Contact us for more information about our products and solutions, online presentations, demos and PoC requests.

Contact

İçerenköy Mah. Umut Sok. Quick Tower, Kozyatağı – İstanbul / Türkiye

hello@cerrus.io

+90 216 999 1394

Securing IoT in Critical Industries

The notion that IoT devices are secure by design, or that their security features are enabled by default, is misleading. Auditing and controls must match the fundamental challenges of IoT security today if an organization is to be prepared for zero-day attacks. IoT projects promise unparalleled ROI for monitoring, diagnostics and analytics and enable new business models, but they typically lack scalable centralized management, introduce primitive access controls and often leave data domains exposed.

Meanwhile, evidence suggests that threat actors are doing their homework: they quickly scan target environments for known CVEs and focus on techniques that let them maintain undetected access to systems and devices. In many cases they pose as legitimate users and deploy purpose-built malware, ransomware included, to infect systems and produce a specific result.

Manufacturing and energy remain the leading targets of known threat actor activity, and targeting of healthcare and commercial facilities is also on the rise. These disparate sectors have one thing in common: widespread adoption of internet of things (IoT) technologies, often from vendors and for use cases that serve multiple sectors.

There are numerous ongoing efforts by government agencies and industry groups to define and scale IoT security practices. Many organizations are well on their way to adopting best practices that can be extended across the secure lifecycle of devices, depending on business priorities and the security requirements of end users.

Nozomi Networks has a unique perspective on the scale of the problem, with research on the intriguing rise in botnet traffic and work on identifying IoT vulnerabilities. We have the experience to help solve the challenges of complex network connectivity and secure deployment of IoT devices to strengthen our customers’ security posture.

Challenges

With the addition of IoT and analytics technologies to pursue business outcomes, security concerns are emerging around IoT hardware, software, interfaces, data storage and applications. Beyond network vulnerabilities, hard-coded passwords, internet-facing interfaces with remote access, and end-user credentials are frequent targets.

Many critical infrastructure sectors are adopting new levels of connectivity between systems, networks and devices. Operating across distributed locations, they are simultaneously implementing increasingly complex SCADA architectures and IoT deployments to streamline operations. Automated attacks and the spread of botnets are a constant threat to IoT devices.

This connectivity, and the security concerns that come with it, now extend to networked cyber-physical systems, IT/OT integrations, building automation, and the performance and efficiency software that justifies the investment.

IoT devices are increasingly being deployed in critical infrastructure networks:

  • To monitor critical functions, diagnose potential problems, analyze and report machine and environment status updates
  • Closely connected to real-time controllers that measure the temperature of a cooling system, the effectiveness of a security system or the pressure in a pipeline
  • As control elements included in Building Management Systems (BMS)

Some are added to networks without change management procedures and without addressing configuration and security concerns. If they are inadvertently misconfigured or intentionally sabotaged, the consequences can be dire, including impacts on health and human safety. The number and diversity of these devices will make them increasingly difficult to manage and monitor effectively.

Many security researchers agree that focusing on the security of individual devices is not a practical, long-term solution for IoT security. Patches are often unavailable, difficult or impossible to install. In addition, quantum computing presents a potential roadblock for the future of IoT encryption: the public-key algorithms deployed today would have to be replaced on devices that are rarely, if ever, updated.

Estimates suggest that there will be up to 3.2 billion 5G IoT devices connected to the internet before the end of 2023. 5G is a threat multiplier for IoT devices and ecosystems: the bandwidth allocated to a single 5G device can reach 1 Gbps, and the underlying hardware, usually ARM64-based, has enough capacity to be turned into an effective platform for adaptive Distributed Denial of Service (DDoS) attacks.

The primary attack surface for IoT devices is default credentials over SSH. When a system is targeted, the attacker tries an average of 40 passwords per username, usually from another infected IoT device. Other common attack surfaces of these devices include UPnP, HTTPS interfaces and their underlying packages (often Java), and various source code modifications.
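As an added example, not code from the original page or from Nozomi Networks, the following Python scans OpenSSH authentication log lines for the pattern just described: many password guesses per username from one source, a spray across factory-default account names, and a successful login that follows failures from the same source. The log lines, the default-username list and the alert thresholds are constructed assumptions; the 10-attempt threshold is set deliberately below the ~40 guesses per username the page cites.

```python
"""Flag credential guessing against IoT default accounts in OpenSSH logs.

Added example. The log lines, default-user list and thresholds below are
constructed assumptions, not data or rules from the original page.
"""
import re
from collections import defaultdict

# OpenSSH syslog lines, e.g.
#   Mar  4 02:10:00 cam01 sshd[900]: Failed password for root from 203.0.113.7 port 40000 ssh2
#   Mar  4 02:22:40 cam01 sshd[912]: Accepted password for root from 203.0.113.7 port 40012 ssh2
_PREFIX = r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) "
                      r"from (?P<ip>[\d.]+) port \d+ ssh2$")
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted password for (?P<user>\S+) "
                        r"from (?P<ip>[\d.]+) port \d+ ssh2$")

# Account names that commonly ship as factory defaults (assumption: tune per fleet).
DEFAULT_USERS = {"root", "admin", "user", "support", "pi", "ubnt", "guest"}
# The page cites ~40 guesses per username per attack; alert well below that.
BRUTE_FORCE_THRESHOLD = 10
# Three or more distinct default accounts tried from one source is a spray.
SPRAY_THRESHOLD = 3


def parse(lines):
    """Yield (source_ip, username, succeeded) for every password-auth outcome line."""
    for line in lines:
        if m := FAILED_RE.match(line):
            yield m["ip"], m["user"], False
        elif m := ACCEPTED_RE.match(line):
            yield m["ip"], m["user"], True


def analyze(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Return a list of alert dicts, in order of detection."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed count
    successes = []
    for ip, user, ok in parse(lines):
        if ok:
            successes.append((ip, user))
        else:
            failures[ip][user] += 1

    alerts = []
    for ip, per_user in failures.items():
        total = sum(per_user.values())
        defaults_tried = sorted(u for u in per_user if u in DEFAULT_USERS)
        if total >= threshold:
            alerts.append({"type": "brute_force", "ip": ip, "attempts": total,
                           "users": sorted(per_user)})
        elif len(defaults_tried) >= SPRAY_THRESHOLD:
            alerts.append({"type": "default_account_spray", "ip": ip,
                           "attempts": total, "users": defaults_tried})
    # A login that follows failures from the same source is the compromise signal,
    # not just an attempt, so it gets its own alert regardless of the counts above.
    for ip, user in successes:
        if ip in failures:
            alerts.append({"type": "success_after_failures", "ip": ip, "user": user,
                           "attempts": sum(failures[ip].values())})
    return alerts


def build_sample_log():
    """Constructed sshd lines (not real telemetry) reproducing the attack pattern."""
    lines = [f"Mar  4 02:{10 + i:02d}:00 cam01 sshd[{900 + i}]: Failed password for root "
             f"from 203.0.113.7 port {40000 + i} ssh2" for i in range(12)]
    lines.append("Mar  4 02:22:40 cam01 sshd[912]: Accepted password for root "
                 "from 203.0.113.7 port 40012 ssh2")
    for j, user in enumerate(("admin", "support", "pi")):
        lines.append(f"Mar  4 03:00:0{j} cam01 sshd[{950 + j}]: Failed password for invalid "
                     f"user {user} from 198.51.100.9 port {50000 + j} ssh2")
    # One mistyped password by a legitimate user should not alert.
    lines.append("Mar  4 08:15:01 cam01 sshd[970]: Failed password for alice "
                 "from 192.0.2.5 port 51000 ssh2")
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The "success after failures" rule is the one worth paging on: a burst of failures alone says a scanner found the device, a success after them says it got in. On devices that log through BusyBox syslog rather than OpenSSH the message text differs, so the regular expressions must be adapted to the daemon actually in use (Dropbear, for instance).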

These systems tend to remain unpatched for long periods after a patch is released, because most IoT devices are "headless" and are not set up for automatic updates unless the owner or user has accepted a risk-based notice in the end-user license agreement.

Once an attacker has gained entry, they usually fingerprint the underlying operating system to decide which payload to install before using the device in botnet attacks. The server hosting the malware is most likely an IP address hard-coded in the attacker's script.

To hide the payload, many IoT botnets name it after common system processes such as 'ntpd' (the network time protocol daemon), and use packers and encryptors to evade deep packet inspection engines.

Once the malware has infected a device, it immediately changes the device's default credentials before moving on to infecting other machines. These IoT botnets can grow to hundreds of thousands of controlled devices, and their main purpose is to perform DDoS attacks against targets.
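An added example, not part of the original page: an incident-response check over a process snapshot (constructed here, in the shape one would collect from /proc/<pid>/comm and /proc/<pid>/exe on a Linux-based device) for the two tricks just described, a process named 'ntpd' whose binary sits in /tmp or has been unlinked, and an executable image that looks packed (a UPX marker or a near-random byte distribution). The daemon table, the directory lists, the entropy threshold and the snapshot itself are assumptions.

```python
"""Spot botnet payloads masquerading as system daemons such as 'ntpd'.

Added example. The daemon table, directory lists, entropy threshold and the
process snapshot below are constructed assumptions, not from the original page.
"""
import math
import os
from collections import Counter

# comm name -> directories where the genuine binary may live (assumption: build
# this table from a known-good image of each device model in your fleet).
KNOWN_DAEMONS = {
    "ntpd": ("/usr/sbin", "/usr/bin", "/sbin"),
    "sshd": ("/usr/sbin", "/sbin"),
    "dropbear": ("/usr/sbin", "/sbin"),
    "telnetd": ("/usr/sbin", "/sbin"),
}
# Writable or volatile locations where a freshly downloaded payload usually lands.
SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/run", "/var/run")
ENTROPY_THRESHOLD = 7.0   # bits per byte; packed/encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(image: bytes) -> bool:
    """Static hint only: a UPX marker, or near-random bytes after the 64-byte ELF header."""
    return b"UPX!" in image or shannon_entropy(image[64:]) > ENTROPY_THRESHOLD


def in_suspicious_dir(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in SUSPICIOUS_DIRS)


def suspicious_process(proc: dict) -> list:
    """Return the reasons (possibly none) this process entry looks like a masquerade.

    proc mirrors /proc/<pid>/comm, /proc/<pid>/exe and a read of the binary:
    {"pid": int, "comm": str, "exe": str, "image": bytes}
    """
    comm, exe = proc["comm"], proc["exe"]
    if not exe:                      # kernel threads have no executable
        return []
    reasons = []
    deleted = exe.endswith(" (deleted)")
    exe_path = exe[:-len(" (deleted)")] if deleted else exe
    exe_dir = os.path.dirname(exe_path)
    if deleted:
        reasons.append("binary unlinked after start")
    if in_suspicious_dir(exe_dir):
        reasons.append(f"running from volatile/writable dir {exe_dir}")
    if comm in KNOWN_DAEMONS:
        if exe_dir not in KNOWN_DAEMONS[comm]:
            reasons.append(f"'{comm}' expected in {KNOWN_DAEMONS[comm]}, found {exe_dir}")
        if os.path.basename(exe_path) != comm:
            reasons.append(f"process name '{comm}' does not match binary {exe_path}")
    if proc.get("image") and looks_packed(proc["image"]):
        reasons.append("packed/high-entropy image")
    return reasons


def scan(snapshot: list) -> dict:
    """Map pid -> reasons for every entry with at least one finding."""
    return {p["pid"]: r for p in snapshot if (r := suspicious_process(p))}


# Constructed snapshot: one genuine ntpd, two masquerades, one kernel thread.
ELF_HEADER = b"\x7fELF" + b"\x00" * 60
SNAPSHOT = [
    {"pid": 311, "comm": "ntpd", "exe": "/usr/sbin/ntpd",
     "image": ELF_HEADER + b"/lib/ld-musl-armhf.so.1\x00" * 3},
    {"pid": 4120, "comm": "ntpd", "exe": "/tmp/.x/ntpd (deleted)",
     "image": ELF_HEADER + b"UPX!" + bytes(range(256))},
    {"pid": 4133, "comm": "sshd", "exe": "/dev/shm/a.out",
     "image": ELF_HEADER + bytes(range(256)) * 2},
    {"pid": 29, "comm": "kworker/0:1", "exe": "", "image": b""},
]

if __name__ == "__main__":
    for pid, reasons in scan(SNAPSHOT).items():
        print(pid, "->", "; ".join(reasons))
```

The entropy test is a hint, not proof: compressed data files also score high, and a packer that pads with zeros scores low. The location and name checks are the cheaper and more reliable signals on embedded firmware, where the set of legitimate binaries and their paths is small and fixed for a given image.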

Compensatory Controls

Security solutions must go beyond simply identifying and understanding all critical elements in an IoT/OT network. They must include a deep understanding of all potential risk scenarios and proactively continue to monitor for such activity. Because IoT deployments can be compromised for malicious purposes, their adoption requires both a clear ROI and a security plan.

Trade-offs made in the name of efficient operational expenditure must always be tempered by the actual financial and potentially physical damage a cyber incident can cause. Risk tolerance must therefore balance the benefits of IoT, automation and efficiency against the need to monitor operations with security solutions built specifically for digitized, cyber-physical environments.

At the end of the day, decision makers looking to utilize IoT have desks overflowing with data from the field, but often lack the actionable intelligence needed to make sense of a bleak and complex cybersecurity picture.

The Four Main Compensating Controls Nozomi Networks Recommends:

  • An asset management mechanism with real-time data that includes IoT devices and gives network security engineers zone and network location data, lifecycle status and patching information.
  • A firewall that can isolate or terminate connections flagged by the monitoring solution, such as those associated with malware or identified as anomalous.
  • A monitoring solution that integrates IoT visibility with network access control (NAC) products and surfaces the greatest potential risks in real time; for example, directing the NAC to place critical or vulnerable IoT assets on private VLANs, including in a DMZ configuration.
  • A process that network security engineers follow to patch the highest-risk and most vulnerable assets first, reducing overall risk exposure and increasing resilience.
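The first and fourth controls only pay off if the inventory data actually drives the patch order. As an added example, not the page's or Nozomi Networks' own method, the Python below takes a constructed asset inventory carrying the fields the list above asks for (zone, lifecycle/EOL status, last patch date) together with the exposure factors the article names (internet-facing interfaces, default credentials, safety impact), scores each asset, and emits a ranked plan in which end-of-life devices are routed to NAC isolation rather than to a patch queue that can never drain. The weights, thresholds and scoring formula are illustrative assumptions.

```python
"""Rank IoT/OT assets for patching and isolation from inventory data.

Added example. The inventory, weights, thresholds and scoring formula are
illustrative assumptions, not the page's or Nozomi Networks' own method.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    name: str
    zone: str               # network zone from the asset inventory, e.g. "ot-level1"
    cvss_max: float         # highest CVSS base score among known unpatched CVEs
    internet_exposed: bool  # reachable from an untrusted network
    default_creds: bool     # factory credentials still in use
    safety_impact: int      # 0 = none ... 3 = could endanger people
    eol: bool               # vendor no longer ships patches
    last_patched: date


def risk_score(a: Asset, today: date) -> float:
    """0..40: likelihood of compromise x consequence x how stale the patch level is."""
    likelihood = a.cvss_max / 10.0
    if a.internet_exposed:
        likelihood = min(1.0, likelihood + 0.3)   # internet-facing interfaces are targeted
    if a.default_creds:
        likelihood = min(1.0, likelihood + 0.3)   # default credentials are the primary surface
    consequence = 1 + a.safety_impact             # 1..4
    staleness = min(1.0, (today - a.last_patched).days / 365)  # capped at one year
    return round(10 * likelihood * consequence * (0.5 + 0.5 * staleness), 2)


PATCH_THRESHOLD = 8.0   # assumption: below this, monitoring alone is acceptable


def triage(assets, today):
    """Return [(name, score, action)] highest risk first."""
    plan = []
    for a in sorted(assets, key=lambda x: risk_score(x, today), reverse=True):
        score = risk_score(a, today)
        if a.eol:
            action = "isolate: no patch will come; have NAC move it to a quarantine VLAN"
        elif a.default_creds:
            action = "rotate default credentials now, then patch"
        elif score >= PATCH_THRESHOLD:
            action = "patch this cycle"
        else:
            action = "monitor"
        plan.append((a.name, score, action))
    return plan


# Constructed inventory (not real assets) and a fixed evaluation date.
TODAY = date(2024, 3, 1)
INVENTORY = [
    Asset("hvac-sensor-12", "iot-sensors", 4.3, False, False, 0, False, date(2024, 2, 20)),
    Asset("chiller-plc-2", "bms", 5.3, False, False, 2, False, date(2024, 1, 10)),
    Asset("lobby-camera-03", "iot-sensors", 7.5, True, False, 0, True, date(2021, 6, 1)),
    Asset("pipeline-pressure-gw", "ot-level1", 9.8, False, True, 3, False, date(2023, 1, 15)),
]

if __name__ == "__main__":
    for name, score, action in triage(INVENTORY, TODAY):
        print(f"{score:5.2f}  {name:22s} {action}")
```

Two design points matter more than the exact weights. Consequence is multiplied in, not added, so a medium-severity CVE on a pipeline gateway with safety impact outranks a critical one on a lobby camera; and the EOL branch comes before the score, because ranking an unpatchable device for patching only hides it in the backlog, whereas the NAC integration in the third control can act on it today.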

Security research into products and devices, reverse engineering of malware, widespread vulnerabilities and critical weaknesses, and the evolving tactics, techniques and procedures of threat actors all add up to a seemingly impenetrable landscape. However, progress in cybersecurity is dynamic, continuous and incremental. In a distributed IoT incident, monitoring lets an organization quickly identify, protect, detect, respond and recover before a potentially catastrophic outcome.