The explosive growth of IoT in the last decade is showing no signs of abating. Almost all new electronics are being fitted with an Internet connection. People love to buy new shiny toys and then take them to work to show colleagues. Sometimes they buy them for the office. In both cases they are often connected to the company network, creating a major shadow IT challenge.
To see what risk this is creating, Forescout Technologies took a closer look at the impact of IoT on the enterprise. It has released that research in a report titled: Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT. It discovered a blurring of the boundaries between consumer and enterprise IoT. This results in an uncontained, unnoticed and uncontrolled spread of devices across the enterprise.
As part of the research, Forescout developed its own reference architecture for the smart building of the future. It will be showing off that architecture along with its research at DEFCON in Las Vegas on August 10th. It’s a good place to do so. Not only is DEFCON likely to result in people taking the research further, Las Vegas is in the early stages of becoming a Smart City. The architecture that Forescout has developed could well find its way into some of the new buildings.
Elisa Costante, head of Forescout Research Labs, Forescout said: “Today’s connected world is made up of billions of devices that use a myriad of operating systems and network protocols to exchange data across industries and boundaries.
“We created Forescout Research Labs to explore the security implications of this hyper-connected world and research the associated threats and risks coming from these devices.”
IoT is the new shadow IT inside the enterprise walls
Smart TVs, Amazon Alexa, surveillance cameras, smart lights, heating controls and internet-connected fridges are arriving in offices. In reality, some of these have been there for some time. Others, such as Amazon Alexa, arrive as part of business plans to deploy digital assistants. What they all deliver are routes into the enterprise for criminals to launch cyberattacks and steal data.
The research from Costante’s team showed:
- Many IoT devices, including surveillance cameras, are set up by default to communicate over unencrypted protocols, allowing for traffic sniffing and tampering with sensitive information.
- Forescout Research Labs demonstrated how sensitive information could be tampered with using surveillance cameras commonly used by enterprises. Researchers successfully replaced a network video recorder’s footage with previously recorded fake content.
- Compromising the video surveillance system is an example of a cyber-physical attack.
- A search on Shodan pulled up nearly 4.7 million devices that could be potentially impacted by using these unencrypted protocols.
The biggest issue here is the lack of encryption by default on these devices. Not only does this leave them open to attack; many also ship with well-known default usernames and passwords. This allows any hacker using Shodan, BinaryEdge, Thingful or another search engine to identify and attack those devices. In some cases the devices are then used to map corporate networks. In others, they are used to launch attacks against other organisations.
How do we begin to address this?
To get control of the situation Costante says you need: “device visibility and control.” This should be driven by the right set of policies and controls. For example, when new devices arrive in the business, they should not be connected to the network without IT knowing about them. This allows IT to build an asset register of authorised devices. The problem here is that end-user technology, from smart watches to tablets, is often connected without authorisation.
To deal with this, Costante believes that we should do a better job of segmenting networks. Users want and even expect their devices to be connected to the network. Segmenting the network means that users can be given networks to which they can connect their tablet, smart watch, mobile phone or other technology. If those devices need access to corporate data, there needs to be a method to allow that, but only for those devices.
Monitoring network traffic will show up the unencrypted chatter from IoT devices. It can then be managed through the use of policies at gateways, switches and firewalls. It will also allow the IT department to build a picture of where that data is being sent. Given the increased compliance requirements around data and privacy, this is a critical step. If the traffic is encrypted, organisations need to invest in the right technology to decrypt and check traffic to reduce the risk of data exfiltration.
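The three steps above (an asset register of authorised devices, a separate segment for user and IoT devices, and monitoring of traffic for unencrypted chatter leaving the network) can be combined into a simple policy check over flow records. The script below is an added illustration, not code from Forescout or from the report; the asset register, address plan, flow records and the port-to-protocol mapping are all constructed for the example, and real flow data would come from switch or firewall logs.

```python
"""Flag IoT devices that are missing from the asset register or that send
cleartext traffic to external hosts. All inputs below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumption: cleartext protocols are identified by well-known destination port.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 554: "rtsp", 1883: "mqtt"}

# Constructed address plan: RFC 1918 ranges count as internal, anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed asset register of authorised IoT devices, keyed by MAC address.
ASSET_REGISTER = {
    "00:11:22:33:44:55": "lobby surveillance camera",
    "66:77:88:99:aa:bb": "meeting room smart TV",
}

# Constructed flow records from the IoT segment: src_mac src_ip dst_ip dst_port proto
SAMPLE_FLOWS = """\
00:11:22:33:44:55 10.20.1.10 10.1.5.20 443 tcp
00:11:22:33:44:55 10.20.1.10 203.0.113.7 554 tcp
66:77:88:99:aa:bb 10.20.1.11 198.51.100.9 80 tcp
de:ad:be:ef:00:01 10.20.1.42 192.0.2.33 1883 tcp
de:ad:be:ef:00:01 10.20.1.42 10.1.5.20 443 tcp
"""


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Finding:
    kind: str       # "unregistered_device" or "cleartext_egress"
    src_mac: str
    detail: str


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records, skipping blank or malformed lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        mac, src, dst, port, proto = parts
        flows.append(Flow(mac.lower(), src, dst, int(port), proto.lower()))
    return flows


def is_external(ip: str) -> bool:
    """True when the address is outside every internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(flows: List[Flow], register: Dict[str, str]) -> List[Finding]:
    """Apply two policies: the source must be a registered device, and no
    cleartext protocol may leave the internal network."""
    findings: List[Finding] = []
    reported_unknown = set()
    for f in flows:
        # Report each unregistered device once, not once per flow.
        if f.src_mac not in register and f.src_mac not in reported_unknown:
            reported_unknown.add(f.src_mac)
            findings.append(Finding("unregistered_device", f.src_mac,
                                    f"{f.src_ip} is not in the asset register"))
        proto_name = CLEARTEXT_PORTS.get(f.dst_port)
        if proto_name and is_external(f.dst_ip):
            findings.append(Finding("cleartext_egress", f.src_mac,
                                    f"{proto_name} from {f.src_ip} to {f.dst_ip}:{f.dst_port}"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, which is what a daily report would show."""
    counts: Dict[str, int] = {}
    for fd in findings:
        counts[fd.kind] = counts.get(fd.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyse(parse_flows(SAMPLE_FLOWS), ASSET_REGISTER)
    for r in results:
        print(f"[{r.kind}] {r.src_mac}: {r.detail}")
    print(summarise(results))
```

On the constructed records the camera and the smart TV are registered but send RTSP and HTTP to external hosts, and the unknown device talks MQTT to the outside, so the check surfaces exactly the two problems the text describes: devices IT does not know about, and unencrypted traffic leaving the building. Matching on destination port is a deliberate simplification; a production version would use protocol identification from the gateway or firewall rather than port numbers.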
IT security should also consider its own use of Shodan, BinaryEdge or Thingful. Using these to monitor the corporate environment will provide a way of quickly identifying devices that are insecure. It can also be used as an education tool to help end users understand how “at risk” their home environments can be.
Not just about the consumerisation of IoT
This is not just about the consumerisation of IoT. Costante’s team found numerous examples of Operational Technology (OT) that was just as poorly secured. These systems range from sensors on critical equipment to building management systems such as thermostats, badge readers, door locks and motion sensors.
Like consumer and some enterprise-grade IoT, these systems are often installed independently of the IT department, in this case by engineers seeking to solve problems. Many of them are not trained in cyber security, and their focus is on technology that solves an issue, not on security.
Like consumer IoT, many of these systems have poor security. They can also be hard to update and secure. For older OT systems, attempts to secure them can lead to catastrophic failure, as Christian Koch, senior manager for GRZ and IOT/OT for NTT Security Germany, told us in a podcast earlier this year.
When it comes to solving the difference between engineers and IT over OT, Costante told us: “It’s a communication problem. Management should bring them all to the table because this is about solving a company problem. Both groups need to listen and speak the same language. IT should tell engineering that we are trying to provide visibility into the security of devices and improve the performance and life of devices in the field. Engineering needs to understand that and learn about cyber security.”
Enterprise Times: What does this mean?
Creating their own smart building and then tearing it down to identify weaknesses and vulnerabilities has given the Forescout team a lot of data. This research puts some of that into the hands of IT security. Spotting data leaving the organisation is something IT should be used to. Printers, servers, storage devices, even manufacturing equipment send a lot of data back to vendors every single day. Most IT departments have built rules to manage it. This research shows that they need to expand those rules to deal with smart buildings.
As we rush towards ever smarter buildings and more and more IoT, there is a need to pause for a moment. Without security and controls, technology is as much an enemy as a friend. This is a piece of well presented, thought out and constructive research. Many of the reports we get simply focus on the negative without putting forward any solutions or architectures.
This research should be a must read for the CISO, CTO and the entire IT security team.