The expanding threat landscape resulting from the convergence of cyber and physical systems is providing cybercriminals with additional entry points into the corporate network. This is not going unnoticed by cybercriminals. The Fortinet Threat Landscape Report for Q4 of 2018 not only showed that half of the top 12 exploit spots were held by IoT, but that four of those spots were held by IP cameras. As it turns out, bad actors are now focused on exploiting the inherent IoT weaknesses in these cameras to possibly monitor or control the very same devices we use to monitor our physical safety and security.
Access to IoT IP cameras not only enables cybercriminals to snoop on private interactions and enact malicious onsite activities (such as shutting off cameras to better physically access restricted areas), but also enables them to be used as a gateway into the cyber systems they are connected to in order to launch distributed denial-of-service attacks, steal proprietary information, initiate ransomware attacks and more. The adage “who’s monitoring the monitors” is quite apropos here.
To prevent this sort of compromise, organizations need to establish security protocols designed to protect connected physical systems from attack, including segmentation, baselining behaviors, and alerts and quarantines that are triggered when behaviors change. This is also a reminder that every IP-enabled device, especially those that are part of your physical security system, needs to be part of your vulnerability and patch management process. This is especially essential as more and more physical security devices traditionally assigned to operational technology networks are now being converged into the IT environment. In this new interconnected world, security cameras are merely the canary in the coalmine. Criminals that gain access to things like fire suppression systems and alarms could potentially cause catastrophic harm.
These security protocols will also need ongoing updates as IoT threats continue to evolve. Fortinet’s Q3 report for 2018 contained an entire section detailing the evolution of IoT botnets over the last few years. One important 2018 adaptation was the ability to implant cryptojacking malware into infected IoT devices in the home. There is no reason why business devices wouldn’t be next. While mining cryptocurrencies requires high CPU resources, and individual IoT devices may not offer much in the way of processing power, hordes of easily compromised and largely idle IoT devices may offer such power through scale.
However, that Q3 report also revealed the merging of destructive tendencies with IoT botnets. Traditional malware like BrickerBot rendered over 10 million devices completely useless since its launch in 2016. While this might only be an inconvenience when your internet-connected coffee maker in the office break room bricks up, but what about a medical device in a hospital, an HVAC system in your building or a connected thermostat regulating the temperature of an industrial-sized boiler filled with caustic chemicals?
We don’t have to wonder because we now have malware like VPNFilter designed to target IoT devices, and even industrial control systems. Once installed, it can not only steal website credentials and monitor SCADA protocols, but it also includes a kill switch that can physically destroy an IoT device. And it also has the ability to inject malicious code back into the network session it is monitoring, allowing for crossover infection to endpoint devices. And the bigger issue is that traditional security systems do very little to secure vulnerable IoT systems.
Shifting security strategies
This weakness in many security strategies is about to get worse. The sudden, exponential growth of the attack surface due to the rapid expansion of IoT devices and edge-based computing, especially when deployed in emerging 5G networks, means that literally billions of IoT devices will be interconnected across massive meshed edge environments, where any device can become the weakest link in the security chain and expose the entire enterprise to risk.
To address this challenge, organizations will need to make some fundamental shifts in how they think about networking and security:
- IT security teams will need to develop new segmentation strategies to isolate devices and limit exposure. Segmentation will also need to be extended across networked environments for which organizations may or may not have full control, such as 5G networks and public cloud services, in order to protect wide-ranging workflows, transactions and applications.
- Security must become an edge-to-edge entity, expanding from the IoT edge across the core enterprise network and out to branch offices and multiple public clouds. To do this, everything connected to the enterprise ecosystem needs to be identified and rated, and their state continuously confirmed. Once effective visibility and control are in place, all requests for access to network resources must then be verified, validated, authenticated and tracked.
- Organizations must devise security that supports and adapts to elastic, edge-to-edge hybrid systems, combining proven traditional strategies with new approaches and technologies that operate seamlessly across and between multiple ecosystems.
- Disparate security tools will need interoperability to share information and stop threats. This will require vendors to establish new open 5G security standards, integrate APIs into their systems and develop agnostic management tools that can be centrally managed to see security events and orchestrate widely distributed security policies.
In the meantime, organizations need to adopt open standards and common operating systems to ensure as much consistent interoperability as possible across their evolving network. Correlating event data, sharing real-time threat intelligence and supporting automated incident response will require security technologies to be deeply integrated. This will mean the development and adoption of a holistic security architecture that uses machine learning, artificial intelligence and automation to accelerate decision-making and close the gap between detection and mitigation.
Situational awareness is also key. Organizations need to understand their critical processes and data, identify cyber assets and know what OS and applications are installed. They will also need to map their network architecture to understand data flows and possible blind spots, and identify threat actors to get an idea of how they will try to break in and what resources they are most interested in obtaining.
Knowing is half the battle. It will help you engineer as much risk and vulnerability out of your network as possible, and it will also help you select those security systems that are most appropriate to protecting your unique environment. Just remember, to be the most effective, any security technologies you choose need to be able to interact with your other enforcement points by sharing events, correlating intelligence and coordinating a holistic response to threats.
Because multiple exploits targeting IoT devices not only topped Fortinet’s charts for Q4, but indeed, for the whole past year, organizations cannot afford to take a wait-and-see approach to network security. Real-world exploits are already causing business disruption, including the destruction of IoT devices, and are poised to inflict further damage as techniques evolve and IoT-enabled networks continue to expand. Being aware of these changes is the first step toward creating stronger defenses across the expanding network — a necessity as IoT increases in size and momentum, and becomes increasingly embedded deep into our business strategies and networking strategies.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.