Just a few years ago, we lived in the time of the “Internet of Users.” Technology—in particular the PC—played an important part in allowing people to communicate with one another using IPs. Smartphones and tablets eventually made users more mobile, but the Internet was still more or less about facilitating user interactions.
That has since changed. In observance of week three of the National Cyber Security Awareness Month (NCSAM), we now are confronted with the Internet of Things (IoT), a new age of independence for the Internet in which devices are able to interact with one another with little to no human input.
However, although its benefits are many, IoT is not without its challenges, says Chris Conacher, Manager of Security and Compliance Solutions at Tripwire. “Networking and hardware companies see [in IoT] a chance to resuscitate their dying bottom lines and are doing everything to move their products as quickly as possible.”
Conacher adds it’s easy for companies to repack old shelfware just to have something to sell as executives ask about IoT. Haste always precludes time to reflect, and it’s no different with IoT. In their eagerness to cash in on this growing market, companies are ignoring the significant security risks IoT integration creates.
“We need only to look as far as the Target credit card debacle to see an example of [IoT causing problems],” says Charles Kriete, Chief Revenue Officer at Wyless. “The hackers in that case came in through a connection enabled for Target’s heating and air conditioning contractor via the pipe they use to monitor temperatures in the stores.”
The problems become even greater and more numerous when we think about critical infrastructure. As we all know, critical infrastructure is already an attractive target for espionage, DoS, and other disruptive attacks. Unfortunately, with the Internet of Things, the attack surface for these installations increases, thereby making intrusions all the more likely.
As we continue to embrace IoT, we need to be careful about how we monitor, architect and deliver our security controls, especially with regard to critical infrastructure.
Here are a number of recommendations for how we can secure critical infrastructure in the Internet of Things:
Network segmentation and VPN security
While IoT is a relatively new concept, we can apply a number of existing networking solutions to this new world of machine-to-machine computing and wireless networking. Two of our best hopes are network segmentation and VPN security.
As Kriete notes, “By placing your machines/things on strictly private networks with private IP ranges, and IPsec VPN access to the private network, you have essentially mimicked the same level of security that has been used to quell hackers in mainstream networking for years.”
Placing our ‘things’ on private networks comes with another advantage: lower costs. “Even in unsuccessful hacking attempts,” explains Kriete, “public IP ranges are often hit with high data usage charges, which, if you are running your IoT network on cellular or satellite, can be extremely costly in terms of overages.” By using private networks, we can secure our IoT-enabled machines effectively and affordably.
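The following check is an added example, not part of the original article: it audits a device inventory against the segmentation advice above, flagging addresses outside the RFC 1918 private ranges and devices that sit outside their designated IoT segment. The subnet assignments, device names and inventory are constructed assumptions, and 203.0.113.25 is a documentation address standing in for a public one.

```python
import ipaddress

# RFC 1918 private ranges: the "private IP ranges" the section refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: subnets reserved for IoT devices and for corporate hosts.
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
CORP_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed inventory: (device name, address as recorded).
INVENTORY = [
    ("hvac-sensor-01", "10.50.3.17"),
    ("hvac-gateway", "10.10.8.4"),
    ("pump-controller", "203.0.113.25"),
    ("meter-07", "172.20.1.9"),
    ("cam-02", "10.50.300.1"),
]

def in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in networks)

def classify(address):
    """Return a finding for one device address."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "invalid-address"  # bad inventory data must not be skipped
    if addr.version != 4 or not in_any(addr, RFC1918):
        return "not-private"  # outside RFC 1918 space
    if in_any(addr, CORP_SEGMENTS):
        return "shares-corporate-segment"
    if not in_any(addr, IOT_SEGMENTS):
        return "private-but-unassigned-segment"
    return "ok"

def audit(inventory):
    """Map each non-compliant device to its finding."""
    findings = {}
    for name, address in inventory:
        result = classify(address)
        if result != "ok":
            findings[name] = result
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY).items():
        print(f"{name}: {finding}")
```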
Reevaluate the role of CISO
Now that there are hundreds if not thousands more Internet-enabled devices on your networks, you and your organization will need to determine where the Chief Information Security Officer (CISO) should report. After all, business leaders and other personnel might have organizational responsibilities that relate to these new devices. Determining how the CISO should address these changes and what their role should be, which includes the possibility of adding new duties, is essential for going forward in this world full of ‘things.’
Live Attack Intelligence
Most critical infrastructure runs on legacy systems that were created prior to the Internet and were, therefore, never designed for web connectivity. Acknowledging this, the need to secure critical infrastructure with respect to IoT is all the more dire.
IoT-enabled critical infrastructure systems will be attacked, but what makes the difference is preparation and network visibility. To achieve both of these things, Kurt Stammberger, CISSP, Senior Vice President, Norse Corporation, recommends making real-time access to live attack intelligence available.
“By emulating a wide array of known vulnerabilities through a global system of honeypots and sensors, live attack intelligence could provide the ‘over-the-horizon’ visibility organizations need in order to prepare countermeasures against emerging threats long before they hit their own networks,” says Stammberger.
“Visibility within an organization’s network is absolutely necessary to mitigate risks, and live attack intelligence provides the necessary insight to prepare those mitigations prior to a security event, not after the damage has already been incurred.”
Honor what has come before
Securing the IoT might seem like a daunting task, but there’s a lot of room for us to incorporate lessons we have learned from the past. Katie Moussouris, Chief Policy Officer, HackerOne and member of iamthecavalry.org, couldn’t agree more: “We have a chance to include security by design to reduce the number and severity of security issues, and to release new products and services with the knowledge and expectation that they will be under attack, and plan meaningful and effective response to those attacks.”
Our challenge is what it has always been—building resilient network ecosystems. How we choose to use and incorporate IoT is up to us. But in the end, we have a rich legacy of technology and expertise guiding our actions every step of the way.