The city of Atlanta is the latest entity to suffer a ransomware attack. How did the invaders get into multiple municipal computer systems? The investigative team is not yet sharing details. The attack provides yet another example that proves what pundits have been preaching for years: computer systems reachable through a public network can, and will, be breached. And these experts point to the internet of things (IoT) as an especially weak link in the security chain.
A joint Ponemon Institute-Shared Assessments Program study released on March 25, 2018, the day before Atlanta’s civic employees turned their computers back on, reveals that 97 percent of respondents to the study survey believe that IoT-connected devices will be catastrophic for their organizations. Only 29 percent actively monitor third-party IoT device risks, and only nine percent are aware of all such devices connected to their networks. The situation is like a dry-as-tinder forest, where one stray match can start a devastating blaze.
Why Such Vulnerability?
The deployment of IoT devices has quickly outpaced the ability of security systems and system managers to provide protection. But the sheer number of connected devices is only one part of the problem. Understanding the sources of vulnerability can inform the design of secure systems.
Device manufacturers bear some of the responsibility for leaving doors open to intruders. They have known about some of these vulnerabilities for years; only now, with devices exposed on public networks at scale, have those vulnerabilities become a widespread problem. Manufacturers understandably do not build sophisticated security into inexpensive devices intended for consumer use, and preprogrammed passwords can be difficult to change — if the owner thinks to take that step. Security software requires frequent updates, another expense that manufacturers often avoid.
Organizations usually have much more sophisticated equipment hooked up to their networks, everything from process controllers to critical temperature monitors to MRI machines, and a lot of it. According to the study mentioned above, organizations can soon expect to have an average of 24,762 such devices — or almost 25,000 potential endpoint vulnerabilities. And about half of survey respondents indicated that they do not keep an inventory of IoT devices or related applications. The survey points to the larger organizational problem: lack of accountability, possibly driven by lack of understanding, for this new class of devices.
Other sources of security vulnerability are inherent in the nature of IoT devices. Some connected devices are intended to have long lifespans; Cisco lists power meters in its IoT security framework. Can, or will, their security software get proper updates? These devices generally have multiple users — workers in a manufacturing facility who share a controller, for example, or homeowners who use smartphones to manage household systems. Every user needs to supply credentials, which increases overhead. The Cisco document also points out that not all networks have the capacity to sustain device-management overhead.
What To Do?
The first step toward a robust security program is awareness of the potential problems if connected devices are left unprotected. The second is ownership of the problem and the solution — and spreading this information through the organization. As the study cited above points out, C-level executives often do not understand the potential security risks connected devices bring to an organization’s computer infrastructure.
Staff directly involved in developing and enforcing security protocols can follow best practices suggested by experts. Multiple reliable sources publish up-to-date advice (see links in the References section); network security staff can easily search for new threats and solutions or consult hardware and software vendors for updates. The following summarizes current (2018) best-practices advice.
- Maintain a current, accurate inventory of all networked hardware; every one is a network endpoint
- Ensure that hardware is tamper- and theft-resistant
- Limit the number of people who have access to physical devices
- Require identity-level, not device-level, authentication
- Assign robust boot-level passwords
- Update firmware and apply patches as soon as these are available
- Perform dynamic testing
- Define a process to protect data when a device is taken out of service
- Use strong authentication and give each device a unique username and password
- Use strong encryption and secure protocols
- Minimize device bandwidth
- Segment networks
- Understand risk; designate critical devices
- Require regular password changes
- Use penetration testing
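Inventory heads the list above, and the study cited earlier found that only nine percent of organizations know every device on their networks. The following is an added example, not code from the article or from the study it cites, that reconciles constructed DHCP lease lines against a constructed asset inventory and reports unknown endpoints, inventoried devices running firmware behind the vendor's current release, and inventoried devices that were not seen at all; every MAC address, hostname and version number is made up.

```python
"""Reconcile observed network endpoints against an IoT asset inventory.

Added example; the inventory, firmware table and DHCP leases are constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    mac: str        # hardware address as recorded in the inventory
    name: str       # hostname the organization assigned to the device
    critical: bool  # "designate critical devices" from the checklist
    firmware: str   # firmware version the inventory says is installed


# Constructed inventory: what the organization believes is on the network.
INVENTORY = [
    Asset("00:11:22:33:44:01", "hvac-ctrl-1", True, "2.1.0"),
    Asset("00:11:22:33:44:02", "mri-suite-a", True, "5.0.3"),
    Asset("00:11:22:33:44:03", "lobby-cam-1", False, "1.4.0"),
]

# Constructed vendor-current firmware versions, keyed by device name.
CURRENT_FIRMWARE = {"hvac-ctrl-1": "2.2.0", "mri-suite-a": "5.0.3", "lobby-cam-1": "1.5.1"}

# Constructed DHCP lease lines in the form "<mac> <ip> <hostname>".
DHCP_LEASES = """\
00:11:22:33:44:01 10.0.5.10 hvac-ctrl-1
00:11:22:33:44:03 10.0.5.12 lobby-cam-1
00:11:22:33:44:09 10.0.5.40 smart-tv
00:11:22:33:44:0a 10.0.5.41 -
"""


def version_tuple(v):
    """'2.10.1' -> (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def reconcile(inventory, current_firmware, leases):
    """Return unknown endpoints, stale-firmware assets and assets not seen."""
    known = {a.mac.lower(): a for a in inventory}
    seen = set()
    unknown, stale, absent = [], [], []
    for line in leases.splitlines():
        if not line.strip():
            continue
        mac, ip, host = line.split()
        seen.add(mac.lower())
        if mac.lower() not in known:          # on the wire but not in the inventory
            unknown.append((mac.lower(), ip, host))
    for mac, a in known.items():
        latest = current_firmware.get(a.name)
        if latest and version_tuple(a.firmware) < version_tuple(latest):
            stale.append((a.name, a.firmware, latest, a.critical))
        if mac not in seen:                    # inventoried but not observed
            absent.append(a.name)
    return {"unknown": unknown, "stale_firmware": stale, "not_seen": absent}
```

Run against real DHCP or ARP data the same function turns the "maintain an inventory" and "update firmware" items into a report that can be reviewed on a schedule, with critical devices called out first.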
Device manufacturers can also play a large role in IoT security by building better security into devices. If a device reports use data back to the manufacturer, the manufacturer should be upfront with the owner about data collection, limit the data reported to a minimum and stop collecting in a reasonable timeframe.
Best Practices References