Once connected to a network, IoT devices provide impressive amounts of data to streamline and automate many manual processes. From environmental monitoring to smart metering to asset tracking, IoT applications create previously impossible efficiencies. However, a massive obstacle blocks many IoT projects: how to secure notoriously insecure IoT devices.
To learn about prevalent IoT security risks -- and how to best deal with them -- I visited the IoT Village at DEF CON 27. Here's what I learned.
Why IoT remains a major security risk
One of the most frequently asked questions is why IoT devices have more security-related problems than other network-connected components.
At DEF CON, presenters and fellow hackers offered two key reasons. The first is that nontech companies are making supplementary network-connected components for the first time. Take a washer and dryer manufacturer. After years of making such machines, the manufacturer understands the ins and outs of what makes washers and dryers work. Yet, suddenly there's a market for IoT-enabled washers and dryers. To get the connected machines to market quickly, a system on a chip (SoC) is slapped onto existing equipment with little understanding of the OS and services and no long-term plan to manage SoC hardware and software.
The second major IoT security issue is that limited IoT hardware resources mean that data security capabilities often take a back seat. The constrained processing, storage space and system memory inherent to IoT devices severely restrict the use of modern data security mechanisms, such as encryption. Additionally, since custom hardware is commonplace in IoT devices, modifying the OS to add new security features is often avoided due to the time and effort required to test and verify that patches won't brick the hardware.
Common IoT security problems
IoT security risks plague consumer and enterprise IoT devices alike, despite the fact that IoT devices connecting to enterprise networks demand higher levels of security.
Common enterprise IoT security shortcomings include the following:
- local authentication mechanisms
- insecure default network configuration settings
- static SSH keys
- self-signed certificates
In addition, many IoT products don't offer a management platform to track and monitor firmware and to alert when it is out of date or requires a security patch -- nor do many have a service to push a hardened configuration to multiple devices. Lastly, many security professionals have discovered OS processes and services running on IoT devices that serve no practical purpose other than exposing the device to unnecessary risk.
How to reduce IoT security risks
Many IoT security issues are easily mitigated through diligent security planning and remediation, especially when conducted prior to device deployment. For flaws that can't be corrected through configuration changes, added layers of network security can be wrapped around the devices; this includes segmenting IoT devices onto secure wired or wireless networks using access control lists or Layer 4 through Layer 7 next-generation firewalls.
While creating policies, procedures and added security measures is great, these are manual processes that can easily unravel if not carefully managed. In large IoT deployments, mistakes in manual security hardening are easy to make. To stay on top of this, the proper level of IoT and network monitoring must be put in place. This is where an artificial intelligence for operations, or AIOps, platform comes into play. An AIOps platform collects raw network and device telemetry data and sends it to an AI engine, which forms network and device baselines. The engine then detects anomalies and raises alerts when data veers outside baseline thresholds.
From a security perspective, an AIOps platform can prove invaluable since it can automate the discovery, identification and categorization of all IoT devices deployed on a network. From there, the AI will collect characteristics of each IoT device, such as OS patch level, what services the device is running, who the device is talking to and whether the device has been deployed on the correct subnet or wireless service set identifier. This automates dozens of time-consuming inventory and analysis processes in a single autonomous platform.
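The checks listed above (patch level, running services, communication peers and subnet placement) can be expressed as a policy audit over collected inventory data. The following Python sketch is an added example, not code from any AIOps product; the policy values, device records and function names are all constructed for illustration.

```python
import ipaddress

# Constructed policy per device category (all values are assumptions for illustration).
POLICY = {
    "hvac-sensor": {
        "subnet": ipaddress.ip_network("10.20.30.0/24"),
        "min_firmware": (2, 4, 1),
        "allowed_services": {"mqtt/8883"},
        "allowed_peers": {ipaddress.ip_address("10.20.0.10")},
    },
}

# Constructed inventory records, shaped like what a discovery platform might export.
INVENTORY = [
    {"id": "sensor-01", "category": "hvac-sensor", "ip": "10.20.30.17",
     "firmware": "2.4.1", "services": ["mqtt/8883"], "peers": ["10.20.0.10"]},
    {"id": "sensor-02", "category": "hvac-sensor", "ip": "10.20.31.5",
     "firmware": "2.3.9", "services": ["mqtt/8883", "telnet/23"],
     "peers": ["10.20.0.10", "203.0.113.44"]},
    {"id": "cam-07", "category": "ip-camera", "ip": "10.20.30.90"},
]

def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit_device(device, policy=POLICY):
    """Return the list of policy findings for one inventory record."""
    rules = policy.get(device["category"])
    if rules is None:
        return ["unknown-category"]  # no policy exists, so nothing is known to be allowed
    findings = []
    if ipaddress.ip_address(device["ip"]) not in rules["subnet"]:
        findings.append("wrong-subnet")
    if parse_version(device["firmware"]) < rules["min_firmware"]:
        findings.append("firmware-out-of-date")
    for service in sorted(set(device["services"]) - rules["allowed_services"]):
        findings.append(f"unexpected-service:{service}")
    peers = {ipaddress.ip_address(p) for p in device["peers"]}
    for peer in sorted(peers - rules["allowed_peers"]):
        findings.append(f"unexpected-peer:{peer}")
    return findings

def audit_inventory(inventory=INVENTORY):
    """Map device id -> findings, keeping only devices with at least one finding."""
    return {d["id"]: f for d in inventory if (f := audit_device(d))}

if __name__ == "__main__":
    print(audit_inventory())
```

Devices whose category has no policy entry are reported rather than skipped, so newly discovered hardware surfaces in the same report as misconfigured hardware.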
IoT risks -- get used to them
Because of the very nature of IoT devices and their manufacturers, don't expect the security problem to be fixed overnight. That's why the topic remains popular at IT security conferences, like IoT Village at DEF CON.
The design, deployment and ongoing management of IoT projects must include processes and platforms that ensure connected devices meet enterprise-grade security standards from the day they're deployed. They must also provide deep visibility and intelligent alerting when deployed devices veer outside set security thresholds.