Five Key Considerations When Developing a Security Strategy for IoT and OT

Author: John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, president of IP Architects LLC.
Date Published: 13 July 2022

The Internet of Things (IoT) and operational technologies (OT) significantly expand the threat and vulnerability landscape for organizations that choose to adopt them. The notion of “You are only as strong as your weakest link” took on a new meaning when IoT and OT devices and capabilities were introduced. IoT is typically focused on integrating networking into traditionally isolated technologies, while OT is primarily focused on network-enabled infrastructure and operations-oriented devices, technologies, and solutions.

When performing threat and vulnerability analyses, risk and security professionals now must treat IoT devices and items that were once considered out of scope or low risk (e.g., printers, door locks, heating, ventilation, and air conditioning [HVAC] systems, thermostats, digital video recorders, network-connected consumer appliances) as likely sources of attack and/or probable targets of attack. The traditional viewpoint that nation-state adversaries are the primary threat is quickly being dispelled, as the knowledge, methods, and practices used to effectively attack and compromise OT capabilities are now accessible to all classes of adversaries.

Every network-enabled endpoint is a potential entry point into an organization’s information infrastructure and needs to be carefully considered when developing security strategies. Security needs and expectations must be comprehensively and continuously addressed. Securing IoT and OT effectively challenges device manufacturers, end users, and risk and security professionals to think differently and progressively. The first step is for organizations that use these technologies to expand their security strategies and capabilities so that IoT and OT technologies are incorporated into their planning, maintenance, and monitoring on an ongoing basis. There are many risk and security considerations that organizations and individuals must take into account as IoT and OT solutions become less of a concept and more of a reality.

There are five key considerations for developing an integrated security strategy:

  1. IoT and OT asset discovery and network segmentation–IoT and OT devices are produced by numerous manufacturers on multiple open source and proprietary operating systems, and each has a different level of computing power, storage, and network throughput. Each IoT and OT endpoint must be identified and profiled, added to an asset inventory, and continuously monitored for its health and safety. Because of these factors, and the resulting likelihood that organizations and individuals will be unable to adequately monitor the devices or efficiently address their security, IoT and OT devices are likely to become advantageous attack points for adversaries. The emergence of IoT and OT brings an exponential increase in the number of devices that are attached to networks. When developing a security strategy, it is important to recognize that devices often require bidirectional network communication with both internal networks and the Internet to operate effectively.

    Whenever possible, devices should be segmented into separate virtual local area networks (VLANs) and have access control lists (ACLs) applied that limit their traffic paths to known sources, destinations, ports and protocols. They also should be supported by network firewall proxies that can perform deep packet security inspection (and, in the case of encrypted traffic streams, secure sockets layer [SSL] and transport layer security [TLS] deciphering) and intrusion detection as traffic passes between VLANs and network segments, including Internet access.
  2. Continuous IoT/OT threat monitoring–Threats and vulnerabilities associated with IoT and OT devices and systems should be monitored on a constant basis, which requires adjustments and tuning of traditional security monitoring tools and techniques. Because these solutions are relatively immature compared to other technologies, so are the methods, practices, and capabilities employed to monitor their security. IoT and OT devices often generate a limited amount of log and telemetry data, especially data that are security centric. Effective IoT and OT security monitoring starts with obtaining an understanding of what is expected and of the normal behaviors and telemetry that these devices should generate. Once baselines are established, margins of error and thresholds for action should be developed using a risk-based approach to limit the false positive rates generated by IoT and OT devices. Data points, metrics and telemetry data from the devices can then be added to security information and event management (SIEM) solutions to allow organizations to enhance their visibility into and security monitoring of their information infrastructure.

    Threat intelligence is also evolving for IoT and OT devices and solutions, and it should be monitored and integrated into an organization’s security threat and vulnerability monitoring capabilities. Some threat intelligence for IoT and OT devices can be found in traditional security intelligence feeds, but it often needs to be supported by direct monitoring of advisories and insights from their manufacturers. It is important for risk and security professionals to review all advisory data, including informational updates that manufacturers may believe are benign and without security implications and therefore do not categorize as security notices. Individually, this information may not be of obvious concern, but when viewed in the context of how solutions are deployed in an organization’s information infrastructure, these updates may reveal vulnerabilities that need to be evaluated and appropriately addressed.
  3. Data collection of IoT and OT devices–IoT and OT devices are likely to gather, store, process, and transmit a significant amount of nonpublic personal information (NPPI), personally identifiable information (PII), and, in the case of healthcare environments, personal health information (PHI), either intentionally or unintentionally. These data are vulnerable to exploitation and have the potential to be used by adversaries to gain intelligence about an individual or organization. Because it is not obvious what data these devices gather or interact with, it is important to have a full understanding and disclosure of how the device operates and the data with which it works. Only then can an appropriate information risk and security analysis be made.

    An example of such a situation can be found in the telemetry data of network-connected door locks. Users are often given individual access codes and provisions that produce unique data about user access activities and their movements within a secured facility. The same can be true in OT use cases in which electronic switches or mechanisms are enabled at scheduled periods or based on event thresholds. Movements can be correlated with other data points to build a profile of an individual’s movements and activities, which can be exploited as part of an attack strategy by an adversary.
  4. IoT and OT manufacturer risk and security–Enabling network connectivity for devices that traditionally did not incorporate IT into their function and design requires manufacturers to develop new capabilities, provide new support functions, and integrate security capabilities into their IoT and OT solutions. Manufacturers may not recognize the risk and security considerations, impacts and/or requirements that apply to them, which creates the opportunity for vulnerable devices to be produced. For example, numerous early generation network-connected door locks from traditional door lock manufacturers were found to be easily compromised and often missing basic security features such as complex passwords and encryption.

    It is important for risk and security professionals to develop methods, practices and criteria for evaluating IoT and OT devices prior to their introduction to an environment or connection to internal and external networks. A comprehensive threat and vulnerability analysis should be performed to identify the possible, probable and materially impacting threats. This analysis can be used to inform risk and security professionals and operators of the potential material threats and vulnerabilities within an IoT or OT device so they can be factored into a risk assessment prior to a device’s introduction and use.
  5. Patching, configuration management and maintenance–IT security hygiene is core to any successful risk and security strategy. Key elements of IT security hygiene include patching, configuration management and system maintenance. The introduction of IoT and OT devices has the potential to make this already daunting task exponentially more difficult for many organizations. It is essential that IoT and OT devices can be centrally managed, configured and maintained to ensure that effective and appropriate risk and security measures can be implemented and maintained. When considering IoT and OT solutions and devices, risk and security professionals need to consider how they will ensure that all devices are maintained and how responsive manufacturers will be in identifying and remediating vulnerabilities. They must also ensure that they understand their options for implementing compensating controls when manufacturer-produced fixes are not readily available or cannot be easily introduced.
Conclusion

IoT and OT technologies, solutions and capabilities are quickly becoming part of the fabric of the information infrastructure of organizations. They represent an evolving threat vector that is quickly creating new classes and types of threats and vulnerabilities that greatly expand the surface of concern for organizations that use them. These threats and vulnerabilities need to be analyzed and integrated into an organization’s information risk management and security strategies and planning to effectively meet their information risk and security requirements, goals and objectives.
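As an added example (not from the article or its author) of how considerations 1 and 2 above fit together, the script below checks constructed flow records against a per-device asset inventory: each profiled device carries the ACL-style allow-list from its segment and a traffic baseline with a risk-based margin, and findings are produced in a shape a SIEM could ingest. All device names, addresses, ports and byte counts are constructed sample data.

```python
"""Allow-list and baseline checks for IoT/OT flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DeviceProfile:
    """What a profiled IoT/OT endpoint is expected to do on the network."""
    name: str
    vlan: int
    allowed: set           # (dst_ip, dst_port, proto) tuples the segment ACL permits
    baseline_bytes: int    # bytes per interval observed while baselining
    margin: float = 0.5    # risk-based tolerance: +/-50% before a volume alert fires


# Constructed inventory: two profiled devices on a segmented VLAN (sample data).
INVENTORY = {
    "10.20.0.11": DeviceProfile("hvac-ctrl-01", 20,
                                {("10.20.0.1", 123, "udp"), ("203.0.113.7", 443, "tcp")}, 4000),
    "10.20.0.12": DeviceProfile("door-lock-03", 20,
                                {("10.20.0.1", 123, "udp"), ("10.1.5.20", 8883, "tcp")}, 800),
}

# Constructed flow records for one interval: (src_ip, dst_ip, dst_port, proto, bytes).
FLOWS = [
    ("10.20.0.11", "203.0.113.7", 443, "tcp", 3900),
    ("10.20.0.12", "10.1.5.20", 8883, "tcp", 700),
    ("10.20.0.12", "198.51.100.9", 23, "tcp", 120),   # destination outside the allow-list
    ("10.20.0.11", "203.0.113.7", 443, "tcp", 9000),  # permitted path, but far above baseline
    ("10.20.0.13", "10.1.5.20", 8883, "tcp", 50),     # source not in the asset inventory
]


def evaluate_flows(flows, inventory):
    """Return SIEM-ready findings: unknown devices, ACL violations, volume anomalies."""
    findings, volume = [], defaultdict(int)
    for src, dst, port, proto, nbytes in flows:
        prof = inventory.get(src)
        if prof is None:  # consideration 1: every endpoint must be discovered and profiled
            findings.append({"severity": "high", "type": "unknown_device", "src": src})
            continue
        volume[src] += nbytes
        if (dst, port, proto) not in prof.allowed:  # consideration 1: segment ACL policy
            findings.append({"severity": "high", "type": "acl_violation",
                             "device": prof.name, "dst": f"{dst}:{port}/{proto}"})
    for src, total in volume.items():  # consideration 2: baseline plus risk-based margin
        prof = inventory[src]
        if abs(total - prof.baseline_bytes) > prof.margin * prof.baseline_bytes:
            findings.append({"severity": "medium", "type": "volume_anomaly", "device": prof.name,
                             "observed": total, "baseline": prof.baseline_bytes})
    return findings
```

Running `evaluate_flows(FLOWS, INVENTORY)` yields one ACL violation, one unknown device and one volume anomaly; the door lock's total of 820 bytes stays inside its 50% margin and is not reported.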
