The ZDNet article The first big Internet of Things security breach is just around the corner just smells like unnecessary security fear mongering to me. Fear mongering is, according to Google definitions, “the action of deliberately arousing public fear or alarm about a particular issue.” I used the term “unnecessary” because organizations should already be prepared for rogue and unmanaged devices in their networks.
While reading this article, several things popped into my mind:
- Of course another large-scale security breach is coming.
- Of course a future security breach is going to involve some type of device that can be considered an “Internet-of-Things” (IoT) device.
- It is more than likely, dare I say statistically probable without doing the math, that a large-scale security breach is going to start with an IoT device.
I would argue that a large-scale security breach involving embedded devices, much like IoT devices, has already occurred. The attack on the Ukrainian power grid is an excellent example. The SANS report Analysis of the Cyber Attack on the Ukrainian Power Grid outlines a combination of phishing, malware, firmware updates to network bridges (embedded devices), and Industrial Control System (ICS) protocols used to facilitate a complex and well-coordinated attack. The only thing missing here is the teapot and refrigerator mentioned by the ZDNet article’s author. But the use of embedded devices and unusual protocols to facilitate and extend a successful attack on a large organization matches the criteria for a large-scale security breach. The outcome, in this case, was kinetic rather than specifically associated with the sensitive information of individuals.
Security architecture is not overly threatened by individual systems and devices (IoT devices if you wish). Saying it is is akin to saying that if the 1986 New England Patriots had stopped William “The Refrigerator” Perry they would have won Super Bowl XX. The Patriots could not control any of the other aspects of the Chicago Bears’ offense and defense and therefore lost miserably. Organizations that do not prepare for normal security architecture issues are obviously going to have issues with IoT devices, because they already have issues with anything on their networks. Additionally, the adversary is going to do everything in their power to leverage anything to their advantage, IoT device or not. Singling specific things out is not helpful when the environment as a whole should be taken into consideration.
Here are some things I believe are important to consider when talking about the security of IoT devices that are not mentioned in this article. For these points, let’s consider large and medium-scale organizations, which will generally have more support for up-to-date architectures and personnel. They are also more than likely the organizations that will generate what we all consider, without specifically defining it, a “large-scale” security breach.
- Organizations are not home networks and therefore the risks of IoT devices are completely different.
- Organizations should have wired and wireless border control architectures which limit, prevent, and alert on unauthorized and even unusual activity from any internal system, not just IoT devices.
- Organizations should have wired and wireless network logging and monitoring to detect and address the activities involved with attackers pivoting from any internal system, not just IoT devices.
- Organizations should have authentication and authorization mechanisms that prevent and alert on malicious activity from authorized and unauthorized systems and devices, not just IoT devices.
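As an added illustration of the logging-and-monitoring point above (this is example code written for this post, not something the author or SANS provides), the script below learns which destinations each internal device normally talks to from a baseline window of connection logs, then flags any connection that falls outside that baseline. A device that only ever spoke to its vendor cloud service and the local DNS resolver suddenly opening SMB and RDP sessions to several internal hosts is exactly the “attacker pivoting from an internal system” pattern the bullet describes. The log lines, the `10.20.0.0/16` internal range, the four-field log format, and the pivot threshold are all constructed assumptions for the example.

```python
"""Baseline-and-deviation detection over per-device connection logs.

Example code for illustration; the log format (timestamp src dst dport),
the internal address range and the threshold are assumptions, and every
log line below is constructed sample data, not a real capture.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.20.0.0/16")  # assumed internal address range
LATERAL_THRESHOLD = 3  # distinct new internal peers before calling it a possible pivot

# Constructed "learning window": two IoT-style devices that only talk to a
# vendor cloud endpoint (203.0.113.10:443) and the local resolver (10.20.0.2:53).
BASELINE_LOG = """\
2016-01-10T08:00:01 10.20.5.41 203.0.113.10 443
2016-01-10T08:05:01 10.20.5.41 203.0.113.10 443
2016-01-10T08:10:01 10.20.5.41 10.20.0.2 53
2016-01-10T08:00:03 10.20.5.42 203.0.113.10 443
2016-01-10T08:00:05 10.20.5.42 10.20.0.2 53
"""

# Constructed "live" window: 10.20.5.41 starts reaching internal hosts over
# SMB (445) and RDP (3389), and a never-before-seen device appears.
LIVE_LOG = """\
2016-01-12T02:13:07 10.20.5.41 203.0.113.10 443
2016-01-12T02:14:11 10.20.5.41 10.20.7.15 445
2016-01-12T02:14:12 10.20.5.41 10.20.7.16 445
2016-01-12T02:14:13 10.20.5.41 10.20.7.17 3389
2016-01-12T02:20:00 10.20.5.42 10.20.0.2 53
2016-01-12T02:21:30 10.20.5.99 10.20.7.15 445
"""


def parse_log(text):
    """Turn whitespace-separated 'ts src dst dport' lines into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return records


def build_baseline(records):
    """Map each source address to the set of (dst, dport) pairs it used."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["src"]].add((r["dst"], r["dport"]))
    return dict(baseline)


def detect(baseline, records, internal_net=INTERNAL_NET):
    """Return one alert per connection not covered by the baseline.

    Reasons: 'unknown-source' (device never seen while learning),
    'new-internal-destination' (known device reaching a new internal host/port),
    'new-external-destination' (known device reaching a new external host/port).
    """
    alerts = []
    for r in records:
        if r["src"] not in baseline:
            reason = "unknown-source"
        elif (r["dst"], r["dport"]) in baseline[r["src"]]:
            continue  # normal for this device
        elif ip_address(r["dst"]) in internal_net:
            reason = "new-internal-destination"
        else:
            reason = "new-external-destination"
        alerts.append({**r, "reason": reason})
    return alerts


def pivot_candidates(alerts, threshold=LATERAL_THRESHOLD):
    """Known devices that reached >= threshold new internal hosts: likely pivoting."""
    peers = defaultdict(set)
    for a in alerts:
        if a["reason"] == "new-internal-destination":
            peers[a["src"]].add(a["dst"])
    return {src: sorted(p) for src, p in peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    alerts = detect(baseline, parse_log(LIVE_LOG))
    for a in alerts:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} [{a['reason']}]")
    for src, hosts in pivot_candidates(alerts).items():
        print(f"possible pivot from {src}: {len(hosts)} new internal peers {hosts}")
```

Note what the baseline approach buys a defender here: the thermostat, badge reader or teapot never has to be identified as an “IoT device” at all. Any system whose traffic drifts away from what it did during the learning window raises the same alert, which is the point of the bullets above. In practice the baseline would come from flow records or firewall logs rather than an embedded string, and the learning window needs to be long enough to cover legitimate periodic behaviour such as firmware-update checks.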
The ZDNet article would be less fear mongering if it had pointed out methods that organizations can use to protect themselves from rogue and authorized IoT devices. At the risk of tooting Robert M. Lee’s horn too much in one diatribe, the SANS resource The Sliding Scale of Security provides a good outline of how organizations can approach implementing a solid security posture. This advice begins with the implementation of a secure architecture. It is this basic, and least costly, effort that will help organizations, of all sizes, begin to protect themselves from rogue and authorized IoT devices.
In summary, YES, there WILL be a large-scale security event that is initiated through IoT devices. Stating it over and over may help CEOs, CIOs, and investors start asking critical questions about these devices. However, a mature article addressing this subject should provide guidance about the approach security professionals, managers, and executives should investigate to address the issue. That is the direction and instruction they need to protect their organization, not statements akin to “the sky is falling.”
Go forth and do good things,
Don C. Weber (cutaway)