How to secure the IoT in your organisation: advice and best practice for securing the Internet of Things
All of the major technology vendors are making a play in the Internet of Things space and there are few organisations that won’t benefit from collecting and analysing the vast array of new data that will be made available.
But the recent Mirai botnet is just one example of the tremendous vulnerabilities that exist with unsecured access points. What are the main security considerations and best practices, then, for businesses seeking to leverage the potential of IoT?
Read on for some advice on securing the IoT from the cybersecurity industry.
1. Best practice for IoT security: Read the literature
“Comprehensive security guidelines and industrial standards for IoT manufacturers would help,” says Alex Mathews, lead security evangelist for Positive Technologies.
There has been progress on this, and Mathews points to the Industrial Internet Security Framework published last September – a collaborative project between players including Intel, AT&T, Hitachi, Fujitsu, Kaspersky, and many more – as a solid start.
There are other papers out there on the matter, including a 2016 whitepaper from the US Department of Homeland Security called Strategic Principles for Securing the Internet of Things. It warns: “Many of the vulnerabilities in IoT could be mitigated through recognised security best practices, but too many products today do not incorporate even basic security measures.” Click through for a more comprehensive rundown on advice from the US government (PDF).
2. Best practice for IoT security: Think long-term when choosing your supplier
Budget constraints can make it tempting to opt for a newer business that promises the world, or for a less well-known player at a cheaper cost. But keeping your network of devices updated is critical to security, so if your supplier suddenly isn’t around anymore your organisation becomes exposed.
“Make sure it’s a well-known and reliable supplier that’s likely to be around for the long-term,” says R&D director at Rocket Software, George Smyth. “IoT devices need to be updated regularly when a new security flaw is discovered. If you bought from a company that has gone bust, you’ll end up with a device that’s basically useless. You need to buy from a manufacturer that will be around for years to come, so they can provide patches and fixes to any bugs that may arise.”
3. Best practice for IoT security: Don’t be part of the problem
In the wake of the Mirai botnet attack, Michael Marriott, research analyst at Digital Shadows, had this to say: “Don’t be part of the problem. Secure your own devices and don’t use default or generic passwords – and consider disabling all remote access to devices and perform administrative tasks internally. Instead of via Telnet, FTP and HTTP, use SSH, SFTP and HTTPS.”
“To address DNS reflection, disable recursion on authoritative name servers and limit recursion to authorised clients,” he says. “To address NTP reflection, update ntpd to the latest version and disable the monitor function for legacy ntpd versions.”
Click through for Digital Shadows’ Mirai and the Future whitepaper here (PDF).
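The two reflection mitigations Marriott describes can be checked mechanically. The following is an added example, not code from the article or from Digital Shadows: a small auditor for BIND-style `recursion` / `allow-recursion` settings and for ntpd's `disable monitor`. The sample configs are constructed, and the `noquery` check is an extra hardening step beyond the article's advice.

```python
import re

# Constructed sample configs, not taken from the article.
NAMED_OPEN = "options { recursion yes; allow-recursion { any; }; };"
NAMED_AUTHORITATIVE = "options { recursion no; };  // authoritative only"
NAMED_RESOLVER = "options { recursion yes; allow-recursion { 10.20.0.0/16; localhost; }; };"
NTP_LEGACY = "server ntp.example.net iburst\nrestrict default kod nomodify notrap\n"
NTP_FIXED = ("server ntp.example.net iburst\ndisable monitor  # no monlist\n"
             "restrict default kod nomodify notrap noquery\n")

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot satisfy a check."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def audit_named(conf):
    """Findings for the recursion settings in a BIND options block."""
    conf = strip_comments(conf)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if rec and rec.group(1) == "no":
        return []                       # authoritative only: no recursion to abuse
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}", conf)
    if acl is None:
        # Conservative: without an explicit ACL the result depends on version defaults.
        return ["recursion on with no explicit allow-recursion ACL"]
    clients = [c.strip() for c in acl.group(1).split(";") if c.strip()]
    if "any" in clients:
        return ["allow-recursion includes 'any' (open resolver)"]
    return []

def audit_ntp(conf):
    """Findings for the monitor (monlist) facility in an ntp.conf."""
    rows = [l.split() for l in strip_comments(conf).splitlines() if l.split()]
    findings = []
    if not any(r[0] == "disable" and "monitor" in r[1:] for r in rows):
        findings.append("monitor facility not disabled")
    defaults = [r for r in rows if r[:2] == ["restrict", "default"]]
    if not any("noquery" in r for r in defaults):   # extra check, not in the article
        findings.append("restrict default lacks noquery")
    return findings

if __name__ == "__main__":
    for name in ("NAMED_OPEN", "NAMED_AUTHORITATIVE", "NAMED_RESOLVER"):
        print(name, audit_named(globals()[name]))
    for name in ("NTP_LEGACY", "NTP_FIXED"):
        print(name, audit_ntp(globals()[name]))
```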
4. Best practice for IoT security: Separate IoT from the business network
It goes without saying that the internet is integral to the internet of things – but it’s easy to lose track of exactly what that means. The IoT search engine Shodan allows anyone in the world to browse thousands of internet-connected devices.
Each and every connected device needs to be considered a potential access point for malicious actors.
“Businesses should place all IoT on its own VLAN, and that VLAN should not have routable access to the internal enterprise business network,” says research lead at Rapid7, Deral Heiland. “The VLAN should also not be directly accessible from the internet, and egress firewall filters on that VLAN should be configured to only allow IoT devices to connect to specific cloud IP addresses, as needed for cloud API communication.”
“This method will reduce the risk and impact to an organisation by reducing the exposure footprint. If there is a compromise, it should help isolate it outside the business network environment.”
And Verizon’s Data Breach Digest (PDF) recommends that IoT systems should be air-gapped from critical networks wherever possible.
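Heiland's three rules (no route to the business network, no direct access from the internet, egress only to specific cloud addresses) can be validated against flow logs from the IoT VLAN. This is an added example, not from the article or from Rapid7; the subnets, cloud ranges, ports and flow records are all constructed assumptions.

```python
import ipaddress as ip

# All addresses below are constructed for illustration (assumptions).
IOT_VLAN = ip.ip_network("10.50.0.0/24")
BUSINESS_NETS = [ip.ip_network("10.0.0.0/16"), ip.ip_network("192.168.0.0/16")]
CLOUD_ALLOW = [                      # (vendor cloud range, destination port)
    (ip.ip_network("203.0.113.10/32"), 443),
    (ip.ip_network("198.51.100.0/28"), 8883),
]

def classify(src, dst, dport):
    """Judge one connection attempt; src is the side that initiated it."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    s_iot, d_iot = s in IOT_VLAN, d in IOT_VLAN
    if not (s_iot or d_iot):
        return "out-of-scope"
    if s_iot and d_iot:
        return "allow:intra-vlan"
    peer = d if s_iot else s
    if any(peer in net for net in BUSINESS_NETS):
        return "deny:business-network"       # flagged in either direction (assumption)
    if d_iot:
        return "deny:internet-ingress"       # outside host opening a session inward
    if any(d in net and dport == port for net, port in CLOUD_ALLOW):
        return "allow:cloud-api"
    return "deny:egress-not-allowlisted"

FLOWS = [  # constructed flow-log records: (src, dst, dport)
    ("10.50.0.21", "203.0.113.10", 443),     # camera to vendor API
    ("10.50.0.21", "198.51.100.5", 8883),    # camera to vendor message broker
    ("10.50.0.21", "10.0.4.7", 445),         # camera to a file server
    ("10.50.0.30", "192.0.2.99", 23),        # sensor to an unknown host over Telnet
    ("192.0.2.77", "10.50.0.30", 23),        # outside host to the sensor
]

def violations(flows):
    """Return (flow, verdict) for every flow the policy would deny."""
    verdicts = [(f, classify(*f)) for f in flows]
    return [(f, v) for f, v in verdicts if v.startswith("deny")]

if __name__ == "__main__":
    for flow, verdict in violations(FLOWS):
        print(flow, verdict)
```

Any `deny` verdict seen in real flow data means the firewall or VLAN routing is not enforcing the segmentation as intended.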
5. Best practice for IoT security: Protect and encrypt your passwords
The recent MongoDB database ransomware was largely thought to have occurred in test environments – but not always test environments – where default or weak passwords were used. So it should go without saying that these should be changed. Again, basic security practice should be applied to the IoT network.
“Only large, complex passwords should be used,” says Rapid7’s Deral Heiland. “This password should not contain any dictionary word or any part of the organisation’s name. It’s also important these passwords be unique across the IoT technology, because this will help avoid the compromise of all devices within an organisation if one device is compromised.”
“And if the IoT technology utilises its own wireless access point, it is critical that it be configured with the highest level of security possible – often this is WPA2 with AES256. The WPA2 Pre Shared Key should also be changed from default and a complex PSK should be utilised; this shouldn’t contain any dictionary words or any part of the organisation’s name.”
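Heiland's rules for device passwords and PSKs (long and complex, no dictionary word, no part of the organisation's name, unique per device) translate into a fleet-wide check. This is an added example, not from the article or from Rapid7; the organisation name, word list, 16-character minimum, character-substitution table and device credentials are constructed assumptions.

```python
import re
from collections import defaultdict

ORG_NAME = "Example Widgets Ltd"          # hypothetical organisation
WORDS = {"password", "admin", "camera", "summer", "welcome"}  # stand-in for a real wordlist
LEET = str.maketrans("0134578@$!", "oleastbasi")   # undo common substitutions
MIN_LEN = 16                              # assumed policy minimum

def credential_issues(secret):
    """Return the policy rules a single password or PSK breaks."""
    issues = []
    if len(secret) < MIN_LEN:
        issues.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, secret)) for c in classes) < 3:
        issues.append("low complexity")
    plain = secret.lower()
    folded = plain.translate(LEET)        # "w!dg3ts" becomes "widgets"
    org_parts = [p for p in re.findall(r"[a-z]+", ORG_NAME.lower()) if len(p) >= 4]
    if any(w in plain or w in folded for w in WORDS):
        issues.append("dictionary word")
    if any(p in plain or p in folded for p in org_parts):
        issues.append("organisation name")
    return issues

def audit_fleet(creds):
    """Map device -> issues, including secrets shared between devices."""
    report = {dev: credential_issues(s) for dev, s in creds.items()}
    by_secret = defaultdict(list)
    for dev, s in creds.items():
        by_secret[s].append(dev)
    for devs in by_secret.values():
        if len(devs) > 1:
            for dev in devs:
                report[dev].append("reused across devices")
    return {dev: issues for dev, issues in report.items() if issues}

FLEET = {  # constructed credentials, for illustration only
    "door-01": "admin1234",
    "cam-01": "W!dg3ts-Lobby-0042#",
    "hvac-01": "q7#Vz!p2Lr9@TmX4eK",
    "hvac-02": "q7#Vz!p2Lr9@TmX4eK",
    "sensor-07": "Gx4$nQ8&bR2^wJ6*uY",
}

if __name__ == "__main__":
    for device, issues in audit_fleet(FLEET).items():
        print(device, issues)
```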
6. Best practice for IoT security: Pay attention to the full network
Businesses taking advantage of IoT are increasing the range and scale of their full infrastructure, and by doing so create more potential weak points in the chain.
“Organisations must look at the full IoT infrastructure from end-to-end and secure all points,” says Winston Bond, EMEA technical director for Arxan. “A typical IoT framework consists of edge devices like sensors, adapters and beacons, as well as a gateway to communicate with these devices, and a back-end server in the cloud or on-premises.”
“Companies need to take each section separately and start addressing security issues for each,” he says. “From protecting the endpoints to hardening the binary code on the apps.”
7. Best practice for IoT security: Don’t count on the manufacturers
As with many nascent technologies, manufacturers don’t necessarily consider the full security risks when they rush to build and release their products.
The internet of things is no exception, and although some products will be more secure than others, it’s best not to trust the manufacturers to have baked in security from the beginning.
“IoT devices are hard to protect and most were not made with any consideration to security,” says Peter Nguyen, Director of Technical Services at LightCyber. “They are built for easy connectivity to share information or receive instructions. Many lack robust access control or the ability to use secure, changeable passwords – it’s unlikely that effective endpoint protection software can run on such devices.”
Rob Miller, head of operational technology at MWR InfoSecurity, believes that manufacturers need to wake up to the fact that it will also benefit them to design products with the latest attacks in mind, plus remote updating by default.
“There are no golden badges to look for when assessing a product’s security features, so instead many consumers and businesses choose to buy from manufacturers that can demonstrate their interest in security,” Miller says. “This might be in a warranty that includes security updates, or activity in the security community such as having a bug bounty programme.”