As digitisation ramps up, industry leaders are utilising IoT technology more frequently. Paul Keely, Chief Cloud Officer at Open Systems, discusses this in further detail; explaining what IoT and OT is, as well as drawing our attention to the importance of understanding the most significant issues that put IoT and OT systems at risk.
Corporate deployments of Internet of Things (IoT) devices are growing briskly as more and more connected devices are deployed by businesses worldwide both big and small. From smart refrigerators in breakrooms, to copiers that order their own toner, to sensors for the early identification of breakdowns in mission-critical equipment, IoT enables companies to monitor, automate, control and manage many aspects of their business operations.
However, these devices and their network connections represent a potential increase in corporate attack surfaces and offer more weaknesses for attackers to exploit. A major reason for this is that these devices often have in-built weaknesses that are often overlooked, or even unknown to IT staff, as smart devices are seldom managed as carefully as their traditional IT counterparts.
IoT explained
Simply put, the IoT is a system in which devices and sensors are interconnected for the collection and exchanging of important data. IoT devices connect to the Internet through a variety of networks, such as Wi-Fi, cellular, Bluetooth and Zigbee. Additionally, these devices can also use Google Home, Amazon Echo and other such gateways for Internet connectivity.
The wide variety of IoT devices includes simple sensors for detecting and monitoring temperature, motion, sound, light, gasses and other factors, as well as complex devices including smart thermostats and even cars. The data collected by IoT devices can be used to monitor and control the devices, as well as to track and manage the data collected by the devices.
Turning our focus to the industrial uses of IoT; we enter a category of these devices called Operational Technology (OT). This more business-focused category of IoT, refers to the hardware and software used to identify, monitor and control physical devices, processes and events in an organisation.
An early adopter of OT is the agricultural industry, which has enthusiastically embraced it. Connected devices are widely used for the real-time monitoring of sunlight levels, soil moisture, humidity, temperature and other factors affecting crop health. This data is then used to automate irrigation along with other farming operations. Similarly, both local and national governments employ a wide variety of smart devices in monitoring energy usage and water and air quality.
What are the security issues for IoT and OT?
One of the main issues with IoT devices is the lack of awareness that IT organisations have over their estate – this primarily applies to IoT and not so much to OT devices. The reason for this is that OT devices usually cost a lot of money and actually control the business functions that a company uses to do business; such as the CNC machine tools used by an industrial manufacturer. IoT devices on the other hand suffer from ‘device sprawl’, whereby it’s easy for relatively cheap devices to be deployed to office buildings, the majority of which just use Wi-Fi for connections.
This lack of awareness means that these devices are not part of the corporate patching and firmware updating processes. In particular, this failure to routinely update firmware has thus far been quite an issue.
Data breaches, cyberattacks and privacy issues are often the result of IoT devices being compromised. Once a vulnerable IoT device has been breached, bad actors can often move laterally within a company’s network, depending on the network’s architecture and the device’s type of connection.
More worryingly, we’re now seeing IoT devices falling victim to command-and-control (C2) attacks. It was recently determined that Trickbot, a malware that previously targeted computers and IT systems, is now affecting IoT devices. Trickbot has compromised IoT devices and then used those devices to attempt lateral movement and gaining access to the target network with more critical data.
As if this wasn’t enough, the growing adoption of OT in many industries – and manufacturing in particular – presents bad actors with a potential opportunity to conduct cyber-kinetic attacks in which their attack in cyberspace impacts the physical word. For instance, by preventing a centrifuge from automatically slowing down at a set point, an attacker could cause the centrifuge to continue spinning until it breaks down which could injure nearby workers.
The potential for such attacks to disrupt or even shut down business operations is real. To ensure adequate protections against these attacks, it is important to first understand the most significant issues that put IoT and OT systems at risk:
- Lack of visibility
The old saying; ‘you can’t protect what you can’t see’ is just as applicable to IoT and OT as it is to other IT environments. Unfortunately, many companies lack the necessary instrumentation to discover all of their IoT assets and gain visibility into their entire IoT estates.
- Poor patch management
Most of the standard device management toolsets like Microsoft’s Configuration Manager are not capable of patching IoT devices. Even when organisations account for the IoT devices in their environment, they don’t always manage them appropriately.
- Insecure software and firmware
It is an unfortunate truth that IoT and OT devices often have inherent software and firmware vulnerabilities, despite the hard work of the staff administering the systems. There are frequent reports online showing insecure devices being sold with known vulnerabilities years after they are detected.
- Account and password mismanagement
The failure to properly manage accounts and passwords remains a critical issue. Thousands of security cameras used by numerous organisations were breached after an administrator’s account credentials were posted on the Internet.
- Weak and inconsistent monitoring
Effectively using SIEM and other cybersecurity tools to properly monitor IoT and OT devices and reliably detect threats has been extremely hard. This often results in these devices being monitored by a secondary system, or manually checked, or sometimes not monitored at all.
Though the threats are real and the issues limiting effective security challenging, the value of IoT and OT are too great to ignore.
Fortunately, properly securing IoT and OT devices is fairly straightforward. It starts at deployment when devices should be correctly configured. Promptly installing patches is also key as is practicing good cyber hygiene at all times. Additionally, maintaining an up-to-date inventory of all IoT and OT devices is essential. Without such an inventory – which should include relevant information about all these assets – companies won’t have the visibility to protect these devices.