How to bring security to edge computing
When you think about IoT security, the risk of a massive distributed denial-of-service attack might be the first threat that comes to mind. But for industrial companies and other enterprises, there are bigger concerns.
The Internet of Things poses unique security challenges because it puts data, computing power, communications, and potentially insecure sensors and other devices in complex or fluid environments like manufacturing plants, smart cities, and enterprises where traditional notions of security don't always apply. Unfortunately, edge protections like firewalls and antimalware software do not provide the visibility or security needed in this new computing world.
What’s at stake
How concerned are IT professionals about IoT security, and what are they doing about it? A recent report by security company Pwnie Express is an eye-opener on both fronts. The report’s findings are based on interviews with more than 800 security professionals and data from the company’s sensors, which monitor wired, wireless, IoT, and personal device data.
According to the report, IT pros are more aware than ever of security risks surrounding the IoT: 44 percent of respondents said insecure IoT devices are more of a concern than traditional network security, up 16 percent from last year. Yet despite increased awareness, many organizations neglect even basic IoT security precautions. The report found:
- 66 percent of respondents haven’t checked or don’t know how to check their company’s IoT devices for Mirai malware.
- 66 percent of respondents don’t know or aren’t sure how many connected devices employees bring into work.
- Only 23 percent of respondents monitoring connected devices brought into their business said they have checked the devices for malware in the past year.
In a separate study from Aruba, a Hewlett Packard Enterprise company, 84 percent of 3,100 line-of-business and IT pros said their companies have experienced an IoT-related breach. Over half said external attacks are the greatest IoT threat. The two most common breaches are malware, cited by 49 percent, and spyware, at 38 percent.
It’s a precarious situation given that the IoT is becoming an integral part of every enterprise. More than half of all major new business systems and processes will have some element of the IoT in them by 2020, according to Gartner. By that year, IoT security measures will consume 20 percent of the average enterprise’s security budget, up from less than 1 percent in 2015.
To put that into perspective further, the sheer number of IoT devices is exploding in the enterprise, making companies more vulnerable to attacks. Gartner estimates that enterprises will have 3.1 billion IoT devices in use by the end of 2017. That number will grow to 7.5 billion by 2020, the company projects. And when consumer devices are included, those numbers increase to 8.4 billion by 2017 and 20.4 billion by 2020.
IoT security challenges
Much of the risk is due to the nature of the IoT and IoT devices, notes Cheryl Soderstrom, Americas cybersecurity chief technologist at HPE.
“Many IoT devices are designed with what [the Open Web Application Security Project] calls ‘implicit trust’—designed to trust without verifying the credibility of connected sources,” she says. “If all these devices natively trust each other and then share data, how can we know when a device is lying? And if we can’t know when a device is lying, what does that mean for security?”
Another issue is that IT has traditionally secured devices inside a perimeter and used technologies such as firewalls to keep out threats and malware scanning to protect devices. But the nature of IoT is that there is no perimeter. Many devices are situated at the network’s edge, and IT is learning to adjust to the change.
“With IoT, we’ve got a proliferation of new, small devices that really weren’t the responsibility of IT in the past, and IT is still coming to terms with that,” says Sven Schrecker, co-chair of the security working group of the Industrial Internet Consortium and chief architect, IoT security solutions, for Intel. “Making things more difficult is that there are many more devices that are becoming smart. With that smartness comes connectivity. And with that connectivity you get increased exposure to threats. It’s like in the early days of PCs when suddenly they gained Internet connectivity, and at first no one recognized the threat that it posed and how to secure against it. We’re going through the same thing now with IoT devices.”
Such devices can also be, by their very nature, insecure because manufacturers have other priorities. “Many IoT devices are insecure by design because of the pressure to be first to get a product to market,” says Malek Ben Salem, R&D senior manager at Accenture. “Companies want to innovate and get their products out fast. They don’t spend the time and money required to make them secure.”
The bring your own device (BYOD) ethos that has taken hold in many enterprises adds another complication as an overwhelming array of “things” become Internet-connected. To underscore how challenging it can be to lock down rogue devices, Aruba discovered that an e-cigarette with malicious code was connected to a customer USB port and sending sensitive corporate information to a foreign country. Even something as innocuous as a doll can theoretically be weaponized in this way. Germany, for example, banned a doll called My Friend Cayla as an espionage device because the doll transmits everything it hears to a U.S.-based voice recognition company that also has intelligence agencies as customers.
Beyond these kinds of devices, Schrecker notes that the Industrial IoT (IIoT), composed of sensors and devices used in factories and the manufacturing process, has its own set of unique issues.
“With IIoT, you have many very old devices with outdated protocols mixed in with newer devices. You’ve got a mix of vendors, and they’re all doing different things for security. One device might be quite secure, while a device next to it has no security at all. It’s a very complex environment for managing security,” says Schrecker.
But no matter the precise mix, the intelligent edge exposes data, devices, and communications to threats in ways not previously possible.
“There is a drive to keep the costs of these IoT sensors and devices down, which limits their computing power,” says Paul Paget, CEO of Pwnie Express. The issue is that low-cost IoT devices often lack the capacity to run antimalware or other security software, making it more difficult to keep them secure. “You are talking about a much larger threat surface that is unmonitored, which introduces the same risk to a company as we’ve seen from traditional endpoints,” Paget adds. “This exposes a company to loss of data and confidential information, IP theft, and even ransomware attacks.”
That may sound extreme, but Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT.
IoT data protection
Is it possible for a company to protect itself against IoT security risks? Yes, but it requires a great deal of work, planning, and vigilance.
“The intelligent edge is where people, places, and things converge, and where rights converge as well. So not everything should be permissible there,” says Soderstrom. “This convergence must be controlled by security policies and architectures.”
Start by examining the devices your company uses. “Not every vendor needs to be in your ecosystem, because not every vendor has good security practices,” adds Soderstrom. “You also need to vet every device’s security and decide what you will allow those devices to do. It gets down to very basic questions: What is this device allowed to do inside my cyberspace, and how is it allowed to do it? Based on that you determine what kinds of rights and privileges to give them.”
IT must also work closely with operational technology (OT) on security issues. Traditionally, OT is in charge of the control and automation technologies that support a company’s operations, especially in manufacturing, separate from IT. But given the risks, IT and OT must cooperate and come up with a unified approach to security. In many cases, IT and OT will merge, making that job easier.
Specialized hardware and software can go a long way toward unifying IT and OT security, and protecting devices traditionally overseen by OT, says Vinay Anand, vice president and general manager for ClearPass Security at HPE Aruba. A server placed at the edge of the IT network can include ports that both IT and OT devices can plug into. Software can then be run to monitor both OT and IT devices. In addition, he notes, highly specialized firewalls, designed specifically for OT hardware and protocols, can be deployed to protect OT devices.
Soderstrom also recommends applying a variety of traditional IT security techniques to IoT and the intelligent edge. “Take highly sensitive parts of your operation and segment them off onto a network with higher security controls. Apply rigorous identity management to devices and workflows, as well as people,” she says. “Encrypt, encrypt, encrypt.”
It’s important to build security and privacy directly into a company’s network at all levels, including sensors, devices, firmware, applications, and data. Soderstrom calls it the IoT version of “defense in depth, starting with device discovery.” And IoT defense must be aggressive, not passive. She recommends using analytics to continually monitor network operations to scan for dangerous changes. She also believes companies must look beyond only their own security needs and work with others to develop IoT security standards.
“Industry needs to participate in developing the open standards that this kind of environment desperately needs,” she says. “We probably need to develop a security schema for each industry. In the meantime, put security where you can, in and around those IoT devices, gateways, and communications channels.”
IoT security standards
The effort to develop security standards for IoT is already underway, notably for the IIoT. The Industrial Internet Consortium has published a security framework for IIoT, which Schrecker helped develop. Beyond that framework, he advises companies to do constant monitoring and checking for possible security-related anomalies, especially at the edge.
“For example, if you see a video camera doing an HTTP request through an external website, ask yourself, is that something that should be happening? Most likely not, so go ahead and block that,” says Schrecker.
When it comes to IIoT, he recommends having different security plans for new equipment (generically called greenfield) and existing equipment (brownfield). New equipment, he says, will likely have some kind of security built into it, and companies should take the effort to search out the most secure ones. Brownfield equipment likely has no security or poor security, so he recommends putting that gear behind gateways that will authenticate and authorize any traffic going in and out.
“Manufacturers need to make sure security is built in from the beginning, from encryption through authentication,” adds Paget.
Locate and monitor IoT devices
Every expert contacted recommended identifying the devices on a network and performing continuous monitoring of them and all network traffic at the edge as well as inside. “Organizations need to fully understand what IoT devices are in their environment, what information they are gathering and sharing, and what vulnerabilities and risk they pose to the environment. Asset discovery must take into account on-network and off-network, wired and wireless devices, and must be a continuous, always-on process that covers the entire organization,” says Paget.
Companies also should search for Wi-Fi hot spots that don’t connect to the corporate networks, including hot spots employees might have set up on their own.
A number of companies have comprehensive systems for scanning networks and identifying mobile and wireless devices and threats. Aruba’s Anand recommends using one that doesn’t just identify devices, but also monitors them and automatically creates a model of their behavior, making it easy to determine if they ever go rogue.
Finding all of an enterprise’s IoT devices isn’t enough—it’s the starting point, not the ending point. Next, IT must understand the function and normal behavior of every device, and automatically monitor them. Policies that determine what each device can and cannot do must be created and enforced. What happens when a device violates the policy—is it kicked off the network or put into a quarantine zone? Also important is tracking where the data gathered by the devices is stored, and securing it, whether it be at the network edge or deeper inside the network.
With more devices comes more exposure. Soderstrom notes that more control over devices, better analytics, and improved security ecosystems will go a long way toward protecting them. But ultimately, she says, IoT security “is a human challenge as much as a technical challenge.” That means changing the culture that tolerates IoT insecurity, and constantly analyzing threats and attack vectors to protect against them. Only then can businesses benefit from the IoT’s full potential.
IoT security checklist
Enterprise security in the IoT world is a daunting task. Here’s advice on what to do first.
Know what’s on your network. Step one in IoT security is device discovery—finding every IoT device possible on your network. If you don’t know if something exists, you can’t protect against it. “From a security perspective, companies don’t even know what’s on their networks anymore. Just understanding what’s on a network and what they do is probably the most important thing a company can do,” says Vinay Anand, vice president and general manager for ClearPass Security at HPE Aruba. There are plenty of tools that automate this to make the task easier.
Create profiles of every device. Just knowing what’s on your network isn’t enough. You must also understand each device’s normal behavior and create a profile. That should include information such as the device’s purpose, the ports it uses, the kind of traffic it sends and receives, normal traffic destinations, and so on. The profile for a Linux-based camera, for example, would include what port it opens and where it sends its data, among other things. You don’t need to waste time checking manufacturers’ manuals. Choose a tool that monitors device behavior and automatically creates a profile based on that information.
Create and enforce device policies. Once you have profiles for every device on the network, you need to create and enforce device policies. Policies include information such as what ports each device can really use, what happens when a device sends information to something outside of its profile, and who can log in to these devices. Once policies are in place, you must monitor the devices and enforce an action when a policy is violated. Actions may include initiating a trouble ticket, putting the device in a quarantine zone where it and its software can be examined, or kicking it off the network. This can be done using a category of software called network access control (NAC).
Change default passwords. Many IoT devices come with default passwords that are either easy to guess or well known to hackers. Change the default passwords of every device on the network, using your company’s rules for creating secure passwords.
Bridge IT and OT. Operational technology (OT) departments are traditionally in charge of a company’s control and automation technologies, particularly in manufacturing. OT oversees many types of IoT devices, including sensors, factory-floor devices, and more. Many of these devices are older or use different protocols than IT is used to handling and don’t run on an IP network. IT and OT must work to put together a unified IoT security strategy. Part of that is using a server or device at the edge of IT’s network that connects to both IT and OT devices. Using specialized software, the entire combined network can then be monitored.
Know where data is stored. Tremendous amounts of data are created and stored, and it’s easy to lose track of where it goes. Carefully track your data and make sure it’s secure.
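The "create profiles" and "create and enforce device policies" items above, sketched as an added example (not from the article or from any vendor's NAC product): each observed flow is compared with the device's profile, and a violation maps to one of the three actions the checklist names. The MAC addresses, IP ranges, ports and field names are constructed, and sending unknown devices to quarantine is an assumption of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Profile:
    purpose: str
    ports: set                        # destination ports the device normally uses
    destinations: list                # CIDR ranges it normally talks to
    on_violation: str = "quarantine"  # "ticket", "quarantine" or "disconnect"

# Constructed profiles keyed by device MAC (hypothetical inventory).
PROFILES = {
    "00:11:22:aa:bb:01": Profile("ip-camera", {554, 8554}, ["10.20.0.0/24"]),
    "00:11:22:aa:bb:02": Profile("hvac-sensor", {8883}, ["10.30.5.10/32"], "ticket"),
}

# Constructed flow records: (source MAC, destination IP, destination port).
FLOWS = [
    ("00:11:22:aa:bb:01", "10.20.0.15", 554),    # camera to recorder, in profile
    ("00:11:22:aa:bb:01", "203.0.113.80", 80),   # camera making an external HTTP request
    ("00:11:22:aa:bb:02", "10.30.5.10", 8883),   # sensor to broker, in profile
    ("00:11:22:aa:bb:02", "10.30.5.10", 23),     # sensor using a port outside its profile
    ("00:11:22:aa:bb:99", "10.20.0.15", 443),    # device missing from the inventory
]

RANK = {"allow": 0, "ticket": 1, "quarantine": 2, "disconnect": 3}

def check_flow(mac, dst_ip, dst_port, profiles=PROFILES):
    """Return (action, reasons); action is 'allow' when the flow fits the profile."""
    profile = profiles.get(mac)
    if profile is None:
        # Assumption: a device that discovery never profiled is isolated for review.
        return "quarantine", ["unknown device"]
    reasons = []
    if dst_port not in profile.ports:
        reasons.append(f"port {dst_port} not in profile")
    addr = ip_address(dst_ip)
    if not any(addr in ip_network(net) for net in profile.destinations):
        reasons.append(f"destination {dst_ip} not in profile")
    return (profile.on_violation if reasons else "allow"), reasons

def evaluate(flows, profiles=PROFILES):
    """Return the strictest action triggered per device across all its flows."""
    result = {}
    for mac, dst_ip, dst_port in flows:
        action, _ = check_flow(mac, dst_ip, dst_port, profiles)
        if RANK[action] >= RANK[result.get(mac, "allow")]:
            result[mac] = action
    return result

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", check_flow(*flow))
    print(evaluate(FLOWS))
```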