Internet of Things (IoT) systems in business and operational environments have increased the attack surface and introduced new risks to the confidentiality, integrity and availability of critical data and systems at many enterprises.
Security leaders need to update their organisation's threat profile to account for these risks and implement a formal plan for proactively managing them. Otherwise they risk becoming soft targets for adversaries looking to exploit vulnerable IoT environments to spy, steal data, launch distributed denial of service (DDoS) attacks, escalate privileges and disrupt operations in other ways, analysts say.
"IoT devices present a unique risk because organisations typically have hundreds of these devices on their IT and OT [operational technology] networks each expanding the attack surface and increasing organisational risk," says Kyle Miller, chief engineer and senior associate at Booz Allen Hamilton.
In recent years, internet-connected devices have proliferated within traditional IT and in operational environments. Organisations looking to remake themselves as connected enterprises have deployed IoT sensors and devices on plant floors, on equipment, in the field and elsewhere resulting in a massive data deluge.
Within enterprises, everything from facilities management and security monitoring systems to printers and lighting systems are being connected to the internet.
Analysts expect that over the next few years, enterprises will deploy billions of IoT devices to support myriad use cases. That will force organisations to reconsider the following factors when developing their threat models.
What IoT proliferation controls are in place?
A lot of the IoT use within organisations has happened in an incremental and non-strategic manner with little IT or security oversight, says Robert Boyce, North American cyber defence leader with Accenture's global cyber security practice. "Many organisations are deploying IoT devices without going through a formal governance process," he says. As a result, few have a clear picture of their IoT asset landscape and associated risks. Smaller IoT deployments are sometimes overlooked entirely from a threat perspective.
For instance, many of the devices used in enterprise settings including IP cameras, digital assistants and other smart devices connect directly to the internet. "A lot of these devices call home for upgrades," Boyce says. "And a lot of the time, China is home."
Similarly, when employees and executives interact as a group or individually with technologies like voice-activated virtual assistants, data confidentiality and privacy can become important concerns, says Dan Cornell, CTO at the Denim Group.
Conversations that happen in conference rooms or in an executive office can involve privileged and protected information that are sent to the device manufacturer's cloud, Cornell says. Considerations like whether confidential data is stored locally or in the cloud, where the data travels and how traceable it is, all become vital to understanding and mitigating the threat, he says.
Securely sending data over IoT systems is another challenge, because a high percentage of the traffic is not encrypted. Organisations also can underestimate the risk around device identification and authentication, provisioning and maintenance without formal threat modelling, Cornell says.
The consequences of such issues are far greater in an operational technology and industrial environment than they are in an IT network. Attacks on IoT vulnerabilities or security failures resulting from weaknesses in these environments can result in physical damage and safety-related consequences.
Increasingly, organisations are connecting smart devices to old and new industrial control systems (ICS) and other operational technologies. Critical OT systems and networks that once used to be safely air-gapped from the external world are now open to internet access and therefore more vulnerable to attack.
Where OT systems rarely extended beyond the operational environment they are now accessible to business users, suppliers, vendors and others.
Adding to the risk are third-party manufacturers who put new access functions into critical industrial control systems and then lock them down so others cannot update them. This has left many organisations in a situation where a third-party has a direct and permanent connection into the operational environment, Accenture’s Boyce says.
How much visibility do CSOs have into their IoT network?
Visibility is key to understanding and modelling threats in the IoT environment, says Cornell. To mitigate IoT risk, CSOs need to know their assets and identify the threats associated with each of them in a systematic and planned manner.
It involves identifying all the different ways in which a particular IoT asset might become a security liability and then applying measures to mitigate the likelihood of that happening, he says. These measures can include removing or disabling risky features, deploying operations controls, or implementing the technology differently.
When building a threat model, don’t look at IoT devices in isolation particularly in industrial and OT environments, says Mark Nicholson, a cyber principal with Deloitte Risk & Financial Advisory.
In assessing IoT-related threats, organisations need to consider the broader ecosystem within which these devices might exist. That means looking at how the devices connect with each other, with other devices and servers and hosts, he says.
"If you are just looking at the security of the devices and not appreciating how the devices interact with the rest of the environment and data you might be missing some of the picture," he says.
Gaining the visibility needed to do threat modelling can be hard. The sheer variety of IoT devices, lack of a standard architecture and inconsistent availability of security features across devices of the same type can make threat modelling a challenge.
"IoT devices and systems come in a variety of flavours and not all are designed or built with the same degree of cyber security robustness," says Booz Allen Hamilton’s Miller.
Many IoT devices run off of simplified, real-time or legacy operating systems and software frameworks that do not support the same level of security protections as traditional IT systems. For these reasons, visibility of IoT systems in an enterprise environment becomes more challenging to achieve, he says.
"The first step most organisations should take is getting an accurate snapshot of what IoT devices are already deployed within their networks," Miller says. "This is frequently one of our client’s largest blind spots as it pertains to asset inventory."
Multiple active and passive network and wireless discovery tools are available that organisations can use to aid in IoT asset discovery, Miller says. Once an organisation understands their IoT assets, they can then begin to implement security controls such as network segregation and threat monitoring to help protect them.
How do CSOs vet device security during procurement?
For future deployments, the best place to begin is with procurement, the Denim Group’s Cornell says. Enterprises procuring IoT devices are in a good position to ensure the vendor implements the requisite security features in their devices.
The acquisition process is a good time to do threat modelling and assessments to identify potential risks and vulnerabilities in planned IoT deployments, he says. "You have a much bigger stick to influence the vendor's behaviour prior to completing the procurement process," than after.
If the IoT devices CSOs plan to use are consumer focused, the vendor is unlikely to have a sales channel to sell to or support enterprise security requirements. So organisations need to be careful on where they source their devices, Cornell says.
To fully understand the risks and build safeguards against them in the contract, IoT procurement needs to happen in collaboration with the security organisation. Get a comprehensive bill of materials and audit rights around all the components in the IoT environment, says Deloitte's Nicholson.
Organisations need to understand where the components come from and the provenance of any IoT software they might intend to use.
If a third party will manage your IoT devices—especially in industrial and OT networks—then the contract needs to talk about the vendor’s or contractor's liabilities for any security incidents, Boyce adds. "I would also recommend a security review of the physical device itself," to ensure it meets security requirements, he says.
How well do IT and OT communicate about IoT security?
The most critical step to mitigating IoT risks is to involve the IT security organisation, security analysts say. Often organisations that are increasing their IoT footprint, especially on the industrial side, barely recognise the potential security implications.
Some organisations have begun building security capabilities into their ICS environments, but in many cases, the OT and IT side barely communicate with each other, Boyce says. Despite the enormous security implications, very little coordination occurs between the two groups. OT groups are often wary of IT security teams introducing controls in the environment without fully understanding their potential impact.
"You can't really operate these groups separately anymore," Boyce says. "There has to be constant cross education."