Why Third-Party Vendors Are Responsible for the IoT Security Problem

iot security problems
iot security problems

In 2017, an unnamed casino found that its data servers had been compromised and called on the aid of a security firm to help them find the culprit. Shortly afterwards, the surprising results of this investigation were reported far and wide: like the plot of an ill- conceived James Bond story, hackers had entered the casino’s network through an Internet-connected thermostat in a decorative aquarium.

Today’s organizations have a lot more to worry about than the old fish tank trick: this year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion, setting a world record that will continue to climb for years to come. In our time, connected refrigerators, printers, TVs, and smart meters will provide points-of-entry for hackers with increasing frequency.

In the past, we’ve written about the security problems plaguing the current generation of IoT devices: just two years ago, researchers at the Black Hat and DEFCON security conferences showed just how bad the problem is by hacking dozens of devices in unique and novel ways. This begs the question: how did we get here? Why is IoT so difficult to secure, and what can organizations do about it?

Why IoT is A Supply-Side Problem

To explain the IoT security problem, we have told ourselves a plausible story sometimes repeated on this website: IoT is an inherent security risk, because increasing the number of Internet-connected devices in an organization also expands the attack surface available to malicious actors.

But – while there is truth to this story – it does not explain the sheer number of easily prevented security issues in business grade IoT.

According to Ponemon Institute, 51% of organizations acquire IoT products through a third party; meanwhile, 48% of organizations have been subject to at least one IoT attack, and that number is rising. As we will see, these two facts are not unrelated.

How Vendors Cheat on Security

In the lack of industry regulations incentivizing high security standards for IoT products, the incentive for vendors to make a quick profit by cutting corners drives sloppy development, lack of vulnerability testing, and quality control issues galore. The IoT market is in its “wild west” phase, as the PC market was three decades ago, and organizations must be wary who they work with.

The following tactics are some of the most common ways we find IoT vendors punting the responsibility for secure design from themselves to their customers.

  1. Quick Turnaround

By now, we have been talking about the “Internet of Things” for years, but the hype cycle isn’t over yet: because it is still cited as one of the best ways for organizations to modernize and take advantage of “big data,” the demand for IoT motivates companies to join the market as fast as they can with an often-questionable supply.

Vendors with no history in the IoT market may introduce products too quickly without an adequate development cycles, patch “IoT” features into their existing product lineup, or simply label existing devices as “IoT”. Practices like these lead to devices that not only suffer from general quality issues, but easily succumb to probing and attack.

  1. No Vulnerability Testing

Vendors are not immune to the lack of security awareness which impacts their customers. While it may be in their best, long-term interest to offer products with a high bar for security, it’s all-too-easy for vendors to skip a comprehensive vulnerability testing phase, opting instead to run down a checklist of features, if even that. Many companies lack the capabilities to test their products for security issues in the first place, and without regulations forcing them to do so, they simply won’t bother.

  1. Convenience at the Cost of Risk

When it comes to ease-of-access, what benefits IoT customers also benefits hackers. For the sake of convenience, vendors make design choices that exacerbate the vulnerability of their products: web interfaces, for instance, are the biggest target of IoT attacks – even those behind a firewall with NAT can be compromised. Likewise, the omission of two-factor authentication (2FA) and forced credential updates is a decision driven by form over function, when both features could thwart a huge number of IoT attacks.

  1. Corner-Cutting

Vendors frequently cut corners to make their products work as intended, and these tactics incur a high security risk. Because most IoT devices are embedded, they lack the power to perform data encryption or key negotiation. While these functions could be implemented with a dedicated security chip, most vendors won’t bother due to the added cost of production.

Similarly, when IoT devices lack adequate data storage – or any storage at all – vendors will connect them with the cloud and advertise this as a feature rather than a security liability. Rather than build dedicated customer support channels, vendors will add easily exploited backdoors into the device’s firmware. The list goes on and on.

  1. Poor Firmware

Speaking of backdoors in IoT firmware, the design of firmware is a major contributing factor to IoT security issues: few vendors will dedicate the time it takes to work out all the kinks before release; debugging systems used in the staging system of a device are often left in, allowing hackers to dump a huge amount of useful information.

Lack of testing may leave firmware vulnerable to buffer overflow, and the use of open-source platforms leaves an unprotected attack surface completely visible to attackers. The best vendors update their firmware on a regular basis to patch for newly discovered vulnerabilities, but this is a rarity.

  1. API Flaws and External Threats

From the outside, IoT integration with third-party apps through an application programming interface (API) seems like a great idea: but API flaws left by vendors open the doorway to attacks from malicious code hidden within seemingly innocuous applications. Researchers have also proven the possibility of DNS-rebinding attacks on IoT through a website, infected link, advertisement or malicious redirect. In the future, organizations may have to worry that their network will be infected every time their employees browse the Internet.

How to Avoid Bad Vendors

The IoT security gap remains one of the greatest threats to security across federal agencies. In response, legislators have discussed the idea of enforcing IoT regulations for some time, and NIST has produced IR 8259, a draft of recommendations for IoT manufacturers.

But until that happens, bad IoT vendors will persist, and organizations must practice due diligence to protect themselves. Here’s how to do that:

  1. Take inventory of the IoT products throughout your organization, alongside any devices connected to the Internet (organizations should be keeping inventory of all their IT assets as part of a comprehensive security strategy).
  2. Conduct a vulnerability assessment to discover the devices that constitute a real threat to your organization, and remediate the issue. This will also give you an idea which vendors to avoid moving forward.
  3. Be careful who you do business with: vet your vendors during the product acquisition phase (industry reputation, quality control, customer testimonials and quality of business). Show an equal amount of caution when expanding the capabilities of IoT devices through third-party software vendors.

Adopting a Threat-Based Mentality

While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the tee won’t protect against threats that legislation doesn’t address.

In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.

Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, vulnerability testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

OT Security Risks Are Worse Than Ever: Here’s How You Fight Them

security risks,
security risks,

The convergence of IT and OT has come so far that – in a recent blog post – the SANS Institute recommended dropping the “IT/OT” nomenclature entirely. Judging by the state of OT today, it’s a reasonable suggestion: over 65% of industrial control systems (ICS) are linked to enterprise or third-party networks, shrinking the “air gap” which has historically defended them.

This connectivity hasn’t come without a cost – on the contrary, OT systems have never been more vulnerable than they are now. According to SANS, the percentage of control systems that experienced three or more incidents increased from 35.3% in 2017 to 57.7% in 2019. We’ve written about quite a few of them, from the BlackEnergy malware which took down swaths of the Ukrainian power grid in 2015 to the Triton attack which hit industrial facilities in 2019.

By now, everyone knows that organizations with OT infrastructure are at risk. In our last blog post, we talked about the top ICS risks that organizations should watch out for in 2020. In this post, we’re zooming out to explain the nature of OT risks more generally and strategies for beating them.

The Threat-Sources Behind OT Attacks

From the perspective of technology, it’s easy to understand why OT is more vulnerable than ever: integration with IT generally means more attack vectors. But just who is targeting OT systems, and what’s enabling them? There are three primary threat sources:

  • Insider threats – insider threats come in one of three shades: the careless insider compromises an organization through lack of digital hygiene, the unwitting insider is manipulated through social engineering, and the malicious insider deliberately sabotages their own organization for spite or profit. A significant percentage  of OT security incidents involve insiders.
  • Targeted attacks – thanks to the dark web and the increased availability of advanced hacking tools, the number of hackers with the chops to successfully target an organization has risen. According to SANS, growth in OT attacks is largely attributable to foreign actors who are motivated by destruction or disruption.
  • Malware – since Stuxnet hit Iranian uranium enrichment processing in 2010, malware targeting OT systems has become alarmingly effective. It is often – but not always – connected with a targeted attack. Triton malware is stealthy and manages to bypass multiple security controls; strains of ransomware capable of infecting ICS have also been discovered.

The Risks of An OT Attack

Attacks on control systems can accomplish many things, none of them good. Limiting the scope of risk to those that directly impact an organization, they include:

  • Data theft – exposing operationally significant data to intruders and leaking proprietary information like intellectual property.
  • Disrupt operations – leading infrastructure to function improperly or even shut down. This may cause significant risk to human life and safety within operating facilities.
  • Financial loss – with the rise of ICS ransomware, an OT attack can directly rob an organization. Beyond that, the cost to remediate any incident may be high, and extended periods of disruption can cause a loss in revenue.

Beyond an organization’s people and bottom line, it goes without saying that OT systems control a nation’s infrastructure meaning that any security incident can potentially affect millions of people.

Dealing with OT Risks: Three Steps

The principles behind OT risk management are not difficult to understand. They share many things in common with – and overlap – the risk management strategies used in IT for decades. Risks to OT permeate through an organization and must be addressed at every level of the enterprise.

1. Implement Perimeter Security

Malware targeting OT – wherever it originates – must spread through the IT chain connected with control systems. Beginning with the devices closest to OT, secure these networks using traditional methods and work towards routers and other peripherals at the edge of your organization.

  • Use vulnerability analysis to find and prioritize areas of weakness. Validate those weaknesses using penetration tests and remediate according to the level of risk.
  • Take inventory of the IT chain, and – wherever possible – reduce the number of routes to OT by eliminating unnecessary connections or devices.
  • Invest in personnel training to raise awareness of cyber hygiene and prevent social engineering attacks.

In general, lack of collaboration between OT and IT drives the risk of IT/OT convergence: bringing these teams together can ensure that there is no conflict of interest between OT and the rest of an organization’s infrastructure.

2. Solidify OT Architecture

In an ideal world, organizations would build OT from the ground up following validated architecture plans reviewed and approved by security professionals and the appropriate regulatory authority. In reality, existing OT often predates modern security concerns and total redesign may be prohibitively expensive. Nevertheless, changes can be made to improve the security of OT architecture:

  • Move away from legacy or open-source protocols: legacy protocols may not receive patches when new vulnerabilities are discovered. Open-source protocols are well understood by attackers and make for easy targets.
  • Adopt a zero-trust policy towards IIoT, segmenting SCADA and ICS networks with perimeters to reduce the lateral mobility of attackers.
  • Adopt air gaps wherever possible: air-gapping is still the most reliable way to protect OT. If integration with IT is not necessary or mission critical, reverse it, or consider data diodes to limit bi-directional traffic.

3. Incident Response Strategy

In the event of a successful OT attack, organizations can mitigate harm significantly by developing a robust incident response strategy. In summary, the plan should include steps to:

  • If possible, isolate the affected systems to prevent further harm, identify the threat source and remove it.
  • Record and document an ongoing attack for later analysis and review.
  • Reduce harm by resetting affected systems’ passwords and user profiles.
  • Inform stakeholders and implement measures to prevent future incidents.

During an attack, every second counts and knowing what to do ahead of time can make a world of difference. For more detail, check out our recent blog post on disaster recovery and response.

The Need for Expertise

When it comes to preventing OT attacks, no method of security is more reliable than cyber threat hunting which allows organizations to discover and eliminate attack vectors before they are exploited.

Unfortunately, threat hunting requires expertise, and – with the scarcity of available ICS security expertise – that’s hard to come by. Fortunately, some of those experts are employed by Securicon. With years of education and experience in critical infrastructure, nobody is better equipped to discover vulnerabilities and maximize safety in modern OT systems. To learn more, contact us today