Friday’s distributed denial-of-service attack on domain name service provider Dyn may have seemed like the end of the world for millions of Netflix, Twitter and Spotify users, but security professionals say the service disruption was merely a nuisance attack – although an eye opening one – compared to the potential damage that can be unleashed by billions of unsecure IoT devices.
“It’s really just the tip of the iceberg,” says Nicholas Evans, vice president and general manager within the Office of the CTO at Unisys, where he leads its worldwide applied innovation program. “You can grade the threat intensity as the IoT devices become more autonomous, like self-driving cars, or more controllable, like some of factory-type devices that actually manipulate the physical environment. That’s where the real threat is.”
Some 20.8 billion things could be connected to the internet by 2020, according to research firm Gartner. That’s about 5.5 million devices added every day, fueled by more affordable and ubiquitous sensors, processing power and bandwidth. Also by 2020, more than half of major new business processes and systems will incorporate some element of the IoT, according to Gartner.
[ ALSO ON CSO: How to approach keeping your IoT devices safe ]
Friday’s attack brought glaring attention to the potential danger of having billions of devices connected to the internet with little or no cybersecurity protections. The DDoS attack used malware called Mirai to infect tens of millions of internet-connected devices found in businesses and homes to disrupt service at many popular sites.
Gigamon security consultant Justin Harvey
Gigamon security consultant Justin Harvey blames the device manufacturers for the Dyn DDoS attack, but he also acknowledges that most ISPs could do a better job with security.
“I’m critical of the IoT vendors who are rushing their products out there, because there is an IoT gold rush,” Harvey says. Cheap IoT devices have become even easier to produce as hardware manufacturers develop inexpensive devices that run Linux and can perform many home monitoring functions such as controlling a thermostat. Those vendors “are focused more on rushing to market and not with security. [As a result] they’re shipping an insecure product with absolutely no oversight or consequences if and when it goes bad. Their view is that it’s up to the customer to secure those machines or change passwords.”
Indeed, one of the main problems compounding the situation is that security is often an afterthought, usually bolted onto solutions once issues arise, Evans says. IT security experts and IT managers have been calling for security to be built into device designs for decades, just as they had in the past for a long line of technology innovations ranging from the Web, to mobility and cloud computing, and now IoT.
Some security pros believe that Congress should get involved to develop regulations and oversight over device manufacturing. “If something happens, and your device is being used by a nation state, whether part of a million devices or just one, are you liable? Is Your ISP liable? Your manufacturer? Congress needs to put out regulations and guidelines for these manufacturers,” Harvey says.
On the ISP side, Harvey takes issue with today’s DNS architecture. “I don’t understand why ISPs and other organizations that provide internet access are not putting in a more geographically diverse DNS system,” he says, adding that he is not familiar with Dyn’s specific architecture. “DNS by nature is supposed to be fault tolerant” with two IP addresses assigned to a single device, for instance, but oftentimes both IP addresses are reconciled to the same data center, he says. With today’s DDoS threats, “Why do we have an architecture where you can target one ISP and take down half of the internet for the U.S.?”
For enterprises using IoT solutions, the security puzzle is complex. Any one IoT solution that an enterprise plugs in could involve 10 or more partners in the ecosystem, including the application layer, devices, gateways, communication and analytics pieces, Evans says. “Any weak link in the chain is where the cybercriminals can get in” and manipulate devices, he adds.
Even the public sector is taking notice. While most government agencies don’t use commercial IoT devices inside their own walls, the government workforce has established telework programs, and workers are going through their home broadband connections, says Sadiyg Karim, vice president of cybersecurity and CTO at NSSPlus, a network security systems provider that works with the Department of Defense and other government agencies.
“The DoD and federal government have instituted more standards and guidelines over what people should use from home, even if they’re going over VPN,” including changing default passwords, Karim says. Still, he thinks about the demographics of internet users today who are not IT professionals and are expected to carry out these security steps. “The capability is there for individuals to do it on their own, but the learning curve is very steep. It’s still pretty cryptic out there,” he says.
A security framework
Recent IoT device hijackings have targeted commercial devices rather than industrial devices, and the Industrial Internet Consortium wants to keep it that way. In September the group, made up of some of the biggest players in the IoT ecosphere, rolled out its Industrial Internet Security Framework, a set of best practices to help developers and users assess risks and defend against them.
The framework also lays out a systematic way for implementing security in IoT and provides a common language for talking about it. Consortium participants say the long-term goal is to make security an integral part of every IoT system and implementation.
“There has always been an acknowledgment that this is critical. It was just a question of what do we actually do about it,” says Sven Schrecker, chief architect for IoT security solutions at Intel, and co-chair of the IIC security working group. “In [the framework], we explain what to do about it at a number of levels.”
The IIC believes that original owners of industrial equipment shouldn't be responsible for implementing security, but rather the systems integrator, “who can lean on the device builders, components builders, chip builders and software vendors” to include security. “When all of that flows from the bottom up, it is much more manageable security solution.” Since its release, the new framework has received “tremendous response,” he adds.
Some IoT device providers think security is a shared responsibility. “Manufacturers of IoT devices need to focus on cyber secure design, development and deployment,” says Jason Rosselot, director of global product security at Johnson Controls, which has provided internet-connected building controls, security and fire technologies for more than a decade. Equally important, Rosselot says, is that “consumers of IoT devices must prioritize security in those devices,” including deploying updates and patches as soon as they become available and changing passwords from factory defaults to complex passwords.
How can companies protect themselves?
Organizations need to assess what internet-connected device they currently have, their vulnerabilities, and how they will address them, Evans says. Gartner classifies IoT devices into four categories. Passive, identifiable things like RFID tags have a low threat risk. Sensors that communicate information about themselves, like pressure sensors, have a moderate threat risk. Devices that can be remotely controlled and manipulated, such as HVAC systems and self-driving cars, hold the highest risk for sensitive data loss, malware and sabotage.
At the most basic level, default user names and IP addresses should be changed. Prevention measures could also include micro-segmentation of devices to limit the damage caused by a breach or at least control or restrict the movement of cyber criminals who get inside. Enterprises could also opt for a “cognitive firewall,” which places security controls into the cloud instead of on the device, and uses artificial intelligence to determine if a requested action on a device is appropriate or not, such as “turn on the microwave for 100 minutes,” Evans says.
While the Dyn DDoS attack may be an opening salvo for future attacks, it may also mark the beginning of industry mobilization to introduce standards to IoT devices, Schrecker says. “Two years ago, I would’ve said it would be fruitless to pursue a standard for IoT security, but we’re seeing a collaborative effort now to solve this problem once and for all, so there may be a silver lining here.”