporate security upfront – and before building devices.
Yet another, Fogie said, is the prospect of enlisting vendors’ “bug bounties.” Google and Microsoft, for example, actively enlist researchers to test systems and identify vulnerabilities before malicious forces do.
“If I knew a device went through that level of exploration, I would be more likely to [use it],” Fogie said. Ultimately, though, experts said that IoT device security is devoid of quick fixes.
“There [is] no ‘We’re going to fix this in two days’ kind of a fix,” Leadbeater said.
Sidebar: Common Vulnerabilities for IoT Devices
For IT pros trying to assess their IoT landscape and their risk profile, experts cite a few key sources of vulnerability that you should assess and remediate up front to reduce IoT device security risk.
- Windows 95. This operating system has reached its end of life, so it is a target for malicious actors.
- Zigbee protocol. This is a known vulnerability, and many lighting systems use Zigbee building management systems.
- Phishing attacks. Phishing attacks via email can be a launch point from which to infiltrate IoT devices. According to Schafer, one manufacturer in Asia had to shut down its plant for two days following a phishing attack.