Back in the early 2000s, utility companies were introduced to smart meters to provide a practical, hands-off way of collecting and monitoring data on how customers used their utilities. This was a predecessor for enabling other digital connections among remote devices and business systems, with the Internet as the go-between.
Today, this is known as the Internet of Things (IoT), and it is used almost everywhere, from smartphones, watches, refrigerators, and cars to medical implants and industrial machinery. With the increased use of IoT devices comes increased security risk. So, our question to you is: is your organization fully prepared to secure IoT connectivity?
Check out my on-demand webinar to learn more: "Privileged Access and IoT: How to Clear the Path for IoT in Your Organization Without Increasing Risk"
Recently, there have been many examples of security breaches related to the increased use of IoT devices – from the hacking of baby monitors and smart TVs to remotely hijacked cars. However, one of the biggest threats to any business lies in not knowing who has access, or the ability to gain access, to the infrastructure, from what devices, and with what level of access.
Real world examples of cyber-attacks against IoT in the past few years include:
- Texas Tornado Alarms being set off, causing panic across the city
- A German Steel mill blast furnace being damaged
- Ukraine Power Grid being taken off-line and impacting 86,000 homes
- Hospital devices hit with ransomware, causing a state of emergency to be declared because the hospitals were unable to continue critical services
- IoT devices being turned into bots, and then being controlled and used to participate in a DDoS (Distributed Denial of Service) attack like the one that targeted Dyn, bringing popular websites like Netflix, Twitter, Amazon, Airbnb, CNN and the New York Times to their knees and offline
The 2017 Verizon Data Breach Digest report stated “Today, the IoT is not confined within an organization’s typical control boundary, as the connected infrastructure has moved far beyond those control lines. These devices exist virtually everywhere, are available anytime, and are on a variety of platforms. This must prompt organizations to think about IoT threat modeling in a manner that incorporates security and privacy by design.” If you are not already figuring out how to control your IoT devices, you are behind and need to start working on this right away.
IoT Devices Generally Lack Security Controls
All IoT devices have several things in common: they collect data, they communicate across the internet, and in most scenarios they have credentials and passwords to protect their configuration or to communicate across networks. IoT-connected devices pose a significant risk to enterprises and governments alike. These devices typically do not have the same security controls that protect the rest of the enterprise network. For example, industrial control systems are often maintained for many years before being replaced or updated, some with a lifecycle of 15 or more years. Attackers know this and are increasingly exploiting the weaker security associated with IoT devices to compromise them and use them as launching platforms to gain unauthorized access to network systems.
IT teams are becoming more vigilant about securing access to the networks that connect valuable things, like factory equipment and smart grid hardware. IoT focuses on how such things interact with each other, including the things themselves, people, tools, and apps. To secure these devices, Gartner noted that privileged access management (PAM) would be essential for ensuring IoT networks cannot be hacked. This will not be an easy feat though. With the increased number of endpoint devices due to IoT, the demands on PAM will become much more complicated.
How Privileged Access Management Helps Secure IoT
PAM helps to manage the people and the hundreds of thousands of “things” that are connected to a network. As stated by Gartner, PAM will be vital to effective IoT solutions and will become an integral part of every IoT solution. PAM IoT is substantially different from traditional PAM. Security specialists must treat PAM IoT as a specialized domain and not simply as an extension of traditional PAM, because legacy PAM tools and technologies are, unfortunately, largely unprepared to deal with the differences between the two.
Applying PAM will help defend against IoT-related security threats. What complicates matters is that the “someone” with privileged access can be a systems administrator or just another connected device or back-end service. For instance, consider how many potential access points will be available to hackers as IoT devices continue to expand. Also consider that almost every major hack, including IoT-related hacks, can be attributed to privileged accounts.
That’s why good PAM is so important. It enables you to secure the credentials for these at-risk accounts, no matter how they’re accessed. It also allows you to audit and log account activity to help prevent breaches and demonstrate compliance.
The increased threats attributed to IoT devices demand that stronger security measures be put into place. So, while password-based and two-factor authentication methods have proven sufficient for devices like ATMs and smartphones, risky IoT scenarios require more robust safeguards. PAM systems give you the capability to monitor access across many devices and to manage all credentials through the same PAM system. This approach provides a centralized point of authentication and is especially effective in helping to prevent exposure and risk to privileged accounts.
As the number of IoT devices continues to increase, your privileged access measures need to keep up. Specifically, they need to provide privileged account management capabilities that can scale to accommodate the anticipated surge in connected devices and related access requests. The increase in IoT devices leads to a larger network of devices, which creates a target-rich environment for hackers. Having a strong PAM solution that can rapidly monitor and detect anomalies in device access and usage patterns will help prevent compromise.
PAM will nullify the IoT machine-to-machine connectivity issue. If a device is not recognized, it will not be allowed to access the network, system or any information. In the case of a breach or unauthorized access, it will become much easier to identify the problem in real time and lock systems down. A full-featured PAM solution will help give your organization better protection against hacks while also ensuring access is seamless for authorized users.
PAM can also help with compliance. A good PAM solution will create a paper trail to record who accesses what.
Since PAM IoT is still relatively new, it could be some time before available solutions are equipped to address security requirements in IoT scenarios. But you can get a head start by protecting communication among devices and service providers. Make sure you send user credentials using secure channels. Also, properly secure any APIs you use to connect IoT devices and services, and add a layer of protection beyond password usage by using advanced authentication methods, such as multi-factor and risk-based authentication.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.