IoT devices: An unfortified attack vector
Dec 14, 2021
As security professionals grapple with locking down complex infrastructures, the proliferation of IoT devices poses a significant and easily overlooked security threat.
IoT manufacturers have historically focused on new features, neglecting the security complexities that might arise from them. Consider that any remote solution to lock a door also represents a remote solution to unlock it. (The Internet of things refers to devices with sensors such as consumer watches, TVs, gadgets, and enterprise devices such as pressure, location, and status indicators).
While new valuable features have made IoT devices attractive to consumers, they have also introduced an unfortified attack vector for cybercriminals and malware. With ubiquitous access and skyrocketing traffic volumes associated with IoT devices, their popularity will increase exploit opportunities.
Businesses, too, have been deploying IoT devices for many years for similar convenience reasons. Over almost a decade, the business community has leveraged data-streaming, IP-aware devices to handle various tasks such as pressure-flow monitors, video cameras, moisture sensors, and countless other applications.
And as the basic principle of adding computational intelligence to the operational infrastructure has become more appealing, the complete range of use cases has continued to grow at an incredible pace.
Some industries are now dependent on these devices to assist and control business-critical operations such as pipeline flows, production line progress, temperature monitoring, factory operations, and blast furnace operations. Today, these industrial devices are better known as operational technology (OT) and share the same characteristics as older or consumer-focused IoT devices. They can be managed and monitored over a standard IP network. They generate and stream data. They offer a single, unified point of control over what was previously a sprawling infrastructure of disparate hardware.
Over time, OT devices, just as IoT devices, are acquiring a broader range of capabilities and generating more and more data. For example, streamed OT device data can be (and is) an essential resource to analyze the health of bearings on railroad cars. Artificial intelligence systems commonly leverage this data in various ways to adjust, refine, or optimize business processes and thus minimize risks and costs while increasing business value. Once data informs a trained AI engine, it can generate the insights needed for more efficient and effective maintenance, dramatically reducing the odds of a physical failure, a business catastrophe, and potential loss of life. These are all very desirable outcomes.
Unfortunately, we forget in this context the extent to which corporate dependence on IoT/OT devices simultaneously introduces new security concerns. Enterprise IT teams may not even be aware of all the devices generating traffic (shadow IoT), further expanding IoT-based attack vectors. The root cause for such absentmindedness among businesses is the same as it's always been for consumers: the focus is nearly always on the new features, added convenience, and cost reductions – not the new open doors introduced for criminals and malware.
Dedicated IT pros operating in non-industrial settings spend little time thinking about IoT/OT as an attack vector. They fixate on securing traditional computational infrastructure, their highest visible attack surface. As businesses have come to depend on IoT/OT devices in all the ways just discussed, IT managers often leave them out of the security discussion entirely, failing to grasp the extent to which hackers regard them as low-hanging fruit. While many IoT/OT devices are, by design, not exposed to the vector of attacks as smartphones, laptops, and computers, some are easy to find and are usually far easier to compromise.
COVID-19 has only compounded this problem. When the pandemic struck, offices around the globe emptied, and IT teams shifted to focus primarily on delivering safe and secure remote access capabilities for displaced workers. That shift empowered cybercriminals to devise specific strategies and toolkits to attack the now-neglected corporate offices, compromising IoT/OT devices such as smart card readers and internet-connected printers at will.
ESG (environmental, social, and governance) initiatives have also complicated IoT/OT security in several ways. For instance, environmentally-conscious mandates have led corporations to deploy smart IOT devices en masse to track and reduce electrical consumption when possible and thus minimize greenhouse gas generation (the company's carbon footprint). But each new device must also be taken into account from a security perspective, based on the risk of an exploit potential that it represents and secured to the fullest possible extent. Yet, the usual outcome is focusing on cost reductions rather than the door opened to malicious actors.
Most consumer-grade IoT devices are often poorly constructed and ill-designed from a cybersecurity intrusion perspective. Because they mostly communicate with the Internet directly, they can be easily detected and, too often, exploited when they become active. As part of the activation process, the first configuration step for many of these devices is to establish an Internet connection and, thus, stream data and receive instructions from an administrator.
This process announces their existence to the outside world, including the global range of criminal organizations, hackers, and in some instances, malware variants. A simple scan can identify these devices, their IP addresses, and the networks and companies that deem them as assets. Subsequently, such compromised IoT/OT devices can double as an unmonitored beachhead for attackers to move laterally, steal credentials, exfiltrate data, implement ransomware exploits, and carry out many other malicious activities.
A straightforward solution
Today, corporations can secure their complete infrastructures from end to end by routing all their IP traffic through a trusted partner that offers advanced analytical capabilities based on zero trust architecture (ZTA) principles. In addition to securing conventional IT infrastructures, this approach gives companies a convenient and cost-effective way of detecting, classifying, and securing all their IoT/OT devices as well.
Because the third-party ZTA acts as a fortified buffer between company assets and the rest of the world, each corporate IoT/OT device is effectively hidden from the Internet. Criminal scans cannot identify a device's location, network, or company association. Furthermore, security professionals can quickly inspect all traffic routed through such devices and provide qualified remote access (often needed for maintenance and support activities) through advanced identity management capabilities.
The same architecture provides benefits by providing a complete inventory and exposure of their IoT/OT devices. That's because managers can easily quantify the number of devices that communicate with the Internet without adequate control, monitoring, or inspection – all of which can now be secured.
If you'd like to learn more about identifying and shielding your company's unsecured IOT and OT devices, or if your zero trust journey is getting started, connect with us to find out how we can help.
What to read next