IoT Device Cybersecurity

CONNECTED DEVICE SECURITY ASSESSMENTS BY TRIPWIRE

Devices running embedded software exist all around us—and industries across the board are accruing these IoT devices faster than they can keep up with securing them. The rise of such devices stands to benefit the quality and efficiency of products and services in smart grid, manufacturing, retail, critical infrastructure, and more. The market for industrial IoT (IIoT) alone was projected to hit $123 billion by 2021. [1]

Tripwire supports manufacturers of connected devices and organizations that utilize them by providing rigorous security assessments. Tripwire’s device testing approach includes identifying security risks and vulnerabilities that may exist in the physical construction of the device and its network interfaces. Our goal is to identify potential control exposures through security configuration analysis and vulnerability testing of the platform and the operating environment. Tripwire analyzes the security configuration of the operating system.

IoT Devices Can’t Be Assumed to Be Secure

Manufacturers of connected devices—and the industries that use them—often build and deploy them with a lack of cybersecurity awareness. It’s tempting to think of these devices as self-contained and self-maintaining. However, the truth is that these devices are computer systems with hardware components, as well as operating systems and applications within their firmware, often featuring communication interfaces to the outside world.

Just like the application systems hosted on servers within networks, the security controls of these devices must be designed, maintained, and updated to address security vulnerabilities and to fit within the security architecture of the larger systems and networks in which they function. Unfortunately, an explosion in new usages for embedded devices means that many of them are often rushed to market without appropriate security controls.

 

The Risks Posed by Connected Devices

The United States Government Accountability Office’s assessment of the status and security issues surrounding the IoT identified the following types of attacks as primary threats to IoT: [3]

  • Denial of Service
  • Malware
  • Passive Wiretapping
  • Structured query language injection (SQLi controls a web application’s database server)
  • Wardriving (search for Wi-Fi networks by a person in a moving vehicle)
  • Zero-day exploits

Ransomware (in conjunction with malware) would be a good addition to the GAO list. A variant of ransomware called “WannaCry” spread swiftly in 2017 and 2018, reaching over 100 countries and infecting over 200,000 computers. WannaCry disrupted government entities and many organizational and company networks that have connectivity to IoT.

[Image: IoT Spending Stats]

The Solution: Connected Device Assessments

Tripwire offers a range of customized services to protect distributed control systems (DCS), programmable logic controllers (PLC), and networked devices, and also performs analysis against such standards as the National Institute of Standards and Technology Special Publication (NIST SP) 800 series, American Petroleum Institute (API) 1164, ISA 99, ISO/IEC 27000, and others. Our clients include owners of refineries, pipelines, liquefied natural gas (LNG) plants, hazardous chemical plants, water treatment plants, and more.

Tripwire’s device testing engagements have revealed devices that allowed the login screens to be bypassed, or whose login screens failed to actually authenticate user sessions with the device, so that any user could become an administrator. In-depth testing has also revealed weaknesses allowing bypassing of encryption controls and allowing malicious intrusion between circuit boards within the device. For devices that reside in public areas, this vulnerability could grant a malicious intruder access to the critical control network, such as a smart grid network.

Each assessment begins with a review of the architecture of the device and the intended application in which it will be used. This sometimes involves testing encryption controls, circuit board interfaces and the protocols by which the device communicates with other systems or networks. This enables the testing results to be expressed within the context of the systems and business functions they support, as well as to enable recommendations for risk mitigation to be practical and realistic within the applicable environment.

IoT Security Considerations from NIST [4]

| Consideration | Device Constraint | Security Concern |
| --- | --- | --- |
| Power Consumption | Many IoT devices require a long battery life, without access to a permanent power supply. | Power-efficient hardware may lack additional capabilities like the ability to support encryption or hardware security mechanisms. |
| Low Cost | The consumer’s perceived value of a device greatly depends on the cost to purchase and implement the device. Market drivers often require that companies produce devices at a very low cost. | In meeting these price pressures, devices may have low processing power and constrained hardware space, offering limited support for security mechanisms. |
| Lifecycle | The lifespan of devices varies greatly: some devices (like simple sensors) are short-lived, while others are meant to last for decades. | Over time, devices may become hardware-constrained and cannot be updated. Built-in security mechanisms may be found vulnerable or deprecated, like old encryption suites. |

Learn More

Let us take you through Tripwire’s device assessments and other professional services and answer any questions you have.

[1] https://www.forbes.com/sites/louiscolumbus/2018/06/06/10-charts-that-will-challenge-your-perspective-of-iots-growth/#1b1db1163ecc

[2] https://www.gao.gov/assets/690/684590.pdf

[3] https://www.forbes.com/sites/louiscolumbus/2018/06/06/10-charts-that-will-challenge-your-perspective-of-iots-growth/#1b1db1163ecc

[4] https://www.nist.gov/itl/applied-cybersecurity/iot-cybersecurity-considerations