IoT Cyber Security
- Aug 8, 2018 2:08 pm GMT
- 322 views
Source: Roger Rademacher, Solution Architect - FoxGuard Solutions, Inc.
Truth be told… I think drawing a distinction between IoT devices and any other type of networked device will only cloud discussions on cybersecurity. While in Rome…
First, we need to level-set what an IoT device is. You might be an IoT device if…
- You are now “Smart”, previously known as “Un-Smart” or “dumb”
- You are managed from a remote location that could be on the moon
- You previously shared data only over an actual serial port (or, better yet, an analog 4-20 mA current loop)
- You were forced to learn Linux, TCP/IP and/or HTML against your wishes
- Someone questions why you have access to the Internet
- Your owner thinks you’re cool… but the hackers salivate when you are on the menu
I also want to rule out a huge family of devices. You might NOT be an IoT device if…
- You have been bequeathed access to the Internet and take your job seriously
- You had access to the Internet a decade ago
- You are solely or partly responsible for providing or controlling access to the Internet on behalf of endpoint network devices
- You are considered a “Standard” device (desktops, laptops, servers, smartphones, tablets, firewalls, routers and switches… just to name a few)
Some devices are “supposed” to have unfettered Internet access and if they are not designed to be secure they should be ignored, thrown in the trash, used as a replacement for clay pigeons or some other useful task. “Standard” devices are not IoT devices; instead, they are enablers.
Do we need to access the light level settings in our house while we are not there? Doubtful. Can we? Of course we can, along with numerous other use cases that are useful, novel, and/or quaint. I particularly like the example where the lights change color to a relaxing setting based on the stress level detected by a pacemaker as the car enters a garage that automatically opens when you pull into the driveway. What could possibly go wrong in that scenario?
When I see an IoT hack post-mortem article that starts with compromising a wireless router, I die a little on the inside. How can IoT devices, which have cybersecurity bolted on as an afterthought, possibly fare better than a purpose-built network device with cybersecurity features?
IoT devices are resource constrained and, therefore, not well suited to support the gamut of cybersecurity controls demanded of them. IoT devices are all special flowers that need to be protected. Often they are purpose-built to enable one very specific function in the hope of making our lives easier, and cybersecurity is not that function. In many ways, endpoint cybersecurity is contrary to the user experience. We need to use IT to protect IoT.
Here is the thick of it. The basic approach to protecting IoT devices is no different than protecting other network enabled endpoint devices with one exception. These endpoint devices cannot do for themselves. It might help to consider a use case.
Let us say that you are going on a month-long trip and cannot take your cat with you. I say cat since my cat couldn’t care less if I am absent for extended periods; she just sits in the sun and ignores me. Whereas my dog will start ripping up pillows sometime after 5 to 10 seconds. In addition, you do not trust the neighbor kid to check in periodically, and leaving a month’s worth of food will result in piles of wet cat food all over the house (or a Garfield). Nevertheless, you love your cat and procure a WiFi-connected, automated water/food dish that you control from your phone and, thankfully, does not connect to some ethereal and magical cloud service.
Phone -> home router -> food/water dish website -> food/water for cat -> yay us
We want to protect your new toy from hackers and ensure that your cat continues ignoring you while sunning anywhere other than the cat bed you bought her for Christmas. Oh, and do not forget that if someone hacks your new toy they could just pivot to everything else in your network. However, we only care about the cat… she is so cute.
This means we tunnel, encapsulate, segment, whitelist, monitor, manage, give some level of consideration to keeping our devices up to date when and if the vendors actually provide updates and pray. Why? Because the toy is only capable of feeding your cat. It cannot secure your network. It is not an IDS or IPS. It does not run anti-malware. Do not trust it to do anything else but feed your cat.
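As an added example (not part of the original article), the "segment, whitelist, monitor" portion of that list can be written down as a single default-deny policy for the feeder: it lives on its own segment, only the phone's segment may reach its web port, and the feeder is never allowed to start a connection to anything, cloud or LAN. The same policy object is replayed over a few constructed connection-log lines to show what "monitor" looks like in practice (a feeder that suddenly wants to talk to a laptop or the Internet is the alert), and rendered as an nftables forward chain. All addresses, the `lan0`/`iot0` interface names and the `src=... dst=...` log format are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example network; none of these come from the article.
LAN = ipaddress.ip_network("192.168.1.0/24")       # phones, laptops: the "standard" devices
IOT = ipaddress.ip_network("192.168.50.0/24")      # quarantine segment for the special flowers
FEEDER = ipaddress.ip_network("192.168.50.10/32")  # the cat feeder's fixed address


@dataclass(frozen=True)
class Rule:
    """One allowlist entry; dport=None matches any destination port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]


# The only thing the feeder is trusted to do is serve its web UI to the LAN.
# It may never initiate a connection anywhere: no cloud service, no LAN neighbours.
ALLOWLIST: List[Rule] = [Rule(LAN, FEEDER, "tcp", 443)]


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'accept' if a new flow matches an allowlist entry, otherwise 'drop'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ALLOWLIST:
        if s in r.src and d in r.dst and proto == r.proto and r.dport in (None, dport):
            return "accept"
    return "drop"  # default deny: anything not explicitly expected is blocked


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def triage(lines: List[str]) -> Tuple[int, List[str]]:
    """Replay connection-log lines through the policy.

    Returns (accepted_count, alerts). A dropped flow that the feeder itself
    initiated is the signal worth paging on: the device is trying to reach
    something it has no business talking to.
    """
    accepted, alerts = 0, []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if decide(src, dst, proto, dport) == "accept":
            accepted += 1
        elif ipaddress.ip_address(src) in FEEDER:
            alerts.append(f"feeder-initiated {proto}/{dport} to {dst} dropped")
    return accepted, alerts


def render_nft() -> str:
    """Emit the same policy as an nftables forward chain.

    Interface names (lan0 = LAN, iot0 = IoT VLAN) are assumptions; adjust to the router.
    """
    out = [
        "table inet iot_filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOWLIST:
        port = f" {r.proto} dport {r.dport}" if r.dport is not None else ""
        out.append(f'    iifname "lan0" oifname "iot0" ip saddr {r.src} ip daddr {r.dst}{port} accept')
    out += ["  }", "}"]
    return "\n".join(out)


# Constructed log lines: the phone opening the feeder's web UI, then the feeder
# probing a laptop's SMB port and trying to reach a DNS server on the Internet.
SAMPLE_LOG = [
    "2018-08-08T14:08:01 NEW src=192.168.1.20 dst=192.168.50.10 proto=tcp dport=443",
    "2018-08-08T14:08:05 NEW src=192.168.50.10 dst=192.168.1.30 proto=tcp dport=445",
    "2018-08-08T14:08:06 NEW src=192.168.50.10 dst=203.0.113.5 proto=udp dport=53",
]

if __name__ == "__main__":
    ok, alerts = triage(SAMPLE_LOG)
    print(f"accepted={ok}")
    for a in alerts:
        print("ALERT:", a)
    print(render_nft())
```

Everything the feeder is allowed to do fits in one rule; everything else is the router's problem, which is the point of the article: the toy feeds the cat, the standard devices do the securing.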
I am not the first to suggest it, and I hesitate to do so, but we could aim to force cybersecurity development standards onto all network-enabled devices regardless of their “Internet” relegation to IoT, IIoT, IoE, or the next initialism or acronym to round the corner; and contrary to any sane criticality analysis. Only those devices being sold to the federal government or critical infrastructures and industries seem to be in scope and that would need to change. When vendors start developing and certifying all their network enabled products to ISA 62443 standards we might consider delegating some of the cybersecurity responsibilities back to endpoint devices. Of course, they will be larger and more vulnerable as a result of the increased capabilities, codebase, and attack surface.
Maybe we don’t need to network-enable everything?