The IoT Security Problem in 2020: Taking a Deeper Look

Risk assessments, iot security

In 2017, an unnamed casino found that its data servers had been compromised and called in a security firm to help find the culprit. Shortly afterwards, the surprising results of the investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium.

Today’s organizations have a lot more to worry about than the old fish tank trick: this year, experts estimate that the number of devices connected to the Internet will reach 30.1 billion, a record that will continue to climb for years to come. Connected refrigerators, printers, TVs and smart meters will provide points of entry for hackers with increasing frequency.

In the past, we’ve written about the security problems plaguing the current generation of IoT devices: just two years ago, researchers at the Black Hat and DEF CON security conferences showed how bad the problem is by hacking dozens of devices in unique and novel ways. This raises the question: how did we get here? Why is IoT so difficult to secure, and what can organizations do about it?

Why IoT is A Supply-Side Problem

To explain the IoT security problem, we have told ourselves a plausible story sometimes repeated on our website: IoT is an inherent security risk, because increasing the number of Internet-connected devices in an organization also expands the attack surface available to malicious actors. But – while there is truth to this story – it does not explain the sheer number of easily prevented security issues in business grade IoT. According to the Ponemon Institute, 51% of organizations acquire IoT products through a third party; meanwhile, 48% of organizations have been subject to at least one IoT attack, and that number is rising. As we will see, these two facts are not unrelated.

Manufacturing in the 21st Century

The way technical products are developed today – especially technology-based products – has shifted from pure in-house engineering to a model based on component integration. Rather than design a new TCP/IP network interface for your product, for instance, it is quicker and cheaper to integrate one already produced by a third-party vendor. On the positive side, your product reaches the marketplace sooner, or in manufacturing speak, with “reduced time to market”. On the negative side, the same component – a radio module, a system-on-chip, a vendor SDK or an embedded web server – may end up in hundreds of products from a variety of manufacturers, and if it has a security flaw, every one of those products inherits it at the same time. The current state of IoT bears this out.

What This Means for Security

With a lack of industry regulations that encourage high security standards for IoT products, the incentive for vendors to make a quick profit by cutting corners can drive sloppy development, a lack of vulnerability testing and quality control issues galore. The IoT market is in its “wild west” phase, as the PC market was three decades ago, and organizations must be wary who they work with. The following tactics are some of the most common ways we find IoT vendors punting the responsibility for secure design from themselves to their customers:

  1. Quick Turnaround

The term “Internet of Things” has been around since the 1990s, and the basic premise has never changed: it promises to automate basic tasks, from turning on the lights in your home to adjusting the window shades in a conference room based on the level of ambient sunlight to measuring the temperature gradient over a pipeline in a refinery. At its most basic, IoT is simply the implementation of connected technology to solve a problem. But in order to drive IoT adoption, products must have a reasonable price-point. Consumers won’t pay excessive amounts of money to automate tasks they can easily do by themselves. Manufacturing costs have to be kept low enough that the final products will sell, and this is why manufacturers generally choose to integrate cheap and readily available components.

  2. No Vulnerability Testing

Vendors are not immune to the lack of security awareness which impacts their customers. While it may be in their best, long-term interest to offer products with a high bar for security, it’s all-too-easy for vendors to skip a comprehensive vulnerability testing phase, opting instead to run down a checklist of features, if even that. Many companies lack the capabilities to test their products for security issues in the first place, and without regulations forcing them to do so, they simply won’t bother.

  3. Convenience at the Cost of Risk

When it comes to ease of access, what benefits IoT customers also benefits hackers. For the sake of convenience, vendors make design choices that exacerbate the vulnerability of their products: web interfaces, for instance, are the biggest target of IoT attacks, and even devices behind a network address translation (NAT) firewall can be compromised when an attacker reaches them from a browser that is already inside the network, for example through DNS rebinding or cross-site request forgery. Likewise, the omission of two-factor authentication (2FA) and of forced credential changes on first login is a decision that favors convenience over security, when both features could thwart a huge number of IoT attacks. Rather than go to the trouble of building a dedicated customer support channel, vendors have even been known to add easily exploitable backdoors, such as hard-coded maintenance accounts, into a device’s firmware.

  4. Poor Firmware

Speaking of backdoors in IoT firmware, the design of firmware is a major contributing factor to IoT security issues: few vendors will dedicate the time it takes to work out all the kinks before release, and debugging facilities used during development – serial consoles, telnet services, verbose logging – are often left in the shipped image, allowing attackers to dump a huge amount of useful information. Lack of testing may leave firmware vulnerable to memory-corruption bugs such as buffer overflows, and the open-source components that many firmware images are built from (a kernel, BusyBox, a web server, a TLS library) are frequently years out of date, so their publicly documented vulnerabilities are exposed to anyone who reads the version string. The best vendors update their firmware on a regular basis to patch newly discovered vulnerabilities, but this is a rarity.

  5. API Flaws and External Threats

From the outside, IoT integration with third-party apps through an application programming interface (API) seems like a great idea, but API flaws left by vendors open the doorway to attacks from malicious code hidden within seemingly innocuous applications. Researchers have also proven the possibility of DNS rebinding attacks on IoT: a malicious website, infected link, advertisement or redirect can turn the victim’s own browser into a bridge to devices on the local network. In the future, organizations may have to worry that their network will be infected every time their employees browse the Internet.

How to Avoid Bad Vendors

The IoT security gap remains one of the greatest threats to security across federal agencies. In response, legislators have discussed the idea of enforcing IoT regulations for some time, and NIST has produced NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, first released as a draft set of recommendations for manufacturers. But until regulation arrives, irresponsible IoT vendors will persist, and organizations must practice due diligence to protect themselves. Here’s how to do that:

  1. Take inventory of the IoT products throughout your organization, alongside any devices connected to the Internet (organizations should be keeping inventory of all their IT assets as part of a comprehensive security strategy).
  2. Conduct a vulnerability assessment to discover the devices that constitute a real threat to your organization, and remediate the issue. This will also give you an idea which vendors to avoid moving forward.
  3. Be careful who you do business with: vet your vendors during the product acquisition phase (industry reputation, quality control, customer testimonials and quality of business). Show an equal amount of caution when expanding the capabilities of IoT devices through third-party software vendors.

Prepare for the Future

While they have never been more serious than they are today, the risks of IoT and the principles of supply chain security have been understood for over a decade. But sadly, it’s difficult to apply them, especially when the component integration strategy of many product developers depends on technology sourced from countries that are hostile to the U.S. The Department of Defense (DoD) believes that foreign espionage through IoT products purchased by government agencies in America will be a major issue in the near future, and soon it will require all DoD partners to follow the security requirements in NIST SP 800-171 and to comply with the Cybersecurity Maturity Model Certification (CMMC). Until that happens, government contractors would do well to proactively adopt compliant security strategies, fortify their networks, and analyze their own IoT assets for vulnerabilities. The right time to beat hackers is before they strike.


Securicon Can Help

Securicon offers comprehensive IoT security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments, trusted by critical infrastructure companies across the U.S. and other critical organizations to find vulnerabilities and maximize safety. In 2020, there’s no room to be lax about security – contact us today!


Breaking Down CISA/NSA’s Warning to Industrial Control System (ICS) Operators

ics and ot security

At the beginning of 2020, we predicted that strengthening America’s critical infrastructure would become a renewed focus of cybersecurity for federal agencies and contractors. In spite of everything else that has happened since then, this prediction is coming true more rapidly than we would have guessed.

At the end of last month, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) jointly posted an alert (AA20-205A) warning government agencies of an increased threat to the Industrial Control Systems (ICS) and operational technology (OT) that power the country’s National Security Systems (NSS), Defense Industrial Base (DIB) and other critical infrastructure.

In the alert, CISA urges “immediate action” to strengthen the security of vulnerable OT, outlining key risks and remediation strategies. Should your organization be concerned, and if so, how should you respond? In this article, we’ll break down CISA’s warning and comment on its recommendations.

What happened?

CISA contextualized its bulletin in general terms – apparently the agency has noticed a heightened level of activity from malicious cyber-actors targeting critical systems on protected federal networks. These attacks generally target OT through Internet-accessible programmable logic controllers (PLCs) and SCADA devices. While these incidents have increased in recent years, this is the first time an advisory has been released in response. Whether a particular actor or group of actors are involved has not been disclosed.

Why is this happening?

According to CISA, the rise in malicious activity is explained by multiple factors that closely map to our list of predictions for ICS risks in 2020. They include:

  • Increased Internet connectivity and Internet-connected assets within industrial environments, alongside and exacerbated by the growth of Industrial Internet of Things (IIoT).
  • Deprecated or legacy systems that are expensive to replace, and have not been protected against modern threats
  • Search engines and OSINT tools that index the IP addresses of public-facing ICS systems – like Shodan and Kamerka – enable hackers to target them easily. For organizations with an inaccurate or outdated inventory, critical assets can go online without the knowledge of operators, and sometimes no authentication at all is required to interface with them.
  • Increased availability of exploit frameworks (Metasploit, Core Impact, etc.) that come pre-loaded with attack vectors and vulnerabilities that affect ICS systems

Ultimately, a rise in cyber-actors targeting ICS is not surprising. Because the OT/IT convergence is such a recent phenomenon, many organizations and federal agencies have not prioritized cybersecurity for OT, and threats have advanced much faster than infrastructure has developed in those organizations.
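To make the Shodan and exploit-framework bullets above concrete, the following is an added example, not part of the advisory or of this article: a minimal Modbus/TCP probe in Python that asks a controller to identify itself (function 0x2B, MEI type 0x0E, Read Device Identification) and then reads a holding register (function 0x03) with no credentials at all. The protocol has no authentication, so any host that can reach TCP port 502 can do the same, which is why an accurate inventory and a hardened perimeter matter more than anything the PLC itself can do. The live probe() function is for checking addresses you own and are authorised to test; the constructed responses (vendor ExampleCo, product code PLC-1, a register value of 42) are invented for offline demonstration.

```python
"""Probe for unauthenticated Modbus/TCP exposure (added example, not from the advisory)."""
import socket
import struct

MODBUS_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03
FC_ENCAPSULATED_INTERFACE = 0x2B   # carries MEI type 0x0E, Read Device Identification
MEI_READ_DEVICE_ID = 0x0E
DEVICE_ID_OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header; its length field counts the unit id plus the PDU bytes."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Read Device Identification, basic category (read code 0x01), starting at object 0."""
    return mbap(transaction_id, unit_id,
                bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x00]))


def build_read_holding(transaction_id: int = 2, unit_id: int = 1,
                       start: int = 0, count: int = 1) -> bytes:
    """Read Holding Registers: any client that can reach port 502 may issue this."""
    return mbap(transaction_id, unit_id,
                struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, count))


def split_frame(frame: bytes) -> bytes:
    """Validate the MBAP header and return the PDU; raise on a Modbus exception response."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    pdu = frame[7:]
    if pdu[0] & 0x80:   # exception: function code with the high bit set, then an exception code
        raise ValueError(f"Modbus exception {pdu[1]:#04x} for function {pdu[0] & 0x7F:#04x}")
    return pdu


def parse_device_id(frame: bytes) -> dict:
    """Return {object name: value} from a Read Device Identification response."""
    pdu = split_frame(frame)
    if pdu[:2] != bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID]):
        raise ValueError("not a device identification response")
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more-follows flag, pdu[5] next object id
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = DEVICE_ID_OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


def parse_read_holding(frame: bytes) -> list:
    """Return the 16-bit register values from a Read Holding Registers response."""
    pdu = split_frame(frame)
    if pdu[0] != FC_READ_HOLDING_REGISTERS or len(pdu) != 2 + pdu[1] or pdu[1] % 2:
        raise ValueError("malformed Read Holding Registers response")
    return list(struct.unpack(f">{pdu[1] // 2}H", pdu[2:]))


def probe(host: str, port: int = MODBUS_PORT, unit_id: int = 1, timeout: float = 3.0) -> dict:
    """Live check against equipment you own: identify it, then read a register with no credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(1, unit_id))
        identity = parse_device_id(sock.recv(260))
        sock.sendall(build_read_holding(2, unit_id, 0, 1))
        registers = parse_read_holding(sock.recv(260))
    return {"identity": identity, "unauthenticated_read": registers}


def encode_device_id_response(objects: dict, transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Simulate a PLC's identification reply (used only to build the constructed samples below)."""
    body = b"".join(bytes([i, len(v)]) + v.encode("ascii") for i, v in objects.items())
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objects)])
    return mbap(transaction_id, unit_id, pdu + body)


# Constructed responses, invented for offline demonstration; no real device was queried.
SAMPLE_DEVICE_ID_RESPONSE = encode_device_id_response({0: "ExampleCo", 1: "PLC-1", 2: "1.0"})
SAMPLE_HOLDING_RESPONSE = mbap(2, 1, bytes([FC_READ_HOLDING_REGISTERS, 2, 0x00, 0x2A]))
SAMPLE_EXCEPTION_RESPONSE = mbap(2, 1, bytes([FC_READ_HOLDING_REGISTERS | 0x80, 0x02]))

if __name__ == "__main__":
    print(parse_device_id(SAMPLE_DEVICE_ID_RESPONSE), parse_read_holding(SAMPLE_HOLDING_RESPONSE))
```

A controller that answers both requests from an address outside the control network is, for practical purposes, publicly writable too, since the write functions (0x06, 0x10) need no more authority than the reads; that is the finding to take to the network team, not to the PLC vendor.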

What tactics should I be worried about?

CISA lists several “Tactics, Techniques, and Procedures” (TTPs) that cyber-actors are using to exploit ICS systems. Some are expected, including ransomware that encrypts data until the organization pays a fee to the attackers, while others – in particular spearphishing – are less commonly associated with OT security, and show that people remain a primary attack vector across IT and OT alike: a phished engineering workstation is often the bridge into the control network.

What Does CISA/NSA Recommend?

A week after the initial alert, CISA and the NSA provided a lengthy list of recommendations, urging “immediate action” to resolve vulnerabilities and strengthen the security position of critical infrastructure.

In abridged form, the recommended actions fall into three strategy groups:

  1. Develop an OT resilience plan – operators should ensure that their systems will maintain critical functionality even if components must be deactivated after a hostile takeover. They should isolate critical systems from further sabotage by disconnecting them from the Internet wherever possible and educate staff on processes for manual control in case ICS-functionality ever ceases.
  2. Develop and exercise an incident response strategy – in the past, we have written about the importance of responding quickly during a breach or threat event. CISA agrees and urges organizations to rehearse their strategy through “tabletop exercises”. All personnel who are involved in the strategy should know their roles, especially key decision makers, and third-parties should be consulted for further support.
  3. Harden your network – crucially, organizations should maintain an accurate inventory of all network-accessible equipment. Without this, it is impossible to guarantee their protection. CISA recommends the use of tools like Shodan to discover which assets are publicly accessible, and continuously monitor network activity to catch malicious behavior as soon as it begins.

The full list of recommendations – available on CISA’s website – is a great resource that OT operators should both read and retain for future reference. In particular, the actions recommended under “harden your network” fall under perimeter security, and protecting ICS assets on the perimeter is the most effective way to prevent them from falling into the wrong hands.

Know Your Infrastructure

The actions recommended by CISA and NSA are geared towards providing OT operators with a way to strengthen their security position in the short term. But in the long-term, defending against threats requires systemic improvement of an organization’s culture, alongside strategic replacement of deprecated software and physical systems.

Every organization that depends on industrial technology should aim to improve its infrastructure over time, but it’s not possible to do that without first assessing its current position, unique vulnerabilities and gaps. Download our free eBook: Industrial Cybersecurity in 2020: How to Conduct An OT/ICS Gap Analysis and learn:

  • OT/ICS security standards for proactive risk prevention
  • ICS-specific security gaps
  • Organization culture gaps
  • The dangers of complacency

Moving forward, ignoring ICS security risk is not an option. As cyber-actors advance, your organization is a target. With years of ICS expertise trusted by the U.S. security community – including DoD, DHS and U.S. Cyber Command – Securicon can harden you against today’s risks and prepare you for tomorrow’s threats. Contact us to learn more!

Why A Compliance-Based Approach to Cybersecurity is Not Enough

compliance, cybersecurity

The RMS Titanic was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. Since then, many have wondered why the ship was not carrying enough lifeboats to save all the souls on board.

There’s a simple answer: the designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required. Since then, the story of Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security.

Today government contractors and organizations working with the federal government are required to implement a host of regulatory security controls, from the National Institute of Standards and Technology (NIST) to the Federal Information Security Management Act (FISMA) and the Defense Federal Acquisition Regulation Supplement (DFARS). But not all organizations are equally secure: in 2019, 80% of companies were expecting to experience a data breach. What set apart the remaining 20%, who were confident that their cybersecurity program would succeed?

The Problems with Compliance

At least part of the answer to that question lies in the difference between a compliance and a risk-based mindset. While government regulations provide a minimum standard of security to businesses, these truly only satisfy a lowest common denominator of security controls. The best security officers and IT administrators know that their organization needs more. When it comes to cyber risk, a compliance-based mindset can actually make organizations significantly less secure for the following reasons:

  • Regulations lag behind technical threats – today technology is advancing at a faster pace than ever, and as it does, threat actors find new ways to penetrate organizations and leverage their weaknesses. By the time regulations are updated, they may be weeks behind the latest attack vector, leaving compliant businesses vulnerable.
  • Compliance is NOT security – to ensure that security controls are followed, they must be meaningfully contextualized by a broader security strategy that is understood by everyone throughout an organization. Unfortunately, compliance often devolves into a list of boxes that must be checked off which obscure the reason behind each control.
  • Compliance is expensive – gone are the days when companies could conduct self-audits or track their IT infrastructure without the assistance of expensive products and solutions. The more a company struggles to comply with regulations, the more it will spend in that effort with no clear guidance to prioritize expense.
  • Compliance is siloed – a compliance strategy is usually carried out from a centralized position which assigns security controls to every department in an organization. Rather than helping them to work together and share data, compliance efforts are limited by silos that don’t communicate with one another.

But the number one problem with a compliance-based cybersecurity mindset is this: compliance is only a basic foundation – even most regulators will admit that the requirements imposed by security regulations are a bare minimum standard for organizational security. Although it may cite cost, capability or time as a reason for stopping at mere compliance, an organization that has not taken the steps to move beyond mere compliance by building on top of its unique needs and circumstances has not seriously considered the responsibility it bears to its clients and shareholders.

What is Risk-Based Cybersecurity?

Although the Titanic was built to the British government’s specifications, one prescient observer noticed its flaws. Civil safety officer Maurice Clarke advised that “the ship needs 50% more life-boats,” and that advice was ignored. While the Titanic’s owners were thinking from a compliance-based perspective, Clarke was thinking from the perspective of risk.

The basic contours of risk and risk-based approaches to security are spelled out in NIST SP 800-37, which lays out a Risk Management Framework (RMF) for government organizations and businesses to follow, and in its companion SP 800-30, which covers risk assessment. Together they provide a useful way to talk about risk. In short, risk is a function of:

  1. The likelihood that a threat event will happen
  2. The impact if it does

Organizations that take a risk-based approach to security are looking at it with the goal of protecting their most valuable assets, the safety of their customers, and the security of their information. They proactively search for weaknesses in their IT architecture through risk assessments and seek to continually improve their position.

Benefits of a Risk-Based Mindset

At first glance, risk-based security might seem like a significant time investment: it requires preparation, strategy, and continuous monitoring. But while it is not as linear as compliance, those who adopt it will quickly find that it is not only less resource-intensive, but also provides many benefits:

  • Stay ahead of threats – when organizations pay attention to risk, they discover new and developing threats long before they are reflected in legislation. This lets them counter attacks while those attacks are still novel and most effective, and gives them a competitive edge.
  • Prioritize security efforts – by revealing areas of high vulnerability, a risk-based strategy helps organizations to continually improve their cybersecurity position with time while effectively protecting their customers and most vital assets.
  • Cost-optimized – a risk-based mindset enables organizations to allocate resources more efficiently, spending the greatest amount of money and manpower on the areas which need it most. Greater overall security and reduced labor leads to lower costs.
  • Integrated cybersecurity strategy – by embedding cybersecurity goals within their overall enterprise risk management strategy, organizations connect cybersecurity concerns with business goals, bringing together all departments and personnel to protect its assets.

Ultimately, a risk-based mindset reduces “check-the-box” routines that obscure the real purpose of cybersecurity from an organization’s people. It helps executives and decision makers to reflect on cybersecurity with every choice they make and empowers everyone else to make a meaningful contribution to the reduction of risk.

Risk vs. Compliance: Better Together

While a risk-based approach to cybersecurity fills many of the gaps in a compliance-dominated organization, they are better together. Firstly, compliance offers a simple foundation that all organizations should be able to meet before they look for ways to improve. Secondly – due to the impact of a failed audit – lack of compliance is itself a risk which should be accounted for in any risk management strategy.

Today all federal contractors and an increasing number of businesses in the private sector are being asked to comply with federal security regulations. But newer standards like the Cybersecurity Maturity Model Certification (CMMC) recognize the limits of a traditional approach to compliance, and demand that businesses think about risk. Organizations who don’t start today won’t be prepared tomorrow. Contact us to learn more!

Why Third-Party Vendors Are Responsible for the IoT Security Problem

iot security problems

In 2017, an unnamed casino found that its data servers had been compromised and called in a security firm to help find the culprit. Shortly afterwards, the surprising results of the investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium.

Today’s organizations have a lot more to worry about than the old fish tank trick: this year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion, setting a world record that will continue to climb for years to come. In our time, connected refrigerators, printers, TVs, and smart meters will provide points-of-entry for hackers with increasing frequency.

In the past, we’ve written about the security problems plaguing the current generation of IoT devices: just two years ago, researchers at the Black Hat and DEF CON security conferences showed how bad the problem is by hacking dozens of devices in unique and novel ways. This raises the question: how did we get here? Why is IoT so difficult to secure, and what can organizations do about it?

Why IoT is A Supply-Side Problem

To explain the IoT security problem, we have told ourselves a plausible story sometimes repeated on this website: IoT is an inherent security risk, because increasing the number of Internet-connected devices in an organization also expands the attack surface available to malicious actors.

But – while there is truth to this story – it does not explain the sheer number of easily prevented security issues in business grade IoT.

According to Ponemon Institute, 51% of organizations acquire IoT products through a third party; meanwhile, 48% of organizations have been subject to at least one IoT attack, and that number is rising. As we will see, these two facts are not unrelated.

How Vendors Cheat on Security

In the absence of industry regulations incentivizing high security standards for IoT products, the incentive for vendors to make a quick profit by cutting corners drives sloppy development, a lack of vulnerability testing, and quality control issues galore. The IoT market is in its “wild west” phase, as the PC market was three decades ago, and organizations must be wary who they work with.

The following tactics are some of the most common ways we find IoT vendors punting the responsibility for secure design from themselves to their customers.

  1. Quick Turnaround

By now, we have been talking about the “Internet of Things” for years, but the hype cycle isn’t over yet: because it is still cited as one of the best ways for organizations to modernize and take advantage of “big data,” the demand for IoT motivates companies to join the market as fast as they can with an often-questionable supply.

Vendors with no history in the IoT market may introduce products too quickly without an adequate development cycle, patch “IoT” features into their existing product lineup, or simply relabel existing devices as “IoT”. Practices like these lead to devices that not only suffer from general quality issues, but easily succumb to probing and attack.

  2. No Vulnerability Testing

Vendors are not immune to the lack of security awareness which impacts their customers. While it may be in their best, long-term interest to offer products with a high bar for security, it’s all-too-easy for vendors to skip a comprehensive vulnerability testing phase, opting instead to run down a checklist of features, if even that. Many companies lack the capabilities to test their products for security issues in the first place, and without regulations forcing them to do so, they simply won’t bother.

  3. Convenience at the Cost of Risk

When it comes to ease of access, what benefits IoT customers also benefits hackers. For the sake of convenience, vendors make design choices that exacerbate the vulnerability of their products: web interfaces, for instance, are the biggest target of IoT attacks, and even devices behind a firewall with NAT can be compromised when an attacker reaches them from a browser that is already inside the network, for example through DNS rebinding or cross-site request forgery. Likewise, the omission of two-factor authentication (2FA) and of forced credential changes on first login is a decision that favors convenience over security, when both features could thwart a huge number of IoT attacks.

  4. Corner-Cutting

Vendors frequently cut corners to make their products work as intended at the lowest cost, and these shortcuts carry a high security risk. Many low-cost embedded IoT devices have tight CPU, memory and power budgets, and vendors often respond by skipping transport encryption and proper key exchange altogether rather than specifying a processor that can handle them or adding a dedicated security chip (a secure element or TPM) that stores keys and accelerates cryptography. Most vendors won’t bother, citing the added cost of production.

Similarly, when IoT devices lack adequate data storage – or any storage at all – vendors will connect them with the cloud and advertise this as a feature rather than a security liability. Rather than build dedicated customer support channels, vendors will add easily exploited backdoors into the device’s firmware. The list goes on and on.

  5. Poor Firmware

Speaking of backdoors in IoT firmware, the design of firmware is a major contributing factor to IoT security issues: few vendors will dedicate the time it takes to work out all the kinks before release, and debugging facilities used during development – serial consoles, telnet services, verbose logging – are often left in the shipped image, allowing attackers to dump a huge amount of useful information.

Lack of testing may leave firmware vulnerable to memory-corruption bugs such as buffer overflows, and the open-source components that many firmware images are built from (a kernel, BusyBox, a web server, a TLS library) are frequently years out of date, so their publicly documented vulnerabilities are exposed to anyone who reads the version string. The best vendors update their firmware on a regular basis to patch newly discovered vulnerabilities, but this is a rarity.
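The debug leftovers, baked-in backdoors and stale open-source components described here (and in the “Poor Firmware” section of the newer article earlier on this page) are exactly what a buyer can check for before signing with a vendor. The following Python is an added example, not code from this article or from any vendor: a first-pass triage script that extracts printable strings from a firmware image the way strings(1) does and flags private keys, /etc/shadow-style password hashes, telnetd debug services, hard-coded credentials, and BusyBox banners older than a review baseline. The sample image, the baseline version (1.30.0) and the pattern list are constructed assumptions; a real review would follow up each hit in an unpacked filesystem.

```python
"""First-pass firmware triage for debug leftovers and baked-in secrets (added example)."""
import re

# Assumed review baseline: anything older gets a closer look. This is a policy knob, not a CVE cut-off.
ASSUMED_MIN_BUSYBOX = (1, 30, 0)

RULES = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "shadow_hash": re.compile(r"\b[a-z_][a-z0-9_-]*:\$(?:1|2[aby]?|5|6)\$[./0-9A-Za-z]+\$"),
    "telnetd": re.compile(r"\btelnetd\b"),
    "hardcoded_credential": re.compile(r"(?i)(?:passw(?:or)?d|pwd|secret)\s*[=:]\s*\S+"),
}
BUSYBOX_BANNER = re.compile(r"BusyBox v(\d+)\.(\d+)(?:\.(\d+))?")


def extract_strings(blob: bytes, min_len: int = 6):
    """Yield (offset, text) for each run of printable ASCII of at least min_len bytes."""
    start = None
    for i, b in enumerate(blob):
        printable = 0x20 <= b <= 0x7E
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                yield start, blob[start:i].decode("ascii")
            start = None
    if start is not None and len(blob) - start >= min_len:
        yield start, blob[start:].decode("ascii")


def busybox_version(text: str):
    """Return the (major, minor, patch) tuple from a BusyBox banner, or None."""
    m = BUSYBOX_BANNER.search(text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def scan_firmware(blob: bytes) -> list:
    """Run every rule over every extracted string; return {rule, offset, excerpt} findings."""
    findings = []
    for offset, text in extract_strings(blob):
        for rule, pattern in RULES.items():
            if pattern.search(text):
                findings.append({"rule": rule, "offset": offset, "excerpt": text[:60]})
        version = busybox_version(text)
        if version is not None and version < ASSUMED_MIN_BUSYBOX:
            findings.append({"rule": "outdated_busybox", "offset": offset, "excerpt": text[:60]})
    return findings


# Constructed image: non-printable filler around the kinds of strings a real dump would show.
FILLER = bytes(range(0x20)) * 3
SAMPLE_FIRMWARE = (
    FILLER + b"BusyBox v1.22.1 (2014-01-10 10:15:39 UTC) multi-call binary."
    + FILLER + b"root:$1$Vh7Y2a$NcY3F0lDb7eRzLpCaxUU60:18000:0:99999:7:::"
    + FILLER + b"/usr/sbin/telnetd -l /bin/sh"
    + FILLER + b"-----BEGIN RSA PRIVATE KEY-----"
    + FILLER + b"admin_password=Admin123"
    + FILLER
)

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print(f"{f['rule']:22} @0x{f['offset']:06x}  {f['excerpt']}")
```

Run it against a vendor’s update file before purchase; a hit on private_key or shadow_hash means every unit of that model shares the same secret, and a telnetd line in an init script is the “dedicated support channel” the section above warns about.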

  6. API Flaws and External Threats

From the outside, IoT integration with third-party apps through an application programming interface (API) seems like a great idea, but API flaws left by vendors open the doorway to attacks from malicious code hidden within seemingly innocuous applications. Researchers have also proven the possibility of DNS rebinding attacks on IoT: a malicious website, infected link, advertisement or redirect can turn the victim’s own browser into a bridge to devices on the local network. In the future, organizations may have to worry that their network will be infected every time their employees browse the Internet.
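The DNS rebinding scenario above (and in the “API Flaws and External Threats” section of the newer article earlier on this page) hinges on one detail: after the attacker’s domain is re-pointed at the device’s private address, the victim’s browser delivers the request to the device, but the Host header still carries the attacker’s name. An embedded web server that checks that header against the names and addresses it actually serves refuses the request, which is the defence the vendor should have shipped; NAT does nothing here because the request originates inside the network. The following Python is an added example, not code from this article or from any vendor; the hostname thermostat.local, the addresses 192.168.1.50 and fd00::50, and the request bytes are constructed.

```python
"""Host-header allowlisting on an embedded web interface against DNS rebinding (added example)."""
import ipaddress

# Constructed allowlist: the names and addresses this device legitimately answers to.
TRUSTED_HOSTNAMES = {"thermostat.local"}
TRUSTED_ADDRESSES = {"192.168.1.50", "fd00::50"}


def parse_head(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, headers).
    headers maps a lowercase field name to the list of values seen for it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *field_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in field_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def normalize_host(value: str):
    """Drop an optional :port and IPv6 brackets and lowercase; None if unparseable."""
    value = value.strip()
    if value.startswith("["):                  # "[fd00::50]:8080"
        end = value.find("]")
        return value[1:end].lower() if end > 1 else None
    if value.count(":") == 1:                  # "name:port" or "v4:port"
        value = value.rsplit(":", 1)[0]
    return value.lower() or None


def is_trusted(hostish: str) -> bool:
    """True only for an allowlisted name or a textually normalised allowlisted address."""
    host = normalize_host(hostish)
    if host is None:
        return False
    if host in TRUSTED_HOSTNAMES:
        return True
    try:
        return str(ipaddress.ip_address(host)) in TRUSTED_ADDRESSES
    except ValueError:
        return False


def host_header_trusted(headers) -> bool:
    hosts = headers.get("host", [])
    return len(hosts) == 1 and is_trusted(hosts[0])   # absent or duplicated Host: refuse to guess


def origin_trusted(headers) -> bool:
    """Browsers attach Origin to cross-site POSTs; no Origin means a non-browser client."""
    origins = headers.get("origin", [])
    if not origins:
        return True
    if len(origins) != 1:
        return False
    _scheme, _, rest = origins[0].partition("://")
    return is_trusted(rest)


def handle_vulnerable(raw: bytes):
    """Answers whoever reaches the socket. After a rebind that is the victim's browser,
    still sending Host: attacker.example, and this handler never looks at it."""
    _method, target, _headers = parse_head(raw)
    return (200, '{"wifi_psk": "..."}') if target == "/api/config" else (404, "")


def handle_hardened(raw: bytes):
    """Same endpoint, but the request must name this device and any state change must come
    from a trusted Origin."""
    method, target, headers = parse_head(raw)
    if not host_header_trusted(headers):
        return 421, "Misdirected Request"       # RFC 9110 section 15.5.20: wrong server for this name
    if method not in ("GET", "HEAD") and not origin_trusted(headers):
        return 403, "Forbidden"                 # cross-site state change (CSRF)
    return (200, '{"wifi_psk": "..."}') if target == "/api/config" else (404, "")


# Constructed traffic: what the device sees after DNS rebinding versus from a legitimate client.
REBOUND_REQUEST = b"GET /api/config HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
LEGIT_REQUEST = b"GET /api/config HTTP/1.1\r\nHost: 192.168.1.50:80\r\n\r\n"

if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(REBOUND_REQUEST)[0], "hardened:", handle_hardened(REBOUND_REQUEST)[0])
```

The check costs one string comparison per request and needs no cryptography, which is why its absence from a shipped product says more about the vendor’s process than about the hardware’s limits.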

How to Avoid Bad Vendors

The IoT security gap remains one of the greatest threats to security across federal agencies. In response, legislators have discussed the idea of enforcing IoT regulations for some time, and NIST has produced NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, first released as a draft set of recommendations for manufacturers.

But until that happens, bad IoT vendors will persist, and organizations must practice due diligence to protect themselves. Here’s how to do that:

  1. Take inventory of the IoT products throughout your organization, alongside any devices connected to the Internet (organizations should be keeping inventory of all their IT assets as part of a comprehensive security strategy).
  2. Conduct a vulnerability assessment to discover the devices that constitute a real threat to your organization, and remediate the issue. This will also give you an idea which vendors to avoid moving forward.
  3. Be careful who you do business with: vet your vendors during the product acquisition phase (industry reputation, quality control, customer testimonials and quality of business). Show an equal amount of caution when expanding the capabilities of IoT devices through third-party software vendors.

Adopting a Threat-Based Mentality

While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the letter won’t protect against threats that legislation doesn’t address.

In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.


Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, vulnerability testing and ethical hacking can help through technical consulting and federal security services. Contact us today!