Tim Bandos at Digital Guardian sets out five things that organisations can focus on to secure their Internet of Things infrastructure
Organisations around the world are now on alert to the new reality regarding cybersecurity: strong cyber defences are imperative if they want to prevent themselves from becoming a target. This is especially true for those organisations that operate key national infrastructure or provide critical health care.
This means not only deploying the right types of technology to prevent data loss and malware infections, but also pushing security education internally so every employee constantly keeps it top of mind.
Such vigilance is warranted against the backdrop of ransomware operators and other cybercriminals who continue to develop new ways of attacking their chosen targets. Take the example of DarkSide, the group behind the recent Colonial Pipeline attack in the US.
This audacious cyber gang took a business approach far beyond simply hitting a target with malware and demanding a ransom be paid. It offered technical support to affiliates using its ransomware, provided a payment portal, and even operated a call centre to harass victims into paying.
DarkSide, of course, was driven into hasty retreat shortly after the Colonial attack; disrupting critical US national infrastructure may be a step too far, even for such a tightly run criminal organisation. In announcing that it was ceasing all activity, DarkSide pinned the Colonial attack on one of its affiliates and called it a breach of its own ‘code of conduct’, which prohibited targeting critical infrastructure. This disclaimer did not prevent DarkSide from climbing many federal law enforcement agencies’ most-wanted lists, making its continued operation untenable.
Whether or not DarkSide resumes operations, such cautionary tales underscore the importance of having comprehensive cyber defences in place. After all, it’s not enough to blame the criminal group responsible for a high-profile cyber attack – the target must also take responsibility for having the appropriate security controls to prevent it.
As if this already complex challenge wasn’t enough, the explosive growth of the Internet of Things (IoT) has made it infinitely more difficult. How so? IoT expands not only the volume of devices that need protecting but also the geographical size and shape of the environment in question. Just think how difficult it can be to protect an asset as expansive as an oil pipeline, with thousands of IoT devices, ranging from flow meters and sensors to surveillance cameras, all connected to the wider IT environment.
Amidst this growing complexity, how can organisations relying on the IoT ensure their environments are as protected as possible?
The answer, in short, is to bolster your IoT security. To help get you started, below are five key areas of IoT security to know about. This information will let you collaborate with your programmers and IoT vendors to help your organisation eliminate current IoT vulnerabilities exploited by organisations such as DarkSide:
- Robust physical security: Start with the most obvious: physical security is paramount. Developers should primarily focus on integrating tamper-proofing measures into device components to ensure they cannot be decoded. Additionally, you can help prevent private data from being used maliciously by erasing device data related to authentication, identification codes and account information whenever a device becomes compromised.
- Strong data encryption: When utilising IoT solutions, organisations must always properly encrypt all traffic flowing between devices and backend servers. It’s vital to encrypt commands and to protect command integrity via signing or a strong encoding. IoT devices should also encrypt any sensitive user data they collect, for further data security.
- Device authentication and identity: Proper and secure authentication with individual device identification lets you build a secure connection between the devices themselves and the backend control systems. If every device has its own unique identity, organisations can quickly confirm that the device communicating is indeed the one it claims to be. This requires individual device identification based on solutions such as Public Key Infrastructure (PKI).
- Firmware update capabilities: In the rush to get new IoT products to market, manufacturers sometimes build devices with no firmware update capability at all. Creating a consistent process that enables flexible firmware deployment over time allows for the creation of new products whilst ensuring important security fixes are distributed universally across existing product lines.
- Closing all backdoors: Building devices with a backdoor inside, whether for surveillance or law enforcement purposes, has become commonplace. This practice, however, compromises the integrity and security of the end-user. Manufacturers must ensure that no malicious code or backdoor is introduced and the device’s UDID is not copied, monitored or captured. Doing so will guarantee that when the device registers online, the process is not captured or vulnerable to interception, surveillance or unlawful monitoring.
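As an added example (not code from the article or from Digital Guardian), the following Go program shows how the command-integrity point and the device-identity point fit together: each device holds its own Ed25519 private key, the backend keeps the enrolled public keys, and every message is signed over the device ID, a counter and the payload, so the backend can confirm which device is speaking, detect tampering and reject replays. The device ID and reading are constructed values, and transport encryption (e.g. TLS) is assumed to wrap this exchange and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrUnknownDevice = errors.New("device not enrolled")
var ErrBadSignature = errors.New("signature does not verify")
var ErrReplay = errors.New("counter not newer than last seen")
// signingInput binds ID, counter and payload so none can be swapped unnoticed.
func signingInput(id string, ctr uint64, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("%s\x00%d\x00", id, ctr)), payload...)
}

// Sign runs on the device; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, id string, ctr uint64, payload []byte) []byte {
	return ed25519.Sign(priv, signingInput(id, ctr, payload))
}

// Backend: enrolled public key (the device identity) and highest counter seen, per device.
type Backend struct {
	Enrolled map[string]ed25519.PublicKey
	LastSeen map[string]uint64
}

// Verify accepts only an enrolled device, a valid signature and a fresh counter.
func (b *Backend) Verify(id string, ctr uint64, payload, sig []byte) error {
	pub, ok := b.Enrolled[id]
	if !ok {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(pub, signingInput(id, ctr, payload), sig) {
		return ErrBadSignature
	}
	if ctr <= b.LastSeen[id] {
		return ErrReplay
	}
	b.LastSeen[id] = ctr
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair made at enrolment
	b := &Backend{Enrolled: map[string]ed25519.PublicKey{"flowmeter-017": pub}, LastSeen: map[string]uint64{}}
	sig := Sign(priv, "flowmeter-017", 1, []byte("flow=42.1")) // constructed reading
	fmt.Println(b.Verify("flowmeter-017", 1, []byte("flow=42.1"), sig)) // <nil>; sending it again yields ErrReplay
}
```

A message signed with a key that is not enrolled for the claimed device ID fails in the same way as a tampered payload, which is what lets the backend tell a genuine device from one merely claiming its identity.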
With cybercriminal methods and attack vectors evolving all the time, organisations must stay one step ahead to ensure a hidden IoT vulnerability doesn’t make them the next target. This is particularly true for those responsible for critical infrastructure, where any unplanned downtime can quickly cause mass upheaval or even loss of life.
The explosive growth of, and reliance on, IoT devices has made this job significantly harder. But over time, close collaboration between developers, vendors and the organisations that rely on such devices can help to close the door on many of these vulnerabilities for good.
Tim Bandos CISSP, CISA, CEH is CISO and VP Managed Security Services at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cyber-security world and has a wealth of practical knowledge gained from tracking and hunting advanced threats aimed at stealing highly sensitive data. The majority of his career was spent working at a Fortune 100 company where he built an Incident Response organisation, and he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.
Main image courtesy of iStockPhoto.com