IoT security is challenging—largely because the millions of IoT devices in the field can interact with enterprise systems in numerous ways.
Internal systems—Internet of Things (IoT)-enabled door locks and lightbulbs in corporate office buildings, for example—as well as external ones, typically sitting at a remote site (aka an employee’s or contractor’s home more than not these days) and jumping onto the enterprise local area network (LAN) or wide area network (WAN), courtesy of a VPN piggyback.
In addition, devices can be compromised in a couple of ways: (1) the original code from a manufacturer could include bugs or malware (with or without the manufacturer’s knowledge) in it when shipped; or (2) malicious attackers can hijack a unit’s code months later with malware. Once IoT gains access to the network and often its very own IP address, it unleashes all of these security nightmares.
Even worse—and this undercuts security triage—malicious code can prompt malicious actions from devices (such as to change the chemical percentages at a pharmaceutical’s assembly line), contradicting its manufactured purpose. But insidious code might just as easily use a device merely as a network conduit, so it doesn’t matter whether it’s official purpose seems dangerous, given that its goal is to simply access the network and do damage from afar.
With all these avenues for a breach, what is an enterprise CISO or CIO to do? Having a team of benevolent “hackers”/penetration testers repeatedly review the code of every IoT device for nefarious instructions can be cost-prohibitive. Besides, it is unlikely to help the legions of consumer-grade IoT devices sharing the home LANs of your personnel as your security team won’t typically have full access.
To Pen Test IoT Devices or Not?
Still, many argue that pen testing an enterprise’s IoT devices is critical. The questions is, How often is prudent and cost-effective? The answer to that question will vary widely from one enterprise to the next.
Steve Zalewski, the deputy CISO for $6 billion global apparel firm Levi Strauss & Co., said that he sees IoT pen testing as a no-brainer. “These are untrusted unverified devices on my trusted networks,” Zalewski said. “This is immature technology without mature security controls.”
“We have got to bring some rigor,” he continued. “The problem with IoT devices is that security is not considered within the functional capabilities of the devices
Forrester security and risk senior analyst Brian Kime also sees IoT pen testing as inevitable, but he encourages a more limited approach. He encourages CISOs to focus overwhelmingly on what the IoT device is supposed to do and how risky that environment is, as opposed to focusing on the conduit risk, which would mean repeatedly testing every single IoT device with network access.
“Using IoT pen testing makes sense, but you need to scope [it] appropriately,” especially, he said, “if the CISO has the luxury of dedicated red teamers or (staff) pen testers. Those broadly scoped pen tests just go everywhere, and no one really knows what to do with that.” The risk with too extensive a test effort, Kime said, is “scope creep and now you’re pen testing the whole company.”
Kime argued that CISOs look at device context and functionality. “Not every device is created equal, and not every system is just going to be that critical. The badge reader that gets into the nuclear control center (should be tested), not the one that gets into the gym. Understand the criticality of the asset.”
A recent Booz Allen Hamilton report stressed that industrial control systems (ICSes) will likely have a disproportionate impact on an enterprise’s cybersecurity, given the damage that such devices could inflict. “Current ICS/IoT environments rely on network segmentation to mitigate cyber risks. Organizations need to reconsider the structure of IIoT network setups,” the report said.
Kyle Miller, Booz Allen Hamilton’s director and OT cybersecurity practice lead, said that these ICS IoT devices can be invisible to security and IT teams. Beyond shadow IT (where a business unit will purchase the device without informing IT or security) and devices that are often ignored (such as IoT lightbulbs), some systems that enterprise has purchased for years may suddenly include connected devices. An engine, for example, might house a small IoT device that the manufacturer didn’t mention, which means the enterprise would have no reason to know it’s there.
Miller mentioned one enterprise in which the motor had vibration monitoring sensors. “They may have bought that motor without even knowing that these sensors were in there,” he said.
Booz Allen Hamilton VP Morgan Bjerke said another IoT pen testing consideration is contractual and legal. Given how enterprise IT contracts have been written, some enterprises have signed away their rights to do any testing, she said. This means that CISOs and CIOs must educate legal and contracts departments that the ability for the enterprise to do IoT pen testing is critical and that contracts must reflect that.
5G, Edge Computing Present New IoT Security Threats
Bjerke also stressed that 5G is likely to further complicate a wide range of IoT security issues. Although 5G primarily deals with transmission speed, it also can significantly increase connectivity, which makes IoT security that much more problematic.
“With 5G, some of the controls that are already in place will become less effective because the connectivity of those devices will be expanded. It’s really going to blur the edge,” Bjerke said, adding that the typical network segmentation approach will be undermined. “It is going to poke holes in that controlled space. If (IoT devices) get into one portion, they will easily move laterally because all of the devices will be connected.”
Another 5G IoT security consideration is that 5G introduces additional protocols into the network, protocols that Bjerke characterized as “less secure because they have more clear text,” he said. “As more businesses are becoming increasingly automated and connected, 5G gives more ability for the attacker to pivot.”