Why is Everything Connected Now?
By contrast, enterprise interest in IoT is driven by pragmatic business needs and financial rationale. Moving data to the cloud and connecting sensors, devices, and equipment to the Internet has boosted productivity and lowered costs in the healthcare, manufacturing, utility and retail industries. For instance, healthcare is an early adopter of IoT and has been able to leverage IoT technologies to provide greater patient care and save costs. The rise in healthcare IoT is driven by demand for advanced healthcare information, patient monitoring devices and mHealth technology. The global market for Internet of Things (IoT) in healthcare was valued at over $24 million. The same drivers exist in energy, manufacturing and enterprise environments.
What is IoT?!
What is the Internet of Things? You cannot find a lot of people who like the term Internet of Things or can even agree on what it actually means. At Senrio we therefore refer to this new breed of miniature computers as Networked Embedded Devices (NEDs): In contrast to a PC or server, the embedded device is a single-purpose operating system. Networked embedded devices have a means of communicating either with other devices on a closed network or to the cloud via a link to the Internet.
While consumer devices are flashy and get attention, they are just the tip of the iceberg. Enterprise IoT focuses on large-scale, high-value and/or critical networks of embedded devices used in healthcare, retail, corporate and critical infrastructure environments. Think of medical equipment, point-of-sales payment systems, inventory scanners, security cameras, industrial control systems, etc. It includes concepts (aka more buzzwords) such as Industry 4.0, healthcare IoT, mobility, connected vehicle, Industrial Internet, Smart City, Big Data and Machine-to-Machine communications.
Billions of Unsecured Embedded Devices
Networked Embedded Devices Make Ideal Targets
Low Barriers To Entry
Often "unpatchable": Once devices ship, it is more difficult to patch them. If a patch is possible, users have to manually download and install relevant patches. The update rate for consumer products is as low as 20%. In the case of enterprise IoT, it may even be harder to install updates. Medical devices are approved “as is” and a firmware update might trigger a new audit or compliance requirements.
And breaches undetectable: Embedded devices generally lack the "intimate" user interfaces that might "tip off" a user to strange behavior or compromise. So while you may notice redirects, pop-ups or sluggishness on your computer, embedded devices typically don't have a screen or user interface that may tip someone off. Moreover, embedded devices are "small", so they generally don't keep the kind of verbose application logs that some security solutions require for visibility. Many embedded devices use "read-only" FLASH filesystems (if that). This means that if a device is compromised, forensics and incident response are virtually impossible. In fact, breaches typically go unnoticed for months as understaffed security teams ignore or dismiss alerts. Traditional systems may also not be able to pick up when a device is misused or misconfigured.
Coupled With High Rewards
DDoS For-Hire: Embedded devices have been used to form a botnet and launch Distributed Denial-of-Service (DDoS) attacks. So while you might think your unsecured home webcam is harmless (who wants to watch my cat patrolling the living room?), when used cumulatively they are a potent danger. DDoS attacks have increased by 125%, largely fueled by the abundance of networked devices such as home routers and webcams. In fact, more than 7 million devices worldwide could be exploited for such attacks. A healthy ecosystem has developed around “DDoS testing services” and attacks can be purchased at the same price as a Starbucks venti caramel macchiato.
Industrial Sabotage and Espionage: At a national security layer, networked embedded devices provide attackers a surface to sabotage critical infrastructure such as power generation. ICS/SCADA systems (the controllers running our lives) can also be exploited for economic gain through industrial espionage, for example by compromising the operational network and then moving laterally into the IT network to steal engineering documents or reverse engineer industrial processes. The real threat is not traditional "compromised" devices (code injection, etc.) but maliciously (re)configured devices that cause product recalls or intentional failures. This threat landscape impacts safety, reliability and quality assurance in our robot-driven factories and power plants.
IoT Security is a Hot Marketing Topic But Real Solutions Lag Behind
- The Inside-Out Approach Will Not Secure the Embedded World: Antivirus worked great on workstations because they addressed a highly homogeneous ecosystem. Computers and servers run on a handful of operating systems. By contrast, embedded devices lack homogeneity and run on a wide variety of, sometimes proprietary, hardware, OS and software stacks. Moreover, the devices themselves are often SWAP-constrained, meaning they have limitations on size, weight and power; therefore, placing an agent on the device is impractical. This rules out anti-virus.
- Traditional Outside-In Will Not Secure the Embedded World: Traditional network defenses are not designed to address embedded device characteristics. They are signature-based and thus only alert on known attack scenarios. A false positive on a firewall will block traffic and cause downtime, which is unacceptable in many enterprise and industrial applications. Intrusion Detection Systems (IDS) catch shellcode, but we see that exploits of embedded devices misuse or reconfigure the device, thereby flying under the radar. An added challenge for control systems is that an active port scan or an incomplete protocol handshake can cause the devices to malfunction.
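As an added illustration (not Senrio's code) of the passive, behaviour-based alternative this section argues for: learn each device's normal peers, ports and protocols from flow records observed on the wire, then alert on deviations that suggest misuse or reconfiguration, without ever probing the devices themselves. All addresses and flow records below are constructed samples.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, bytes)
# Learning period: a PLC talking Modbus/TCP to an HMI, a camera streaming
# RTSP to a recorder and syncing time over NTP.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.1.5", 502, "tcp", 1200),
    ("10.0.1.20", "10.0.1.5", 502, "tcp", 1180),
    ("10.0.1.21", "10.0.1.5", 502, "tcp", 990),
    ("10.0.1.30", "10.0.1.9", 554, "tcp", 800000),
    ("10.0.1.30", "10.0.1.2", 123, "udp", 90),
]

# Constructed records observed later: two normal flows plus deviations that
# a signature-based IDS would not flag (no shellcode, no known exploit).
LIVE_FLOWS = [
    ("10.0.1.20", "10.0.1.5", 502, "tcp", 1210),      # normal
    ("10.0.1.30", "10.0.1.9", 554, "tcp", 790000),    # normal
    ("10.0.1.30", "203.0.113.7", 6667, "tcp", 2300),  # camera -> external peer
    ("10.0.1.21", "10.0.1.22", 502, "tcp", 400),      # PLC -> PLC, never seen
    ("10.0.1.20", "10.0.1.5", 502, "tcp", 250000),    # Modbus flow 200x larger
    ("10.0.1.99", "10.0.1.5", 502, "tcp", 100),       # device never baselined
]


def build_profiles(flows):
    """Per source device: learned set of (dst_ip, dst_port, proto) keys and
    the largest flow size seen for each key during the learning period."""
    profiles = defaultdict(lambda: {"peers": set(), "max_bytes": {}})
    for src, dst, port, proto, nbytes in flows:
        key = (dst, port, proto)
        p = profiles[src]
        p["peers"].add(key)
        p["max_bytes"][key] = max(p["max_bytes"].get(key, 0), nbytes)
    return profiles


def detect_deviations(profiles, flows, volume_factor=10):
    """Return (src, reason, key) alerts for flows that leave a device's
    learned profile: unknown source, new peer/port/protocol, or a flow
    more than volume_factor times larger than the learned maximum."""
    alerts = []
    for src, dst, port, proto, nbytes in flows:
        key = (dst, port, proto)
        p = profiles.get(src)  # .get() avoids creating a default profile
        if p is None:
            alerts.append((src, "unknown device", key))
        elif key not in p["peers"]:
            alerts.append((src, "new peer/port/protocol", key))
        elif nbytes > volume_factor * p["max_bytes"][key]:
            alerts.append((src, "volume anomaly", key))
    return alerts
```

The learning period must itself be trusted; a device already misconfigured during baselining will have its bad behaviour learned as normal.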
Security through Obscurity - Not an Option Anymore
Historically industrial control systems (as used in factories, power plants and other critical infrastructure networks) have relied on “security through obscurity.” This is an effective means of protecting assets as long as nobody knows the secret. For example, if you leave your key and alarm system password under the planter or doormat, the best home security system will not keep out burglars once they find out. Basically, the location of your home keys is plastered all over the internet and is accessible by anyone:
- STUXNET changed the game for Industrial Control: This worm technology infects Windows computers and gets propagated mostly through infected USB sticks. Its ultimate target is a specific brand of Programmable Logic Controllers (PLCs) which are used to control large-scale industrial facilities like power plants, dams, waste processing systems, etc. Stuxnet “reportedly ruined 20% of Iran’s nuclear centrifuges”.
- Increased research focus on Industrial Control Systems: With the public attention Stuxnet garnered, security researchers became more interested in this type of device (SCADA exploit modules within the Metasploit framework increased from 7 before Stuxnet to 57). Researchers started publishing vulnerabilities online. To make matters worse, a Russian security firm offered a software package for sale that contained 22 modules exploiting 11 zero-day vulnerabilities.
- Shodan puts ICS devices at your fingertips: Traditional search engines like Google index web content intended for user consumption. By contrast, Shodan indexes headers which are intended for machine-to-machine communication. When searching for D-Link online, Google will serve you up the company website and products. By contrast, Shodan will find all devices containing D-Link in their header, reveal the IP address and provide location information. See here for an example of all D-Link devices found by Shodan, including live feeds from unsecured cameras. With that, finding targets for publicly available exploits is akin to searching Google for the nearest Kinko's.
Going Dark - Not Realistic Either
However, isolating or “air gapping” critical systems from the Internet is a fallacy in the 21st century. Firstly, even isolated networks can get infected either intentionally through worms like Stuxnet spreading through infected USB sticks or unintentionally by connecting an infected computer during service or maintenance of the system.
Apart from air gapping not providing the desired protection, the need for connectivity and greater insight is driving the smart grid effort to install smart meters and advanced electrical infrastructure capable of handling alternative sources of energy. Rather than trying to turn back time, we must embrace innovation and rethink cyber security with the new reality that networked embedded devices bring.