The importance of managing IoT devices on your network
By Mesay Degefu and Colby Proffitt
In the United States, critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
While we can easily see changes in the systems making up our physical infrastructure – physical data centers and servers – changes to our digital infrastructure are harder to ascertain. We can put a lock on the door to the data center itself, but it is more challenging to lock the virtual doors that provide access to the data – especially when new doors are added daily, sometimes without notifying the IT department and security operations. These new doors aren’t the result of malicious actors (though they are keen to exploit them); one of the greatest threats to our virtual infrastructure lives in your pocket – the internet connected devices collectively known as the Internet of Things (IoT).
The U.S. National Intelligence Council originally warned that the IoT would be a disruptive technology by 2025 and said that individuals, businesses, and governments were unprepared for a possible future when network interfaces reside in everyday things. However, IoT became disruptive far sooner than predicted: since 2008, internet-connected devices have outnumbered humans.
The pervasiveness of IoT devices has led to an undeniable outcome – the attack surface of our critical infrastructure is now virtually limitless. Metcalfe’s law suggests that the value of a network is proportional to the square of the nodes on the network. The more connections, the more valuable the system. The networks tied to our critical, physical systems have always been targets for malicious actors, but the designed access points to these systems have historically been guarded with defensive monitoring systems and firewalled entry points. IoT changes things substantially by introducing a host of additional entry points to the network – points that are likely poorly protected, if at all.
What’s different now
In the past, an attack on critical infrastructure meant damaging a building or destroying a weapon. Now, any Internet-enabled device connected to the network – be it a smart phone or an internet-connected thermostat – can serve as a hackable entry point and an attack on critical infrastructure. This is evidenced by events like Target’s data breach via HVAC, leaked account credentials from a ‘smart’ teddy bear, and even hacked smart TVs. This leads to the question: as IoT evolves, how does the definition of critical infrastructure need to change? Clearly we’ve moved beyond a definition of bridges, dams and hospitals, but should it include thermostats and light bulbs?
While 16 critical infrastructure sectors have been defined by the Department of Homeland Security (DHS), the attack surface has changed. What the government needs to consider is that it’s not just the systems that can be hacked, but how those systems can be used by the hacker once they break in, and what they can do with the data on those systems. This goes beyond a bad actor’s ability to penetrate one system; the interconnected nature of the digital world means that once in one system, shortcuts may be found to others. A relatively benign (and less secure) system may provide the gateway to a critical system. For example, if someone gained access to a smart device connected to a state Department of Motor Vehicles (DMV) network, that would be bad, but not necessarily devastating. However, if they could use the device to access the systems that store sensitive information or personally identifiable information (PII), everything from driver’s license numbers to traffic records and other sensitive information could be collected, manipulated, and used for a wide array of nefarious purposes.
Ownership complicates critical infrastructure
More than 85 percent of the nation’s critical infrastructure and resources are owned and operated by the private sector. When coupled with the explosive rise of IoT, this presents a major challenge since the private sector has no mandate to make IoT devices secure. More importantly, IoT manufacturers have no mandate to secure their products. While nothing connected to the internet can ever be 100% secure, some measure of built-in security is better than leaving the device wide open. The onus of cybersecurity is currently on the organizations using the devices, not the manufacturers. Some manufacturers argue that security is the responsibility of the individual or organization using their device; the costs for securing the software would, after all, cut into already thin profits.
With security resting in the hands of customers for the near future, organizations that manage networks and IoT devices should do a few things in the short-term:
1.) Inventory and assess their infrastructure and IoT devices to determine what networks, systems, and data are critical, and determine what devices really need to be connected to the internet over the organization’s network;
2.) Prioritize their defense around critical networks, systems, and data – start with the most sensitive and critical data and follow it to the network perimeter; and,
3.) Establish a schedule and process for reassessing infrastructure and connected devices.
In short, look at what you have now, document it, and decide what you really need and what can be removed. Next, determine what needs to be secured – some networks and devices may be more costly to secure and require special arrangements. Define your organization’s critical assets and establish definitions for the less-critical but still important parts of your network. Then, document the process, and establish a schedule to keep everything up to date as the network continues to mature.
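As an added illustration of the three steps above (not code from the article or its authors), the script below reconciles what is actually on the wire against a documented inventory: it flags devices seen in DHCP leases that nobody inventoried, groups the inventoried devices by criticality tier so defense can start with the most sensitive, and lists devices whose last reassessment is older than the schedule allows. All MAC addresses, hostnames, tiers and dates are constructed sample data, and the lease line format is assumed.

```python
"""Reconcile observed devices against an authorized IoT inventory (added example; sample data is constructed)."""
from datetime import date, timedelta

# Constructed authorized inventory: MAC -> (description, criticality tier, last review date)
INVENTORY = {
    "00:11:22:33:44:01": ("badge-reader-lobby", "critical", date(2024, 1, 10)),
    "00:11:22:33:44:02": ("hvac-controller-2f", "important", date(2023, 6, 1)),
    "00:11:22:33:44:03": ("lobby-smart-tv", "low", date(2024, 3, 15)),
}

# Constructed DHCP lease records in an assumed "<expiry> <mac> <ip> <hostname>" layout
LEASES = """\
2024-05-01 00:11:22:33:44:01 10.0.1.10 badge-reader-lobby
2024-05-01 00:11:22:33:44:02 10.0.1.11 hvac-controller-2f
2024-05-01 00:11:22:33:44:03 10.0.1.12 lobby-smart-tv
2024-05-01 00:11:22:33:44:99 10.0.1.50 teddy-bear-camera
"""


def parse_leases(text):
    """Return {mac: (ip, hostname)} for every well-formed lease line."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than guessing
        _, mac, ip, host = parts
        seen[mac.lower()] = (ip, host)
    return seen


def unknown_devices(seen, inventory):
    """Step 1: anything on the network that is not in the documented inventory."""
    return sorted(mac for mac in seen if mac not in inventory)


def by_tier(inventory):
    """Step 2: group inventoried devices by criticality so defense starts with the most sensitive."""
    tiers = {}
    for name, tier, _reviewed in inventory.values():
        tiers.setdefault(tier, []).append(name)
    return {tier: sorted(names) for tier, names in tiers.items()}


def overdue_reviews(inventory, today, max_age_days=180):
    """Step 3: devices whose last reassessment is older than the schedule permits."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(name for name, _tier, reviewed in inventory.values() if reviewed < cutoff)


if __name__ == "__main__":
    seen = parse_leases(LEASES)
    print("unknown:", unknown_devices(seen, INVENTORY))
    print("tiers:", by_tier(INVENTORY))
    print("overdue:", overdue_reviews(INVENTORY, date(2024, 5, 1)))
```

Run against real DHCP or switch data, the unknown list is the set of "new doors" the text warns about, and the overdue list drives the reassessment schedule.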
Until the manufacturers of the latest IoT devices are properly incentivized (or compelled by government mandate) to provide built-in security for the latest devices that will inevitably find their way onto the networks of our critical infrastructure, organizations must anticipate their existence and take the necessary steps to protect their networks. Failure to take some simple precautionary steps would be akin to installing a new screen door on a submarine – with similar disastrous results.