The industry has struggled with IoT security for years; rushing out still more devices under the banner of 5G and edge computing, without better controls, will only exacerbate the existing problems.
IoT’s scale and reach remain a key part of its value proposition. By collecting data granularly across large areas and returning it to a central point for further analysis, one can obtain more detailed and actionable insights.
This same reach – and the number of devices required to achieve it – makes IoT endlessly challenging for those left to administer it.
At its smallest, IoT in smart cities might comprise tens of footfall sensors in park precincts or hundreds of sensors in a multi-storey car park. That climbs to thousands of sensors in many industrial environments, measuring air quality or the operational variances in the mechanical componentry of the heavy earthmoving fleets used in construction and mining.
But IoT is now also more than the vast fleets of sensors we once predicted. Use cases and device numbers for IoT are surging on the back of the rise of 5G and edge computing, which invite new uses for IoT and even more devices into production.
At this scale, it’s natural for problems to arise – and they are.
A single IoT flaw today can affect hundreds of millions of devices at once, and the exposure multiplies with the number and rate of newly uncovered flaws.
In the past year alone, we’ve seen multiple sets of IoT flaws that fit this description:
- In June 2020, hundreds of millions of IoT devices were found vulnerable to a series of zero-day vulnerabilities in a single software library they all embedded.
- In April 2021, conservative estimates put another 100 million devices vulnerable to a series of domain name system (DNS) flaws.
- Also, in April, another set of flaws emerged that attackers could use to execute malicious code or crash a “wide range of IoT and OT devices in industrial, medical and enterprise networks.”
- In May, vulnerabilities in the Wi-Fi protocols themselves further reduced the already flimsy defences of IoT and smart home devices.
Security problems in IoT persist because many devices, and the software they run, were never architected with security in mind, yet are designed to stay in service for decades. Hardening existing fleets is difficult: most IoT devices lack the compute and memory to run endpoint security agents, so they ship with very few built-in security mechanisms, and their manufacturers rarely issue firmware patches.
Attack volumes against IoT have escalated sharply over the past year and show few signs of backing off, reflecting how hard these devices are to secure.
Where attackers go next
The fears for IoT are twofold. Suppose an attacker compromises a device, whether on the IT or the OT network. First, can they use that initial foothold to move internally ("laterally") within the same network and do further damage? Second, can they leap to the other side of the network, from IT into OT or vice versa, and continue to wreak havoc while staying undetected?
It is hard to stop attackers from using IoT devices as entry points. Recognising this, security professionals focus on detecting what the attacker does at and beyond that initial foothold.
Best practice dictates that organisations isolate IoT network segments from the rest of the OT network. However, mistakes such as an over-permissive firewall rule or a dual-homed host can bridge the two, giving an attacker access across both environments.
To reduce risk further, defenders can use visibility tools to find signs of compromise and deceptive systems which mirror real OT devices to keep would-be attackers busy while exposing their intentions.
OT deception should exist on production OT devices. For example, planting decoy passwords and credentials on live devices makes an attacker easy to recognise the moment they try to use them, since no legitimate process ever will; defenders can then track and observe the attacker's activity from a safe distance. OT deception should also exist at the network level: if an attacker compromises, say, a CCTV system and tries to discover other systems on the network, they will trip over decoys that look and behave exactly like real network elements.
Modern deception and data concealment techniques go beyond spotting the use of planted credentials; defenders can also use them to hide production shares, files and objects from an attacker's view, preventing them from finding and accessing the assets they are after.
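As an added illustration of the decoy-credential idea described above (example code written for this page, not part of the original article or any vendor product), the following Python scans constructed SSH auth-log lines for logins that use planted decoy accounts. The account names, host names, log format and IP addresses are all assumptions made for the example. Because a decoy account is never used legitimately, any authentication attempt with it is a high-fidelity alert; the example also separates out the case a defender cares most about, a decoy harvested from one device and replayed against another, which is lateral movement in progress.

```python
"""Honeytoken alerting for planted decoy credentials on OT/IoT hosts.

Added example, not vendor code. Every name, host, address and log line
below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed: decoy account names and the host each one was planted on.
# These accounts have no legitimate user, so any use of them is suspicious.
DECOY_ACCOUNTS: Dict[str, str] = {
    "plc-maint": "hmi-01",
    "svc_backup_ot": "historian-02",
}

# Assumed sshd-style auth log format (hypothetical, simplified):
#   <timestamp> <host> sshd: Failed|Accepted password for [invalid user ]<user> from <ipv4>
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?:Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class DecoyAlert:
    ts: str          # when the attempt was logged
    user: str        # decoy account that was tried
    host: str        # device the attempt was made against
    src: str         # source address of the attempt
    planted_on: str  # device where the decoy was originally planted


def find_decoy_use(log_lines: List[str]) -> List[DecoyAlert]:
    """Return one alert per auth attempt that names a decoy account.

    Both failed and accepted attempts are flagged: the credential is a
    tripwire, so the outcome of the login does not matter.
    """
    alerts: List[DecoyAlert] = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an auth event in the assumed format
        user = m.group("user")
        if user in DECOY_ACCOUNTS:
            alerts.append(DecoyAlert(
                ts=m.group("ts"),
                user=user,
                host=m.group("host"),
                src=m.group("src"),
                planted_on=DECOY_ACCOUNTS[user],
            ))
    return alerts


def lateral_movement(alerts: List[DecoyAlert]) -> List[DecoyAlert]:
    """Keep only alerts where a decoy was replayed against a host other than
    the one it was planted on: the attacker harvested it and is moving."""
    return [a for a in alerts if a.host != a.planted_on]


# Constructed sample log: one benign login, a decoy harvested from hmi-01 and
# replayed against historian-02, a generic brute-force attempt, and a decoy
# used on the host it was planted on.
SAMPLE_LOG = [
    "2021-06-01T10:14:55Z hmi-01 sshd: Accepted password for operator from 10.20.30.5",
    "2021-06-01T10:15:02Z historian-02 sshd: Failed password for plc-maint from 10.20.30.40",
    "2021-06-01T10:15:09Z hmi-01 sshd: Failed password for invalid user admin from 10.20.30.40",
    "2021-06-01T10:15:20Z historian-02 sshd: Accepted password for svc_backup_ot from 10.20.30.40",
]

if __name__ == "__main__":
    found = find_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"DECOY USED: {a.user} on {a.host} from {a.src} (planted on {a.planted_on})")
    for a in lateral_movement(found):
        print(f"LATERAL MOVEMENT: {a.src} replayed {a.user} from {a.planted_on} against {a.host}")
```

The key design point is that the decoy account list is the only allow-list the detector needs: there is no behavioural baseline to tune, and the "invalid user admin" line, which would be noise in a conventional brute-force rule, is correctly ignored because it names no decoy. In a real deployment the same logic would run over the SIEM's normalised auth events rather than raw syslog, and the planted-on host would come from the deception platform's inventory rather than a hard-coded dictionary.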
Together, these controls can help IoT remain a modern convenience rather than a security liability.
Jim Cook is the ANZ regional director at Attivo Networks.