Securing IoT with Privileged Access Management

Derek A. Smith, Founder, National Cybersecurity Education Center
August 8th, 2018

Back in the early 2000s, utility companies were introduced to smart meters to provide a practical, hands-off way of collecting and monitoring data on how customers used their utilities. This was a predecessor for enabling other digital connections among remote devices and business systems, with the Internet as the go-between.

Today, this is known as the internet of things (IoT) and is used almost everywhere, from smartphones, watches, refrigerators, and cars to medical implants and industrial machinery. With the increased use of IoT devices comes increased security risk as well. So, our question to you is: is your organization fully prepared to secure IoT connectivity?

Check out my on-demand webinar to learn more: “Privileged Access and IoT: How to Clear the Path for IoT in Your Organization Without Increasing Risk”

IoT-Related Breaches

Recently, there have been many examples of security breaches related to the increased use of IoT devices, from the hacking of baby monitors and smart TVs to remotely hijacked cars. However, one of the biggest challenges for any business is understanding who has access, or the ability to gain access, to the infrastructure, from which devices, and with what level of access.

Real-world examples of cyber-attacks against IoT in the past few years include:

The 2017 Verizon Data Breach Digest report stated “Today, the IoT is not confined within an organization’s typical control boundary, as the connected infrastructure has moved far beyond those control lines. These devices exist virtually everywhere, are available anytime, and are on a variety of platforms. This must prompt organizations to think about IoT threat modeling in a manner that incorporates security and privacy by design.” If you are not already figuring out how to control your IoT devices, you are behind and need to start working on this right away.

IoT Devices Generally Lack Security Controls

All IoT devices have several things in common: they collect data, they communicate across the internet, and in most scenarios they hold credentials and passwords to protect their configuration or to communicate across networks. IoT-connected devices pose a significant risk to enterprises and governments alike. These devices typically do not have the same security controls that protect the rest of the enterprise network. For example, industrial control systems are often maintained for many years before being replaced or updated, some with a lifecycle of 15 or more years. Attackers know this and are increasingly exploiting the weaker security associated with IoT devices to compromise them and use them as launching platforms to gain unauthorized access to network systems.

IT teams are becoming more vigilant about securing access to the networks that connect valuable things, like factory equipment and smart grid hardware. IoT focuses on how such things interact with each other, including the things themselves, people, tools, and apps. To secure these devices, Gartner noted that privileged access management (PAM) would be essential for ensuring IoT networks cannot be hacked. This will not be an easy feat, though. With the increased number of endpoint devices due to IoT, the demands on PAM will become much more complicated.

How Privileged Access Management Helps Secure IoT

PAM helps to manage the people and the hundreds of thousands of “things” that are connected to a network. As stated by Gartner, PAM will be vital to effective IoT solutions and will become an integral part of every IoT solution. PAM for IoT is substantially different from traditional PAM. Security specialists must treat PAM for IoT as a specialized domain and not simply as an extension of traditional PAM, because there are huge differences between the two, and, unfortunately, legacy PAM tools and technologies are largely unprepared to deal with these differences.

Applying PAM will help defend against IoT-related security threats. What complicates matters is that the “someone” with privileged access can be a systems administrator, or just another connected device or back-end service. For instance, consider how many potential access points will be available to hackers as IoT devices continue to expand. Also consider that almost every major hack, including IoT-related hacks, can be attributed to privileged accounts.

That’s why good PAM is so important. It enables you to secure the credentials for these at-risk accounts, no matter how they’re accessed. It also allows you to audit and log account activity to help prevent breaches and demonstrate compliance.

The increased threats attributed to IoT devices demand that stronger security measures be put into place. So, while password-based and two-factor authentication methods have proven sufficient for devices like ATMs and smartphones, risky IoT scenarios require more robust safeguards. PAM systems give you the capability to monitor access across many devices and to manage all credentials through the same PAM system. This approach provides a centralized point of authentication and is especially effective in helping to prevent exposure and risk to privileged accounts.

As the number of IoT devices continues to increase, your privileged access measures need to keep up. Specifically, they need to provide privileged account management capabilities that can scale to accommodate the anticipated surge in connected devices and related access requests. The increase in IoT devices leads to a larger network of devices that creates a target-rich environment for hackers. Having a strong PAM solution that can rapidly monitor and detect anomalies in device access and usage patterns will help prevent compromise.

PAM will nullify the IoT machine-to-machine connectivity issue. If a device is not recognized, it will not be allowed to access the network, the system, or any information. In the case of a breach or unauthorized access, it will become much easier to identify in real time and lock systems down. A full-featured PAM solution will help give your organization better protection against hacks while also ensuring access is seamless for authorized users.

PAM can also help with compliance. A good PAM solution will create a paper trail recording who accesses what.

Since PAM for IoT is still relatively new, it could be some time before available solutions are equipped to address security requirements in IoT scenarios. But you can get a head start by protecting communication among devices and service providers. Make sure you send user credentials only over secure channels. Also, properly secure any APIs you use to connect IoT devices and services, and add a layer of protection beyond passwords by using advanced authentication methods, such as multi-factor and risk-based authentication.


Derek A. Smith, Founder, National Cybersecurity Education Center

Derek A. Smith is an expert in cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership, and training. He is currently the Director of Cybersecurity Initiatives for the National Cybersecurity Institute at Excelsior College, responsible for performing complex duties relating to the development and coordination of cyber initiatives at NCI. Formerly, he worked for a number of IT companies, including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He has also taught business and IT courses at several universities for over 20 years. Derek has served in the US Navy, Air Force, and Army for a total of 24 years. He completed an MBA, an MS in IT Information Assurance, a Master's in IT Project Management, and a BS in Education.