The recent legal action against the developers of Mirai, a bot net which quickly paralysed large parts of the Internet in 2016, has brought IoT security back on the radar for many people. There’s talk of a new smart device every month, and though the concept of a smart lightbulb or smart coffee machine may seem archaic, research by Telsyte predicts that Australian households will more than double the number of internet connected devices they own by 2021, to over 30 devices.
This highlights a point worth making about the securing up the Internet of Things (IoT). In an industry that’s rapidly moving from being worth millions to billions, it’s clear for most IoT vendors security is second to speed-to-market. While this has provided plenty of content opportunities for humorists like @InternetofShit, the impact of poorly conceived and executed IoT devices extends far beyond satire.
It’s up to us IT pros, to more often and more explicitly, point out that implementing secure IoT requires both strategic and tactical actions. Strategic because if our organisations have even an inkling that they might consider IoT technology, then policies and procedures need to be hammered out before the first device even enters the doors. From a tactical perspective there’s a high chance the first IoT device is already on the premises and the IT team is just last to know. So, you need to take action now to find and manage those devices.
Arguably strategy is the trickier hurdle to navigate. It takes time. Strategy requires you to navigate office politics, obtain management buy-in and deal with a lot of questions. But strategy is also what’s going to ultimately save your business by helping you avoiding a massive breach.
In my not-so-humble opinion, your corporate policy regarding IoT devices (defined as anything beyond smartphones, tablets, laptops and watches that connect to networks, be they the internet, corporate, personal, Bluetooth or otherwise) should start with a framework something like this:
- To be considered, vendors must commit to:
- Certifying the security of their device.
- Publishing changes in advance of each new version of the device “operating system.”
- Informing customers when they are changing the choice of hardware components and sub-components for future production runs of the device.
- Provide a manual/internal update process as an alternative to an internet-wide push.
- Meanwhile, corporate adopters—departments or the management sponsors of the project—must agree to budget for both funds and staff which allow for:
- Security review and testing, including penetration testing, as part of the adoption cycle.
- Ongoing reviews and testing of the vendor’s hardware and software updates prior to rolling to production.
Complex strategy like this is going to increase the cost of ownership of IoT devices significantly. It’s going to create friction and frustration among both management, who want the benefits, and us IT professionals, who don’t want the added hassle. But it’s also going to drive secure results and is really the only logical way forward.
Now that you have a sense of the kind of planning that’s needed long-term, there are also the tactics you can put in place straight off the bat.
I want to start with something you should already have in your toolbox: a NetFlow analyser. Central to the NetFlow protocol is the ability to expose “conversations,” or the transfers of data between two specific endpoints via the same port and protocol, that are occurring across your organisation. NetFlow is most commonly used to figure out where large bandwidth usage is going, but it can be just as easily used to track the hundreds or thousands of small conversations. This means that you can leverage one of the tools you likely already have to identify IoT-like behaviour in your environment, as well as monitor which external sites are receiving connections from inside your environment.
Another tool you should have but many organisations don’t is an IP address management (IPAM) tool. While this is a must-have for organisations of any size irrespective of the IoT question, IoT gives you one more reason to love the tool you have, or justify the one you need if you’re unlucky enough to not already have one. Why? Because IoT devices take up IP addresses, a lot of them. Additionally, IoT devices have MAC addresses that fall within a single vendor’s grouping. So, your IPAM tool can help automatically identify and report on IoT devices in the course of the normal operation of business.
Finally, the last tool in your tactical arsenal is a relative newcomer to the monitoring party: deep packet inspection (DPI). DPI is similar to NetFlow in that an interface in the middle of IoT traffic is used to slurp up packets and analyse them for the source and destination IP, port and protocol. This information is used to categorise the packet by usage, such as business application, social, streaming media, potentially malicious, etc. The intended use case is to determine whether packets are moving slowly due to a network issue or a problem at the application level, but the applicability to IoT should be obvious.
Why it Matters
This is all very important because above all, we’re really talking about significant risks to personal safety and corporate security here. With IoT set to take over Australian households, there’s no doubt we’ll see similar rise in connected devices in the workplace. In the last 12 months alone, we’ve seen on a global scale security flaws exposed in children’s toys, baby monitors, corporate HVAC systems, cars, pacemakers and insulin pumps. It’s time to take a proactive approach to IoT security that covers both the strategic and tactical posture.