At a recent FutureIoT roundtable, one of the delegates pointed to security as a recurring concern even as organizations push forward the digitalization of the business. At a panel discussion, a CIO queried the extent to which the business is mandating the introduction of emerging technologies such as wearables despite the lack of prevailing standards and best practices in deploying and managing such solutions.
Chester Wisniewski, Principal Research Scientist at Sophos, spoke to FutureIoT editor to share his views on how IoT deployments need to be further evaluated in light of growing awareness around vulnerabilities arising from the use of such technologies.
How is IoT faring in the industrial and enterprise space, especially with regards to security?
Chester Wisniewski: Security teams and IT teams are often unaware of a lot of the enterprise IoT they already have because it may have been introduced by third parties. And great examples of that are… some work I was doing at a university a few months ago where when they were renovating a part of their campus, they discovered that the company that had installed the lift, had put the lifts on their network, so that they could remotely monitor the lifts for maintenance purposes and to collect statistics from them to determine when they needed to do repairs.
They also discovered things like the vending machines in the cafeterias were connected to their network – a lot of these things were introduced under their network that they didn’t really know were there, right?
On the enterprise side, I think at this point most the organisations I am talking to are just struggling with identification because it is too easy to connect these things and they get connected without the security team being aware or notified.
On the industrial side, it’s a much more complicated thing.
Obviously, IoT is driving efficiency and possibility the ability to not have to send people to locations to monitor sensors and temperatures and pressures, and all these types of things are driving a whole lot of efficiency. The problem is that the vendors supplying most of the gear have largely ignored security and they bolted on internet capabilities for the things that were designed 25 years ago; that wasn’t designed with the idea that somebody could tamper with them. And now that they are on the internet, of course, they can be tampered with and they are being tampered with. There is a huge amount of risk being introduced there.
What makes IOT devices exploitable at this stage?
Chester Wisniewski: On the enterprise side, it’s usually because they are using commodity - off the shelf components from a software perspective, right?
Most of these devices are running some sort of Linux Operating System (OS). Many of them even run some IoT versions of things like Android. And they are not being updated, so the risk is simply just being out of date and not being patched and maintained. They are built to be deployed once and once they are in the field, there is kind of an expectation that the only time you might ever update them would be for features, not for security.
On the industrial side, the problem is much more complicated because things are placed in buckets when we talk about security and things based on their capabilities. At the bottom of the pile, we have things that just monitor temperatures of something in the pipeline or pressures or these types of very simple sensors that are now internet enabled.
In the middle, you have things that might be a little more intelligent, for example, enterprise IoT, where they have some capabilities. They have an operating system, they’ve got some memory, they’ve got a small processor but because they are deployed in the field and need to run on batteries or a small solar panel because they are not connected to the grid or they are in a remote location. They need to be able to run on extremely low power for a long time, so they have very limited processors and capabilities like that.
On the higher end of full-fledged computers that are controlling things that we would also consider to be IoT in the industrial side and those have a lot more capabilities to be managed, patched and fixed and maintained over a period of time because they are more capable computers.
Should we at this point in time really be worried about IoT security? How much of it is well-placed and where are the greatest areas of vulnerabilities for us?
Chester Wisniewski: The truth of the matter is that there are compromised devices all over most enterprises and it doesn’t cause them to fail every day and it is unlikely that your hacked Coca Cola machine is going to result in a GDPR violation, right?
I mean, the truth of the matter is the risk is somewhat contained already on the enterprise side and the benefits of embracing this kind of stuff outweigh the risks. It’s just more of an issue of, can you do things that are cheap and easy that help you minimize that risk?
If you know that the lifts and the Coke machine are on your network, you start to isolate them with your firewalls, so they can’t talk to everything else on that network. Maybe you just let them talk to the internet because that is the whole purpose of them being there. And if they start talking to your laptops, servers, and databases, you know something is wrong and that is a very bad thing. You just block them, once you are aware of them you can sense them in a little bit and let them do their thing.
I don’t think that we need to get too concerned with updating and patching IoT devices the way we think about fixing our laptops every month, right? It should be a pretty one-time kind of a thing, to identify what you have, contain it and put off to the side and just let it go. It’s fine.
More of the concern is on the industrial side because obviously, depending on the sector you are in, blowing up pipelines or messing with chemical plants or disabling things in water filtration systems is obviously a huge public safety concern. Most of these devices have literally almost zero security built into them and they trust any commandment.
Sadly, the control software also trusts that anything it’s getting from these devices must be valid, like there is no authentication to say that a sensor is actually a sensor. Any hacker can get on the network and start sending messages saying that they are that sensor and in most of the systems there is no way to tell that in fact, it is not the sensor and it is somebody else impersonating it and sending data in. That is where, I think, the most work needs to be done.
Are current generation security solutions designed to support IoT from a security standpoint?
Chester Wisniewski: Security and IoT are still kind of two separate areas, it’s a complex thing. Traditional IT security teams really have no tools or capability to assist with IoT stuff today. The existing tools just are completely separate- I’ll address them separately as you asked me.
So, on the industrial side, usually, the protection and maintenance of the IoT rely on the engineers who actually manufacture and manage it day to day, not the computer people. The computer people don’t have tools to do it and the engineering people who are responsible for it don’t understand the risks because they are not computer people. The current generation stuff that is being sold has gotten a heck of a whole lot better in the past few years. There is way more capability to identify, protect and authenticate communication to industrial IoT devices.
So, I think, to some degree we need to start having traditional IT security people embedded in those industrial management teams. They need to have a seat at the table when decisions are being made about how to deploy things and they need to be part of testing and securing that system in an ongoing basis hand-in-hand with the traditional engineers because they are such different skillsets that we really cannot expect the physical engineers to comprehend the hacker mindset, or vice versa. The hacker mindset people are not people that understand pipes and pressures and sensors and managing a refinery. We need some sort of a cross-trained hybrid team to start dealing with that.
On the enterprise side, since most of the stuff is commodity based, there’s a lot of opportunities for the traditional IT team to actually investigate and potentially identify risks from these devices because most of them are running things like Linux and Android that the IT team already has experience identifying, managing and testing. So, while the manufacturers may not be responsive to a lot of security reports, which is a bit of an issue. If I am an IT person on the enterprise side, I’m just worried about identifying and isolating these devices so if they are compromised, they cause no harm
On the enterprise side, it’s not getting any better. All the stuff has all sorts of security problems, but the staff are prepared for it and understand it better. We kind of have opposites in the two spaces.
What is your advice to organisations?
Chester Wisniewski: On the enterprise side, I would go back to what I was saying earlier. I would be investing my time into identification and isolation. Allow the devices, embrace them and let them make you more efficient but put them in their own little playpen off to the side so that they cannot hurt anyone else. That is cheap and easy, it’s really not that difficult. It’s just a matter of putting a little bit of time in and it will pay off for a long time.
On the industrial side, I’d say you need to hire your own hacker. You really need your own in-house hacker. If you are big enough to have industrial IoT and you have got enough cash flow that is a real concern for your business, you need to have your own internal hacker. You need somebody who is trying to break your stuff to understand how to break it.
Work hand in hand with the team that is building it so that over time you continuously improve. You are never going to fix your 25-year-old stuff – that stuff is going to be out there. You need somebody that is helping you figure out where all those risks lie and explaining it to the people who control it so that you are managing that risk appropriately and having your own internal hacker is the answer.