The Internet of Things (IoT) has entered the corporate building, and it's not always a welcome guest. In 2018, 21% of companies reported a data breach or cyber attack due to unsecured IoT devices, according to a recent Ponemon Institute survey. But what's most alarming is the trend. In the same survey last year, only 16% reported IoT-based attacks.
Ensuring enterprise security in the face of this trend should be a major concern for businesses. Unfortunately, many are still not taking it seriously. "With security, there is an attitude of 'If it hasn't happened to me yet, I don't have to worry about it,'" said Merritt Maxim, a Forrester principal analyst with a specialty in security and risk.
Chris Romeo, co-founder and CEO of the security training site Security Journey, thinks many people are just hoping for the best or playing the odds because IoT attacks haven't made the news very often.
Hope is not a security strategy, and not many CISOs survive a data breach, he said.
"That's a terrible approach. Like an ostrich with its head in the sand. It's not a matter of if you're going to get burned, but when."
So how should enterprises protect themselves? Here are seven steps you can take to begin securing your enterprise against IoT cyber attacks and data breaches.
1. Take the risks seriously
Forrester's Maxim believes the lack of urgency comes from an overall lack of awareness. "With IoT," he said, "because some of the threats are newer and not as widely used, some companies may delude themselves into thinking that these aren't issues they have to worry about, and they get a little complacent." Maxim compares IoT security to buying insurance. You hope you won't ever have to use it, but the odds are, you might. And when trouble comes knocking, you will be enormously glad you have the protection.
In spite of all the known risks, many companies haven't done much to secure their IoT devices. Maxim wishes everyone would take the risks more seriously. Most CISOs realize they have a lot of connected devices in use that have vulnerabilities but that hasn't been compromised yet. Maxim thinks a lot of CISOs just "roll the dice and hope they won't find themselves highlighted in the press."
"There certainly are plenty of things companies could and should be doing around this. But we almost need more IoT breaches to raise awareness of the seriousness so people will spend time assessing where the gaps are and put in controls to address those problems."
Why it's so hard to control
In The State of IoT Security 2018, a Forrester Research report from January 2018, author Maxim said: "IoT-enabled connected devices can be a security risk because they expand your company's attack surface, putting your company's core systems and data at risk. Some solutions enable admins to set policies on which actions, data collection, and software updates can be performed on a device."
But the report goes on to acknowledge one of the primary problems with such devices: They can be extremely hard to patch. In many cases, they don't have a physical UI or screen, so you can't even instruct the users on how to deploy an update.
Another issue: IoT attacks are different from other kinds of attacks, and this may be contributing to a general lack of awareness and urgency. "The threat dynamic of IoT is different from other threats," Maxim said. In the online world, hacks are primarily focused on data exfiltration for identity theft, credit card fraud, etc. In the IoT world there is some of that, he said, but connected devices have more riding on them.
"[A] connected device has the ability to cause more disruption, which could cause actual physical injury or even death."
That gives the IoT a different dynamic. The threat actors tend to be different: potentially more nation-state involvement or organized groups with a cause, and not just out for monetary gain. It can also be a disgruntled ex-employee who knows the secrets about connected devices and wants to cause them to stop working. "They turn it against the company, rather than outright theft of data, which is what we are used to seeing," said Maxim. "All of this leads to lower awareness in the attacks that you see."
This lack of awareness is a blind spot with ruinous potential. In the Second Annual Study on The Internet of Things (IoT): A New Era of Third-Party Risk, the Ponemon Institute surveyed people who participate in corporate governance and risk oversight and know how IoT devices are being used in their organizations. While more than 80% of them believe a cyber attack or data breach from unsecured IoT devices is likely to hit them in the next two years, many of them aren't confident they know what's happening to them right now. And one-third of them admitted they may have already had a data breach but just don't know it.
2. Discover what you have
The first thing to do is take an inventory to find out what IoT devices are already connected to the network, according to Maxim. While it may seem self-evident, this foundational step is not happening in most organizations.
The Ponemon study, published last March, found that most organizations don't inventory their IoT devices because they don't have centralized control over the IoT devices and apps that are present in the workplace.
Maxim believes that most companies have network management tools in place already that can give them information about what is going on in their environment at any point in time. "A basic discovery audit will reveal devices that might be IoT-enabled that are connected to the network," he said.
What to look for
During this inventory, you should look for any devices that shouldn't be connected to the network but are. They might be employee devices that really shouldn't be connected but somehow got hooked into the network. They might be devices that belong to your partners or vendors and shouldn't have a permanent connection. They may represent a security vulnerability or simply don't belong there and should be removed.
In looking at all your connected devices, consider the potential privacy issues associated with them as well. Be sure to look at what kind of data is stored and transmitted by the device. "Not just what is the device," said Maxim, "but what is the device doing, and what can it potentially do?" This can help you prioritize the devices that should be removed first if you have a lot of them.
This kind of impact analysis is even more urgent now that we are governed by the EU's General Data Protection Regulation (GDPR). Maxim pointed to the giant data breach experienced by Equifax in 2017, which affected more than 143 million people, and observed.
"If that happened now, under GDPR, they would be fined for waiting a month before notifying everyone."
The Facebook data breach that happened on September 24, 2018, and could result in fines nearing $1.63 billion highlights the dramatic new consequences that the GDPR brings to the issue.
It is particularly important that you find a way to inventory personal devices that people are using in conjunction with your network (BYO IoT). They increase your risks and are much harder to manage. According to the State of IoT Security 2018 report, "Traditionally, BYOD applied to smartphones, but as employees work away from the office and have other connected devices like digital assistants or fitness devices connected to the same network, there are new concerns around data security: If one of those devices is compromised, hackers can move laterally to compromise a connected corporate asset such as a laptop."
3. Design a secure network architecture
Security Journey's Romeo believes that a big part of the solution lies within your control: the design of your network architecture. For example, he cites security cameras, which have been used for years, "but what is new is that we now think of them as part of the attack surface."
"If your security cameras are Internet-accessible, shame on you. You should never connect something that critical to the physical security of your entire operation publicly to the Internet."
Instead, you should put them into a separate network that's isolated from everything else, he said.
If you are careful with your network design, you can "embrace that technology and the benefits of IP-connected devices. But it's a network architecture play," Romeo said. "You have to protect your devices from the network, and protect your network from the devices."
There is a surprising gap in this area. The Ponemon study found that less than 10% of organizations are confident they know about all of the printers, cameras, and building automation systems on their networks that are connected to the Internet. And if you can't identify all of them, you obviously can't isolate them properly.
Why it matters
Maxim noted that the Mirai botnet was an example of an attack that came in through unprotected devices. In October 2016, "Unprotected, Wi-Fi-enabled security cameras were compromised and used to launch denial-of-service attacks against sites like Twitter. In that scenario, it was an IoT hack, but it leveraged connected devices to carry out the attack," he explained.
Romeo cites a different example, where a vendor exposed the company to the risk. "When you look at the Target breach, it was the company that was managing Target's heat and air conditioning systems" that caused the problem. He pointed out that even if Target had been completely isolated on the network side "they still would have been hit because the company managing their HVAC in their buildings had security challenges and problems at their monitoring center."
4. Keep an eye on your suppliers and vendors
As Target learned the hard way, the companies that supply goods and services to you are just as vulnerable to IoT risks as you are. This is a great concern for many CISOs, especially those who depend on a complex supply chain for the products they sell.
Eric Sorenson, CISO at doTERRA International, a global provider of health and wellness products, said he worries a lot about the many suppliers that his company depends on because they could be exposing company data in different ways via unsecured IoT. He grills them about their security practices as part of his vendor risk management process.
"We currently don't have vendors using IoT devices in their services they provide us. I do worry about this. The use of these devices is gathering steam, and they most certainly present risks to organizations."
Monitoring and controlling vendor practices in this space is a daunting task that feels impossible to many security teams. Almost half of the respondents to the Ponemon survey said they can't manage all of the complexities of multiple IoT platforms specifically because of the number of vendors they have to deal with.
Romeo said he believes that IoT security issues exist for anybody that is part of your supply chain, including any developers you might engage.
"We're talking about shadow IoT here that other people bring into the office and the supply chain. Anyone building apps for you puts you at risk."
Ask the right questions
Obviously, the risks are not limited to BYO IoT. Internet-enabled devices that are part of the approved tech stack frequently put the enterprise at risk. It is important to assess the security levels of any Internet-enabled product before you purchase it.
Many of Maxim's clients understand this. One procurement team in a large enterprise that planned to buy networked printers asked him what security-related questions to ask the vendors. "They knew that printers could be hacked, and they wanted to know what kinds of backdoors they should look for." Those are the right things to worry about when buying any Wi-Fi device, he said. Unfortunately, vendors don't usually disclose that information.
Romeo believes that you need to increase your diligence with all of your suppliers and vendors during the selection process, as well as post-purchase.
"You really have to vet the providers a lot more than people have done historically, to ensure they have the same level of security-or stronger-that you have inside your own data center."
Romeo has worked for large enterprises that took this seriously enough to perform regular security audits of their key vendors. Whole teams of people would go out and assess them one or two times a year to see if they still had the same amount of rigor they had when they sold the company the solution. "If the answer was no, they had a short time to fix it," said Romeo, "or we considered them in breach of contract, and the company moved in a different direction."
5. Use any available certifications
Most vendors will claim their products are secure, but it is difficult to prove. There is a growing awareness of the need for some kind of authoritative certification process that can verify the security of a device. This would benefit both the vendors and their customers.
Maxim noted that Underwriter Labs (UL) is building out an IoT certification, "but has not yet had a great deal of success trying to drive better standards and common practices around better security techniques in the IoT space."
From his perspective, Romeo doesn't think the UL testing is all that useful. He said, "UL is the only front-runner in this space, and it is debatable as to how useful their testing actually is from a security perspective. Safety and security are two different test suites. UL owns safety; not so much security. I am not familiar with any certification marks for IoT devices that are valuable."
"Beyond the devices, there is a whole parallel effort in the network connectivity space," said Maxim. "NIST is doing some work in that space. Networking protocols have emerged, and there is quite a lot to choose from, but they are all trying to drive some kind of standardization that will improve overall security and minimize breaches longer term."
Watch for emerging standards
This area is likely to grow as groups scramble to fill this important need. For example, there is a new vendor consortium of building automation, lighting, and semiconductor manufacturers called the Fairhair Alliance that is attempting to define an open standard for IoT in commercial buildings. It leverages the work of several organizations such as BACnet, Zigbee, and KNX, which have established application-layer protocols and ecosystems.
"I am not familiar with Fairhair, but this is another example of the types of groups that are emerging to address a range of IoT interoperability and certification issues," said Maxim. "Fairhair is an interesting idea-the challenge will be how much momentum it can generate with suppliers and enterprises. But the lack of standards is definitely an issue in smart buildings and something we hear from our clients."
Many vendor certifications serve verticals, such as the medical devices market. "This is easier to do because they share common goals and architecture," Maxim said.
"No one certification is the best, but going through any kind of certification process is a good thing, because it will expose the gaps you need to address."
6. Practice for the data breach
Maxim strongly recommends you prepare for an IoT data breach the same way you prepare for a fire, earthquake, or any other disaster: Make a plan, have regular drills and keep the plan updated. "You should simulate a breach, just like you do fire drills," said Maxim. Have regular exercises to test your data-breach preparedness. If you get breached, you will have a well-documented plan for how you're going to deal with it.
Keep up your guard
He cautioned against the one-and-done approach he has seen in some organizations. Your plan needs to be updated and evaluated regularly, not put in a "three-ring binder on a desk that no one pays attention to," said Maxim. "We do see companies spending more time doing that kind of effort to improve their responsiveness if there is some type of breach."
"The time to test your incident response plan is not when the incident happens," added Romeo. "If you do that, it will break in the first 15 minutes when you hit something that you didn't imagine was going to happen."
Romeo noted that there is a whole range of drills you can undertake to test your readiness. He said that some companies do "tabletop exercises, all the way through to actually doing some event that causes everyone to spin up. Sometimes they know ahead of time-like, it will happen in the next 30 days. Other times it's blind. All of them test different levels of your organization's ability to respond to an incident."
Here are a few resources to help you plan a cyber attack drill:
7. Control what you can, and learn to live with the calculated risk
CISOs need to take a pragmatic approach and recognize that while you should do everything that you can do, you can't expect to prevent everything. As Romeo explained, "For something that's as crucial as a backdoor into your entire network, which is really what a smart-building management company represents, you really need to keep a close eye on their security practices. But while you can try to keep yourself completely isolated, in this modern day someone will always need to VPN in once in a while. You can control or limit, but can't completely block access."
Pick your battles
There are so many benefits to IoT, it is not reasonable to try to fully block it out. "Except for some industries like maybe the financial industry, where they even lock down their laptops," said Romeo, "I don't feel like we can just say, 'You shall not have IoT at the office.'" But with anything else, CISOs need to understand the true risk behind each device and use case and make an informed decision.
For example, in the case of voice-activated devices (Alexa, Siri, Google Assistant, etc.), Romeo thinks companies need to take a practical approach that acknowledges the difficulty of controlling them and exerts control in the specific use cases where it makes the most sense.
"I don't think we can say, 'No, we can't do it. That will just increase the shadow IoT world, where people do their own thing and you just don't know about it."
Companies need to be able to say, "The risk is worth it in these situations, and not in these." "You shouldn't have Alexa for Business running in your corporate boardroom," Romeo elaborated, "because the threat is so much higher when the conversations that are overheard could be about earnings for next quarter. If you've got someone listening in on that, they can go short the stock and make a lot of money." CISOs need to decide how much risk to tolerate.
Start now, and get ready for whatever comes next
For better or for worse, there is no stopping IoT in the enterprise. Devices are multiplying, hackers are becoming more creative, and the risks are getting more profound and potentially devastating with each passing day. If you do not feel adequately prepared, the time to start is right now.
"There is a risk that comes with IoT... Some that you can control, as a security executive, and some that are completely out of your control. But you should do the things that you can control and influence to the best of your ability."
If this feels a lot like the Wild West to you, that's probably the right way to feel about IoT security right now. We still have a lot more problems to face in this space.