In an IoT ecosystem, you can interconnect multiple devices to the internet and to each other to process data and transmit it over a network. From controlling a home network to those that power gas lines, it is this connectivity to the Internet that makes IoT devices vulnerable to intrusion.
It is estimated that 1.5 billion IoT breaches occurred between January to June of 2021, most using the telnet remote access protocol, used by network admin to access and manage network devices remotely.
Kamal Brar, vice president and general manager, Asia-Pacific and Japan, Rubrik says the proliferation of unsecured (or less than enterprise-grade secure) IoT devices connected to the enterprise make them great entry points for ransomware and malware attacks.
“Depending on where we're talking about in terms of the IoT devices, the nature of the devices and the complexity of the ecosystem, it varies, but it's an obvious place for everyone to go look at, given the simplicity and the fact that it's so integral to our lifestyles,” he added.
Identity of Things
According to Brar, the identity of things relates to the verification or validation of a trusted device. Within an IoT environment, this ranges from a simple environment involving a single IoT device to a very complex one involving multiple IoT sensors working together to operate a large domain.
“The identity of things or identity of IoT refers to how we authenticate, verify and trust a device on the network, whether it is doing what it is designed to do, for example controlling a process in a manufacturing environment,” he elaborated.
He added that having that validation or the trust in that device is critical. It that sensor is compromised, for example, then it becomes difficult for that system to operate.”
He cited the Colonial Pipeline incident in 2021 where the billing system infrastructure was crippled by a ransomware attack. While the company could continue to pump gas, it was unable to bill customers forcing the company to shut down the operation until the ransom was paid.
How and where threat actors hijack IoT
According to Brar, there are three areas where an IoT-focused attack can occur.
One, the IoT device are forcibly encrypted and therefore the company is unable to control these devices.
The second is along the communication channel. A compromise can occur if the communication channels and/or protocols that the IoT device uses to communicate are hijacked, for example, a denial of service or spoofing of the network, then the company again loses access to the infrastructure.
The third is the hijacking of the data that the IoT captures. “If you're using credentials to connect between the sensors and a central, for example, a database, then you're potentially compromising the application security layer,” he explained.
Can zero-trust be applied to IoT?
At the core of the zero-trust principle is trust no one, always verify. This means that even if someone’s identity has been verified already, that credential is ignored when the user accesses the same application or data in the future. Zero-trust requires identity verification each time a request to access the network, data or application.
IDC acknowledges that IoT can very easily become the weak link or entry point for attacks in any organization – just ask the people at Colonial Pipeline, meatpacker JBS, even Verkade, a Silicon Valley-based security as a service provider.
IDC says extending a zero-trust framework to IoT deployments can enhance security and reduce risk, but it is an enterprise-wide strategy that requires a complete understanding of all IoT systems on the network.
Brar concurred adding that with zero trust, you are always in the process of reconfirming (validating identity and rights) – always!
He however cautioned that contextual information is necessary to ascertain the authenticity of identity.
“For example, if you're in multiple zones on how those IoT devices operate together, to provide an operational outcome, you want to understand the contextual information on what those devices are doing, to being able to have that outcome,” he explained.
He goes on to elaborate that: “If I'm having a three-phase deployment across my power generation, I want to understand exactly which parts or which zones of those devices are actually functional to do, what parts of that delivery of three phases, so I can really understand the blast radius, or the impact, potential impact that ought to have if I was compromised.”
The third element is around automation – specifically, how quickly to recover from a potential threat or exploit.
“If you think about the IoT devices, because the configuration management is large, and it's complex across the general environment, depending on how big it is. That's an area where many customers get it wrong,” laments Brar.
Applying behaviour analysis to IoT
Brar acknowledges that the approach to security varies from company to company. Some focus on the perimeter, others on application hardening data security.
He posits that from the behaviour standpoint, what you want to look at is end-to-end. Is there a way to capture how this device or how this potential workload or payload behaves from point of entry to potentially how it interacts with the application or how that information flows between all the systems and relevant network interfaces?
Click on the PodChat player to listen to the full dialogue with Brar and his recommendations for better securing IoT in the enterprise.
- What makes IoT devices a valuable target for threat actors?
- How does the Identity of Things play a role in protecting IoT devices?
- How do threat actors exploit IoT devices through the Identity of Things?
- What makes zero trust crucial for protecting IoT devices?
- How can behaviour analysis detect threats in IoT networks?
- What makes Rubrik an expert on IoT security?
