By Phil Neray
An attacker’s next point of entry to your corporate network just might be the Internet-connected smart TV in the boardroom, or a connected HVAC device accessed remotely by a third-party service technician. Once inside your network, the attacker can find a way to pivot to the OT network and compromise plant operations and safety. In the plant itself, an unmanaged weak point could be an unpatched Internet-facing VPN router or even a wireless access point.
With Gartner predicting the number of Internet of Things (IoT) devices will grow to 25 billion by 2021 — including CCTV cameras, sensors, smart lighting, even medical devices — boards and management teams are increasingly concerned about the risks posed by unmanaged devices and the expanding attack surface they represent. And with good reason.
For too long IoT device makers have deprioritized security in favor of faster time-to-market and lower costs. Devices lack even the basics of security, including automated patching and removal of default administrative credentials.
Because these embedded devices cannot be protected by legacy agent-based technologies — due to limited CPU/memory resources — and are often unpatched or misconfigured, they can easily be compromised by adversaries to threaten safety, conduct destructive ransomware attacks, steal sensitive intellectual property, and siphon computing resources for DDoS campaigns and cryptojacking.
For example, misconfigured wireless access points can be accessed by unauthorized clients such as employee or contractor laptops and mobile devices. They can also be compromised via the KRACK WPA2 vulnerability. CyberX’s 2019 Global ICS & IIoT Risk Report found that 40 percent of the 850 industrial sites we assessed with Network Traffic Analysis (NTA) have at least one direct connection to the Internet, and 16 percent have at least one wireless access point.
Access points such as routers are also exposed to sophisticated malware such as VPNFilter, enabling attackers to capture ICS traffic such as MODBUS, perform network mapping, destroy router firmware, and launch attacks on endpoints from compromised routers.
This widespread vulnerability has led to the introduction of the Internet of Things Cybersecurity Improvement Act of 2019, a bipartisan bill that would require the U.S. government to purchase only devices that meet the legislation’s minimum security requirements. The bill also calls for NIST to craft recommendations that address secure development, identity management, patching, and configuration management for IoT devices.
The bill is an important step toward steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world. But what can organizations do in the meantime to protect their operations, safety, and intellectual property?
Mitigating IoT and ICS Risk
Today’s security teams need a simple way to identify the risk posed by unmanaged IoT devices, as well as a scalable, risk-based approach for mitigating those risks, one informed by sophisticated behavioral analytics and machine learning combined with the latest M2M-aware threat intelligence.
The most straightforward approach is to select a non-invasive, agentless monitoring platform that provides a unified view of IoT and ICS devices and works across multiple sites, networks and virtual zones. That platform should be able to address the following five critical requirements:
1. Asset discovery. Any successful security program begins with knowing what IoT devices you have, how they’re connected, and how they communicate with each other. Look for a solution that can identify detailed information such as device type, manufacturer, model, serial number, firmware revision and open ports. This discovery should include identifying who touches your devices (third-party contractors, for example) and how they connect to them.
2. Risk and vulnerability management. What are the top risks and vulnerabilities for your assets — particularly your crown jewel assets — and how do you prioritize mitigation efforts when you have scarce resources? Look for a solution that provides a ranked analysis of risk exposures along with recommended mitigations so you can identify the high-risk/high-impact exposures you want to address first.
3. Threat monitoring and incident response. By the time organizations learn about cybersecurity breaches, particularly in OT environments, the attackers have typically been in the network for months and the damage has already been done. Relying on a signature-based approach can leave gaps in coverage — for example, when you’re targeted by a zero-day attack. Consider instead IoT- and ICS-aware behavioral analytics combined with machine learning that leverage Deep Packet Inspection (DPI) to detect both zero-day and known threats in real time. Incident response capabilities should let you investigate historical traffic so you can mitigate quickly.
4. Threat intelligence. Select a vendor that can offer you broad and deep threat intelligence geared for IoT and ICS devices, including the latest Zero Days, malware, campaigns, and adversary groups. You want to stay apprised of how devices are being targeted in the wild, who the adversaries are, and what they intend to do if they successfully penetrate your environment. Use this intelligence data to continuously update your IoT/ICS threat monitoring and threat hunting system.
5. SOC integration. A unified approach should include tight integration with your existing SOC workflows and security stack, including SIEMs, security orchestration and ticketing systems, secure remote access solutions, NACs, and next-generation firewalls. This integration enables your SOC to gain continuous visibility into the current state of your IoT and ICS assets, as well as correlate alerts across both IT and OT, and rapidly block or quarantine compromised devices.
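To make requirements 1 and 3 concrete, the following is an added example (not CyberX code, and not the platform the article describes) of the two mechanisms those items describe: passive asset discovery from observed traffic, and a behavioral baseline with protocol-aware DPI. It parses Modbus/TCP frames (the MBAP header plus function code, the same ICS protocol mentioned above), builds a device inventory with roles and vendors, learns which client/server/unit combinations issue which function codes during a baselining window, and then raises alerts for traffic that departs from that baseline: a previously unseen client talking to a PLC, a write function code from a host that had only ever read, or a malformed frame. All frames, MAC and IP addresses, and the OUI-to-vendor table are constructed for the example; a real deployment would feed it frames from a SPAN port or tap and load the IEEE OUI registry.

```python
"""Passive Modbus/TCP asset discovery and behavioral baselining.

Added example, not the article's or CyberX's code. Every frame, address and
vendor mapping below is constructed for illustration.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Constructed OUI-to-vendor table; a real tool loads the IEEE OUI registry.
OUI_VENDORS = {"00:11:22": "ExamplePLC Corp (hypothetical)",
               "aa:bb:cc": "ExampleHMI Inc (hypothetical)"}


def parse_mbap(payload):
    """DPI step: parse the 7-byte MBAP header and the function code that follows it.

    MBAP = transaction id (2), protocol id (2, must be 0), length (2), unit id (1).
    The length field counts every byte after itself, i.e. unit id + PDU.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match %d bytes present" % (length, len(payload) - 6))
    return {"transaction_id": tid, "unit_id": unit, "function_code": fc, "data": payload[8:]}


def build_inventory(frames):
    """Asset discovery: learn hosts, vendors (via OUI), roles, unit ids and function codes passively."""
    inventory = {}
    for f in frames:
        try:
            pdu = parse_mbap(f["payload"])
        except ValueError:
            continue  # not well-formed Modbus; the detector, not the inventory, reports it
        role = "modbus_server" if f["src_port"] == MODBUS_PORT else "modbus_client"
        entry = inventory.setdefault(f["src_ip"], {
            "mac": f["src_mac"], "vendor": OUI_VENDORS.get(f["src_mac"][:8], "unknown"),
            "roles": set(), "function_codes": set(), "unit_ids": set()})
        entry["roles"].add(role)
        entry["function_codes"].add(pdu["function_code"])
        entry["unit_ids"].add(pdu["unit_id"])
    return inventory


def learn_baseline(frames):
    """Behavioral baseline: which function codes each (client, server, unit id) tuple used."""
    baseline = defaultdict(set)
    for f in frames:
        if f["dst_port"] != MODBUS_PORT:
            continue  # only requests define the baseline
        try:
            pdu = parse_mbap(f["payload"])
        except ValueError:
            continue
        baseline[(f["src_ip"], f["dst_ip"], pdu["unit_id"])].add(pdu["function_code"])
    return baseline


def detect_anomalies(frames, baseline):
    """Flag requests that deviate from the learned baseline or that are malformed."""
    alerts = []
    for f in frames:
        if f["dst_port"] != MODBUS_PORT:
            continue
        try:
            pdu = parse_mbap(f["payload"])
        except ValueError as err:
            alerts.append({"type": "malformed_modbus", "src": f["src_ip"], "dst": f["dst_ip"], "detail": str(err)})
            continue
        key = (f["src_ip"], f["dst_ip"], pdu["unit_id"])
        fc = pdu["function_code"]
        name = FUNCTION_NAMES.get(fc, "FC %d" % fc)
        if key not in baseline:
            alerts.append({"type": "new_client_server_pair", "src": f["src_ip"], "dst": f["dst_ip"], "detail": name})
        if fc not in baseline.get(key, set()):
            kind = "unbaselined_write" if fc in WRITE_FUNCTIONS else "unbaselined_function"
            alerts.append({"type": kind, "src": f["src_ip"], "dst": f["dst_ip"], "detail": name})
    return alerts


def modbus_request(tid, unit, fc, data):
    """Build a constructed Modbus/TCP request frame with a correct MBAP length field."""
    pdu = bytes([unit, fc]) + data
    return struct.pack(">HHH", tid, 0, len(pdu)) + pdu


def frame(src_mac, src_ip, src_port, dst_ip, dst_port, payload):
    return {"src_mac": src_mac, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "payload": payload}


HMI, PLC, ROGUE = "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "aa:bb:cc:00:00:09"
# Constructed baselining window: an HMI polls holding registers on the PLC and gets replies.
LEARNING_FRAMES = [
    frame(HMI, "10.0.0.5", 49152, "10.0.0.20", 502, modbus_request(1, 1, 3, struct.pack(">HH", 0, 2))),
    frame(PLC, "10.0.0.20", 502, "10.0.0.5", 49152, struct.pack(">HHH", 1, 0, 7) + bytes([1, 3, 4]) + b"\x00\x0a\x00\x14"),
    frame(HMI, "10.0.0.5", 49152, "10.0.0.20", 502, modbus_request(2, 1, 3, struct.pack(">HH", 0, 2))),
]
# Constructed monitoring window: one normal poll, a write from the HMI, a write from an unknown host, garbage.
DETECTION_FRAMES = [
    frame(HMI, "10.0.0.5", 49152, "10.0.0.20", 502, modbus_request(3, 1, 3, struct.pack(">HH", 0, 2))),
    frame(HMI, "10.0.0.5", 49152, "10.0.0.20", 502, modbus_request(4, 1, 6, struct.pack(">HH", 5, 0))),
    frame(ROGUE, "10.0.0.99", 40000, "10.0.0.20", 502, modbus_request(1, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    frame(ROGUE, "10.0.0.99", 40000, "10.0.0.20", 502, struct.pack(">HHHBB", 5, 1, 2, 1, 3)),
]

if __name__ == "__main__":
    for ip, entry in build_inventory(LEARNING_FRAMES).items():
        print(ip, entry["vendor"], sorted(entry["roles"]), sorted(entry["function_codes"]))
    for alert in detect_anomalies(DETECTION_FRAMES, learn_baseline(LEARNING_FRAMES)):
        print(alert)
```

The split between `build_inventory` and `learn_baseline` mirrors the article's separation of discovery from monitoring: the inventory answers "what is on the network and who talks to it", while the baseline answers "what does normal look like". Keying the baseline on the unit id as well as the IP pair matters in OT, because a single TCP endpoint often fronts several devices behind a gateway. The alerts are plain dictionaries so they can be forwarded to a SIEM or ticketing system as requirement 5 describes.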
IoT and ICS devices are always on, always connected, and typically invisible to legacy IT security tools. For that reason alone, they offer an appealing entry point for attackers — on top of which, these unmanaged devices are often insecure by design, making them easy targets. It’s critical to your overall security posture to address both categories of devices in an automated, integrated fashion that reduces risk across both IT and OT.
Phil Neray is vice president of industrial cybersecurity at CyberX. Prior to CyberX, he held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Symantec, Veracode, and Guardium.