Guest post by Russell Rice
Organizations in all industries face the daunting challenge of protecting a large and diverse number of vulnerable devices. For starters, they should conduct an IT risk management assessment based on numeric risk ratings, such as the TIK and OWASP frameworks. This can be a valuable practice that forces organizations to take a granular approach to their device portfolio, including legacy and IoT devices in use.
However, in the new and complex world of IoT technology, risk assessment is just a first step. Today, automation is often the new necessity when it comes to IoT device security. The expanding universe of heterogeneous devices and operating systems is seemingly endless as their scale and velocity continue to accelerate. Since each group of similar devices, such as a specific model of Axis cameras and software, yields different values for vulnerability and criticality/asset value, automation is necessary to measure risk ratings across the entire IoT device inventory.
With these assumptions, I offer my top 5 tasks where automation is needed for managing risk and securing IoT.
Task 1: Discovery
If you don’t track your IoT inventory, you are not managing risk. If you don’t agree, check the CIS or SANS top 20 controls: there is a reason inventory is their No. 1 best practice. Keeping a list of what you have is more than knowing “I’ve got about 32 cameras in the building, mostly Pelco”. It means knowing precisely how many of each type of device you’ve got, down to the OS and firmware version, as well as the MAC and IP address. This spans all IP devices: HVAC systems in the data center, diagnostic equipment in the lab, sensors in refrigeration units, and surveillance cameras in entryways.
In reality, too many organizations find this practice too tedious, especially when dealing with legacy OT systems that have been around for a while. However, without the inventory list, security teams cannot measure IoT risk with any granularity. When the Mirai malware infected over one million cameras, administrators started to take notice and ask what part of their fleet was vulnerable, leading to an inventory audit of every system. Figuring that out manually by walking room-by-room with a spreadsheet isn’t practical or sustainable. You need to automate the discovery process with tools that identify your online devices, determine the make and model details, and continuously keep the information current. And visibility is needed everywhere, including manufacturing, research, medical, security, gaming, and operational networks.
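An added example, not code from the post or from any vendor tool, of the roll-up that the introduction and this task together imply: constructed discovery records are grouped by make, model and firmware, and each group is rated by vulnerability times criticality/asset value. The device records, the scores and vendor names such as ExampleMed are made up for illustration.

```python
from collections import defaultdict

# Constructed discovery output (made-up hosts, MACs and firmware versions):
# one record per online IP device, as an automated discovery tool would emit.
DISCOVERED = [
    {"ip": "10.20.0.11", "mac": "00:1a:07:aa:00:01", "make": "Pelco", "model": "Sarix", "fw": "1.8.2"},
    {"ip": "10.20.0.12", "mac": "00:1a:07:aa:00:02", "make": "Pelco", "model": "Sarix", "fw": "1.8.2"},
    {"ip": "10.20.0.13", "mac": "00:1a:07:aa:00:03", "make": "Pelco", "model": "Sarix", "fw": "2.1.0"},
    {"ip": "10.20.0.14", "mac": "ac:cc:8e:bb:00:01", "make": "Axis", "model": "P3245", "fw": "10.9.4"},
    {"ip": "10.30.0.5", "mac": "00:50:c2:cc:00:01", "make": "ExampleHVAC", "model": "RTU-Ctl", "fw": "4.2"},
    {"ip": "10.40.0.9", "mac": "00:0c:29:dd:00:01", "make": "ExampleMed", "model": "Monitor-7", "fw": "1.0"},
    {"ip": "10.50.0.2", "mac": "00:0c:29:ee:00:01", "make": "unknown", "model": "unknown", "fw": "?"},
]

# Hypothetical inputs to the rating: a vulnerability score per (make, model,
# firmware) group and a criticality/asset value per model, both on a 0-10 scale.
VULNERABILITY = {
    ("Pelco", "Sarix", "1.8.2"): 8.0, ("Pelco", "Sarix", "2.1.0"): 3.0,
    ("Axis", "P3245", "10.9.4"): 2.0, ("ExampleHVAC", "RTU-Ctl", "4.2"): 6.0,
    ("ExampleMed", "Monitor-7", "1.0"): 9.0,
}
CRITICALITY = {
    ("Pelco", "Sarix"): 2.0, ("Axis", "P3245"): 2.0,
    ("ExampleHVAC", "RTU-Ctl"): 6.0, ("ExampleMed", "Monitor-7"): 10.0,
}

def group_inventory(records):
    """Roll the flat discovery list up to (make, model, firmware) -> device list."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["make"], rec["model"], rec["fw"])].append(rec)
    return dict(groups)

def rate_groups(records):
    """Risk per group = vulnerability * criticality * device count.

    Returns [(group, count, risk)] with unscored groups first (risk None: they
    need triage, not silence), then scored groups from highest to lowest risk.
    """
    rated = []
    for key, devices in group_inventory(records).items():
        vuln, crit = VULNERABILITY.get(key), CRITICALITY.get(key[:2])
        risk = None if vuln is None or crit is None else vuln * crit * len(devices)
        rated.append((key, len(devices), risk))
    return sorted(rated, key=lambda t: (t[2] is not None, -(t[2] or 0.0)))
```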
Task 2: Password Checking
Nearly everyone is guilty of installing devices at home without changing the default administrative account and password. Dealing with password security is, quite simply, annoying. This carries into the work environment — it is all too common for IP-enabled medical equipment, cameras, building automation systems, process control equipment, and research devices to retain the manufacturer’s default account settings. Our company finds nearly one-third of the business devices we scan are unchanged, meaning anyone able to connect to the device over the network can take control of it. No need for fancy malware tools to break in.
Most organizations have password policies and tools to verify them, but those policies are enforced only for workstations and servers; there are no controls in place to automatically verify IoT devices. Given the large number of devices out there and how quickly new ones are being deployed, automating the audit process to ensure default or weak passwords are not in use is the only feasible way to secure their administrative accounts.
Task 3: Vulnerability Assessment
Performing continuous vulnerability assessments and ensuring that remediation is baked into every professional risk management process and InfoSec team is critical. PCI DSS 11.2 requires quarterly scanning, as well as scanning after any significant change in the network. All too often, however, organizations are hamstrung handling legacy OT and new IoT device assessments because scanning is limited to the DMZ, datacenter, and the corporate network, and it does not reach into traditional OT IP-enabled enclaves. Don’t fall into that trap! Scan everything everywhere because that’s what cyber-criminals can do, especially if they know you won’t detect them. In scans we conduct, staggeringly large numbers of devices have known vulnerabilities: biomedical devices with weak crypto libraries, cameras vulnerable to cross-site scripting, and sensors that tip over when scanned because they are terrible at handling IO memory. And yes, first do trial scans on devices by type. Any that crash should receive special protections and be queued for replacement to prevent bad guys from knocking them out.
Task 4: Tracking Software & Patch Versions
When WannaCry ransomware first hit, every organization was concerned it would be a target in the first 24 hours. Fortunately, for most, that didn’t happen. Nonetheless, it was a recent demonstration that it is crucial to be able to patch vulnerable systems quickly. However, this is challenging for IoT devices. There is a wide range of different device managers in use. For example, physical security teams often use different tools per camera manufacturer, and medical device tools vary per supplier and device type. Usually, these tools are not designed to alert administrators when new security patches are available, and information security teams lack the ability to audit what software is in use versus what is available. Both gaps need to be closed: device administrators need to easily identify systems running old and vulnerable software, and auditors need to be able to assess version compliance across the organization, especially for all critical assets. Given the scale and diversity of devices, automated tooling that tracks the entire IoT inventory would make this job feasible.
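An added example, not from the post or any device manager, of the version compliance audit this task calls for: a constructed inventory snapshot is compared against a hypothetical per-model baseline of the newest firmware and the lowest version that closes known issues. Firmware version strings are parsed so that short versions pad correctly and pre-release builds sort below the final release. Hosts, versions and the ExampleMed/ExampleHVAC vendors are made up.

```python
import re

# Constructed inventory snapshot of what is actually running (made-up hosts
# and firmware versions), as reported by automated discovery.
INVENTORY = [
    {"ip": "10.20.0.11", "make": "Pelco", "model": "Sarix", "fw": "1.8.2"},
    {"ip": "10.20.0.12", "make": "Pelco", "model": "Sarix", "fw": "2.1.0"},
    {"ip": "10.20.0.14", "make": "Axis", "model": "P3245", "fw": "10.9.4"},
    {"ip": "10.40.0.9", "make": "ExampleMed", "model": "Monitor-7", "fw": "3.0.1-rc2"},
    {"ip": "10.40.0.10", "make": "ExampleMed", "model": "Monitor-7", "fw": "3.0.1"},
    {"ip": "10.30.0.5", "make": "ExampleHVAC", "model": "RTU-Ctl", "fw": "4.2"},
]

# Hypothetical per-model feed maintained from each supplier's release notes:
# the newest firmware and the lowest version that closes the known issues.
BASELINE = {
    ("Pelco", "Sarix"): {"latest": "2.1.0", "minimum_safe": "2.0.0"},
    ("Axis", "P3245"): {"latest": "10.12.0", "minimum_safe": "10.9.0"},
    ("ExampleMed", "Monitor-7"): {"latest": "3.0.1", "minimum_safe": "3.0.1"},
}

def parse_version(text):
    """'10.9.4' -> (10, 9, 4, 0, 1). Short versions are zero-padded so 4.2 == 4.2.0.0;
    a pre-release tag (-rc/-beta/-alpha) sorts below the final release of that number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(rc|beta|alpha)\d*)?", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums + (0 if m.group(2) else 1,)

def audit(inventory, baseline):
    """Classify each device: current, behind (upgrade available), vulnerable
    (below minimum_safe) or unknown-model (no baseline on file, needs triage)."""
    findings = []
    for dev in inventory:
        base = baseline.get((dev["make"], dev["model"]))
        if base is None:
            status = "unknown-model"
        else:
            running = parse_version(dev["fw"])
            if running < parse_version(base["minimum_safe"]):
                status = "vulnerable"
            elif running < parse_version(base["latest"]):
                status = "behind"
            else:
                status = "current"
        findings.append((dev["ip"], dev["make"], dev["model"], dev["fw"], status))
    return findings

def counts_by_status(findings):
    """Roll-up for the auditor: how many devices are in each state."""
    out = {}
    for f in findings:
        out[f[4]] = out.get(f[4], 0) + 1
    return out
```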
Task 5: Isolation
To protect an IoT device, the best approach is to isolate it so it can only communicate with the other systems it needs. For example, a video surveillance camera should only talk to the VMS (video management system), the video storage system and possibly administrative workstations. A medical diagnostic device just needs to communicate with an EMR system and a patch-update server. The way to accomplish this is micro-segmentation, wherein each device is assigned a policy that controls its inbound and outbound communication. However, since IoT devices cannot reliably enforce controls themselves, enforcement needs to happen where the device connects to the network. In concept, this is the same approach organizations use to protect server communications as they migrate to the cloud. The complicated part is accurately determining the correct policy for each specific device. It requires awareness of the natural and correct communication pattern of each device in the environment, and given their diversity, technology is needed to automate the discovery and assignment process.
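An added example, not from the post or any segmentation product, of how a per-device policy can be learned from observed traffic and then enforced at the network edge. Host names, roles and flow records are constructed; the allowed peer roles encode the two cases above (camera: VMS, storage, admin; diagnostic device: EMR, patch server). The baseline deliberately contains one flow that is observed but not a necessary peer, since a baseline can capture traffic that should never have been there.

```python
from collections import defaultdict

# Hypothetical role per host and, per segmented device role, the peer roles that
# count as "necessary systems". Everything here is made up for illustration.
ROLE_OF = {
    "cam-01": "camera", "cam-02": "camera", "vms-01": "vms", "nvr-01": "storage",
    "admin-ws-03": "admin", "mri-01": "diagnostic", "emr-01": "emr",
    "patch-srv": "patch", "file-srv": "files",
}
ALLOWED_PEERS = {"camera": {"vms", "storage", "admin"}, "diagnostic": {"emr", "patch"}}

# Constructed (src, dst, dst_port) flows captured while the devices were baselined.
BASELINE_FLOWS = [
    ("cam-01", "vms-01", 554), ("cam-01", "nvr-01", 554), ("admin-ws-03", "cam-01", 443),
    ("mri-01", "emr-01", 2575), ("mri-01", "patch-srv", 443),
    ("cam-01", "file-srv", 445),  # observed, but a file server is not a necessary peer
]

def segmented_end(src, dst):
    """Which end of a flow is the segmented IoT device, its peer's role, and direction."""
    if ROLE_OF.get(src) in ALLOWED_PEERS:
        return src, ROLE_OF.get(dst), "out"
    if ROLE_OF.get(dst) in ALLOWED_PEERS:
        return dst, ROLE_OF.get(src), "in"
    return None

def learn_policy(flows):
    """Per device: (peer role, port, direction) tuples both observed and permitted for
    its role. Observed-but-not-permitted flows come back separately for triage."""
    policy, rejected = defaultdict(set), []
    for src, dst, port in flows:
        end = segmented_end(src, dst)
        if end is None:
            continue
        device, peer, direction = end
        if peer in ALLOWED_PEERS[ROLE_OF[device]]:
            policy[device].add((peer, port, direction))
        else:
            rejected.append((src, dst, port))
    return dict(policy), rejected

def evaluate(policy, flows):
    """Edge enforcement: anything outside the device's policy (an unknown peer,
    device-to-device traffic, a new port) is denied."""
    verdicts = []
    for src, dst, port in flows:
        end = segmented_end(src, dst)
        if end is None:  # neither end is a segmented device
            verdict = "unscoped"
        else:
            device, peer, direction = end
            verdict = "allow" if (peer, port, direction) in policy.get(device, set()) else "deny"
        verdicts.append(((src, dst, port), verdict))
    return verdicts
```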
Managing IoT risk requires a multi-pronged approach that can cover the entire, diverse and expanding inventory organizations adopt while providing detailed information for each deployed device. Automation of key steps of the process is necessary for this to be possible – from inventory discovery and classification, to password and vulnerability assessment, to simplifying the embedded software patch audit process, and including the definition and implementation of micro-segmentation access controls. Fortunately, purpose-built technologies are now available to security operations so they can tackle the challenge and finally get in front of the problem.
Russell Rice is Vice President of Products at CloudPost, which helps organizations reduce the risk of business IoT systems. He has more than 20 years of experience in the network security industry. Russell has held senior leadership roles in product management, technical marketing, and engineering in startups and established companies, spanning Cisco, Skyport Systems, Global Internet, and Dow Jones. At Cisco, Russell was the executive business leader for network access control (NAC) policy, and remote access products. Russell is an accomplished speaker and his teams were responsible for the Cisco SAFE network security guidelines. He graduated from UC Berkeley with a bachelor’s degree in computer science.