Tech Talk | Internet of Things (IoT) Cybersecurity: What You Need to Know
With all this interconnectivity, how do you stay safe from hackers and protect the data that needs to be protected? This article provides practical guidance for understanding and protecting Internet of Things (IoT) devices.
Mike Robey, MS
Senior Director, Information Technology
More devices are going online. From baby monitors to medical devices, it seems that everything is connected. You can’t buy a new heating, ventilation, and air conditioning (HVAC) system without the thermostat needing to be connected to your home Wi-Fi. With all this interconnectivity, how do you stay safe from hackers and protect the data that needs to be protected? This article provides practical guidance for understanding and protecting Internet of Things (IoT) devices.
What Are IoT Devices and How Are They Built?
To be fully aware, one needs to understand what an IoT product is, how it will be used, the risks involved in connecting it to your network (office and home networks), and how to mitigate those risks.
IoT devices are designed to do a specific task and may be comprised of different components, such as a network interface; companion application software like a mobile app; and a backend, like a cloud service where data from the device is recorded. Think of an Amazon Echo. There is the physical device, the mobile app used to configure it, and Amazon’s cloud services supporting its use. Each of these IoT components are potential attack vectors. The whole IoT device, including its components, must be securable.
One other important factor to note—to reduce research and development costs, manufacturers use open-source software, especially for the network interface. There is nothing wrong with using open-source software, but it must be patched whenever vulnerabilities are discovered.
IoT devices have a smaller footprint than your average computer or smartphone. The software running on these devices may be paired down and security may have been an afterthought. From an academic perspective, security needs to be baked into IoT devices and not bolted on afterward. Unfortunately, it is difficult to tell how security is integrated into the product. Often, one must rely on the reputation of the manufacturer.
Think of risks as having two parts: if [event] then [consequences]. The event is something that might happen. The consequences are the negative impacts of the event occurring. The consequences may be lost revenue, exposure of protected health information, lost staff time, and/or reputation harm.
Once you have determined what your risks are using the above format, the ones with high probability and/or high impact need to be identified. To weight each risk, multiply the likelihood of the event occurring by its impact. The probability of occurring may be somewhat subjective but the negative impacts are measurable. Weighting the known risks will help identify mitigation areas to reduce the likelihood of the event occurring and to lessen its impact.
Interconnected devices with no human interaction or interface are easy to set and forget. You will want to write down what IoT devices have been deployed, the date they were deployed, and the last time they were patched.
With respect to attack vectors and integrations with other IoT devices, think of the scenario where your garage door opener is connected to your home security system. It may be convenient for your remote to not only open the door but also turn off your home security alarm. But this means that if someone hacks into your garage door opener, they can disable your home alarm.
Several years ago, Target suffered a data breach involving customer credit card numbers. The hackers broke into Target’s network via the HVAC system. Somebody connected the HVAC controls directly to the data network and left default passwords on the HVAC devices. Once the hackers broke into the HVAC system, they had free reign on the data network. Remember, everything is connected.
To summarize, the risks involved with IoT devices center on the following:
- Risks of each product component (the device, companion app, and cloud-based service)
- Network intrusion through the IoT device
- How the IoT device interacts with other devices
- Data exposure for the information the IoT device collects and transmits
Mitigation aligns with the proverb, “an ounce of prevention is worth a pound of cure.” At a fundamental level, you need to understand what each IoT device does so that you can better understand if its benefit outweighs its risk of data exposure and/or network intrusion. You also need to know what devices are connected to your network. Prescriptive security measures are impossible to implement without knowing what devices are connected.
One recommended mitigation strategy, particularly for office networks, is network segmentation. This calls for creating logically separate subnetworks to isolate traffic from the primary data network. For example, creating a separate guest Wi-Fi that cannot cross over to the internal data network. Consider creating a network segment for IoT devices. If Target had created a network segment for their HVAC system controls, the unauthorized exposure of customer credit card information could have been prevented.
The National Institute of Standards and Technology (NIST) recommended IoT product criteria mention the following:
- Asset Identification. For cybersecurity purposes it is vital that a network administrator can identify all devices plugged into the network. Without the ability to identify connected devices, asset management for updates, data protection, and digital forensics are hindered.
- Product Configuration. IoT devices must be configurable and upgradable to avoid specific risks and support consumers' needs. This includes the ability to reset the device back to secure default settings.
Good IoT Cyber Hygiene
Think of the bullets below as a down-and-dirty buyers guide for IoT devices:
- Only buy IoT devices that are upgradable.
- Buy products from a reputable manufacturer. See what others are saying about the product before you buy, especially concerning security. However, this is no guarantee that there will not be issues.
- Change the default username and password. Hackers know what these are.
- Read through the documentation and concentrate on security-related configuration settings. If you cannot change the default configuration–do not buy it.
- Does the device have any built-in alarms or warnings when unauthorized access is attempted? This would be a bonus.
Once an IoT device is selected, be sure to write down the model number, media access control (MAC) address, and date of implementation for tracking purposes. Then, on a regular basis check for software and firmware updates.
When any IoT device reaches end-of-life, be sure to reset it to its factory default (or destroy it) before disposal. You don’t want to accidently expose any data it might have collected or expose credentials to any associated cloud service component of the IoT device.
Technologies and risks change over time. Review the deployed IoT devices on a regular basis for configuration changes, software revisions, and functionality to determine if these devices continue to serve your needs. Make sure the benefits of the IoT device outweigh the risks of usage. Review all mitigations since these change over time, too. Remember, everything is connected. It is easier to stop something from happening than it is to repair the damage.