Rapid7 offers IoT Security Testing Services as part of our portfolio of assessment services. Please contact us if you are interested in securing your vehicles, medical devices, and every last connected thing. Our team of experts is ready to identify and mitigate risk across your IoT ecosystem.
The Internet of Things (IoT) is more than just smart coffeepots and Amazon Alexa. Whether you know it or not, IoT has probably already arrived at your business, bringing new security risks along with it.
In a recent webinar, I discussed what security professionals should be doing to secure their IoT devices and where companies often go wrong with IoT security.
What is IoT?
It sounds like a simple question, but most definitions of IoT are lacking. The term itself confuses people, since we tend to associate it with consumer toys that aren’t used in most businesses. Quite frequently, IT and security team members don’t even believe their businesses use IoT devices in the first place.
However, if your workplace uses multifunction printers, you use IoT. Other places you might find IoT devices include HVAC systems, lighting control systems, building security, conference room systems, or vending machines. These oft-overlooked spots are all potential security risks.
So, how do you decide what counts as an IoT device? Three components must be present. First, there has to be embedded technology. Second, the device has some kind of management and control, such as a mobile app or a driver on a workstation, that interacts with and controls the embedded tech. Finally, the device has access to cloud services, APIs, and storage.
Having a model like this to define IoT is important because it allows us to better understand risk and build threat models. A common pitfall is focusing on the embedded technology but failing to secure the other components of IoT. Instead, we should look at IoT as an ecosystem. Strive to understand how the pieces interact and communicate with each other and what that means for security.
IoT and security risks
We already mentioned that many people still don’t know exactly what IoT is or how to define it. That lack of knowledge poses a big security risk. If you have IoT in your organization—and you do—you need to know how it works, where it is, and what it’s doing. To do that, businesses must embrace the technology.
Think about smartphones. Not too long ago, IT security teams everywhere were panicking about employees bringing phones to work or checking work email on a mobile device. By embracing the technology and accepting smartphones as a new part of the landscape, businesses were able to move forward with creating effective policies and processes regarding mobile devices.
We’ve reached the point at which embracing IoT is critical. If your organization doesn’t embrace it, you won’t have a basis for creating ground rules and policies around it.
The biggest risk with IoT is something I call the “ghost in the shadows.” The phrase refers to IoT technology that is purchased, connected to the network, and then forgotten. Each unmonitored IoT device is a potential entry point or hiding place for an attacker.
For example, when I was a penetration tester, I worked with one government agency that had deployed highly advanced camera systems that were installed and then forgotten. Because of this, we were able to gain access to one of them. Even though the camera systems’ networks were segmented, the agency had allowed them to communicate through the firewalls of the different segments.
By pivoting from one camera to the next, my team eventually gained access to cameras in the governor’s mansion and police forensic labs. All of these systems should have been isolated from each other.
Communication, identification, and mitigation: Building a proper IoT security strategy
The first step in developing an IoT security strategy is to start the conversation with stakeholders. Bring senior leadership into the discussion—if they aren’t involved, you won’t be able to develop an effective, enterprise-wide plan.
Discuss how you can leverage IoT technology to help your company do business more efficiently. Identify the risks involved with using IoT as well as the risks you’ll face if you don’t embrace the technology.
Next, talk about any existing policies that define how IoT is used at your company and how you will approach it in the future. Can an employee bring his or her own IoT device to the office? How should a department go about getting approval for a new IoT technology? Define who will own any IoT devices that you allow on your network—otherwise, you could end up with ghosts in the shadows.
One of the hardest aspects of creating an IoT security plan is IoT recognition. First, you need to identify things like printers and cameras that are already part of your environment. Then, work on finding any other technology that is classified as IoT, including devices managed by other divisions of the company or third-party vendors. Construct processes for continued support of current and future IoT.
Once you’ve gotten your stakeholders on board and laid the foundation for your IoT strategy, you’ll need to develop an enterprise-wide risk management approach for IoT. There are several things you should consider:
- Be aware of what data is being collected by IoT and how
- Include IoT in your patch management solution
- Implement strategic incident detection and prevention
- Have contingency plans—what will you do if an IoT technology is compromised?
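The ownership, recognition and patch-management points above come down to keeping an inventory and checking it regularly. The following is an added example, not code from the original post or from Rapid7: a small inventory audit that flags the "ghosts in the shadows" (devices nobody owns or that have stopped checking in) and devices whose firmware has fallen outside the patch window. The device records, the field names and the thresholds are constructed assumptions for illustration; in practice the records would come from your asset database or network discovery.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class IoTDevice:
    """One inventory record (assumed schema; adapt to your asset database)."""
    name: str
    ip: str
    category: str              # e.g. "printer", "camera", "hvac", "vending"
    segment: str               # network segment / VLAN the device lives in
    owner: Optional[str]       # accountable team; None means nobody has claimed it
    last_seen: date            # last time the device answered on the network
    firmware_updated: date     # last time firmware / patches were applied


@dataclass
class Finding:
    device: str
    issue: str                 # "no_owner", "stale" or "unpatched"
    detail: str


# Constructed sample inventory and a fixed "today" so the example is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY: List[IoTDevice] = [
    IoTDevice("mfp-lobby-1", "10.20.1.15", "printer", "office-vlan",
              "Facilities", date(2024, 5, 30), date(2024, 3, 1)),
    IoTDevice("cam-garage-7", "10.30.4.7", "camera", "camera-vlan",
              None, date(2024, 2, 10), date(2021, 9, 15)),
    IoTDevice("hvac-ctrl-2", "10.40.0.2", "hvac", "building-vlan",
              "Facilities", date(2024, 5, 31), date(2023, 1, 20)),
    IoTDevice("vending-3f", "10.20.7.40", "vending", "office-vlan",
              None, date(2024, 5, 29), date(2024, 4, 15)),
]


def audit_inventory(devices: List[IoTDevice], today: date,
                    stale_days: int = 30, patch_days: int = 180) -> List[Finding]:
    """Return one Finding per policy violation.

    stale_days  - a device not seen for longer than this is probably forgotten
    patch_days  - firmware older than this is outside the patch window
    """
    findings: List[Finding] = []
    for d in devices:
        if not d.owner:
            findings.append(Finding(
                d.name, "no_owner",
                f"{d.category} at {d.ip} in {d.segment} has no accountable owner"))
        if (today - d.last_seen).days > stale_days:
            findings.append(Finding(
                d.name, "stale",
                f"last seen {d.last_seen.isoformat()}, "
                f"{(today - d.last_seen).days} days ago"))
        if (today - d.firmware_updated).days > patch_days:
            findings.append(Finding(
                d.name, "unpatched",
                f"firmware last updated {d.firmware_updated.isoformat()}"))
    return findings


def ghosts(findings: List[Finding]) -> List[str]:
    """Devices on the network that nobody owns: the 'ghosts in the shadows'."""
    return sorted({f.device for f in findings if f.issue == "no_owner"})


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type, for a quick dashboard or report line."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for f in results:
        print(f"{f.device:14} {f.issue:10} {f.detail}")
    print("unowned devices:", ghosts(results))
    print("summary:", summarize(results))
```

Run against the constructed inventory, the audit reports the forgotten camera three times (no owner, not seen for months, and years behind on firmware), the vending machine once for having no owner, and the HVAC controller once for being outside the patch window. The point of the "no_owner" check is that it is organisational rather than technical: a device with no owner has nobody who will see the other two findings, which is exactly how a ghost comes into being.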
IoT is everywhere, and it’s time to stop ignoring it. By understanding and embracing IoT, organizations can improve the way they do business as well as their security posture.