Security Hygiene in the Internet of Things

October 2, 2015
|
co-authored by Ed Moyle
|
5 min read

Times are changing when it comes to keeping an organization’s digital assets secure. For decades, a significant part of accomplishing that goal has involved security hygiene activities — tasks like patching, system and activity monitoring, remaining vigilant about new vulnerabilities and malware, etc. Completing these activities in an efficient, reliable and timely fashion was the hallmark of a robust security posture — at least at the technical level.

The IoT Affects Security

Recently, an influx of new devices with computing and networking capabilities built in complicates what enterprises need to do in this arena. What some call the Internet of Things (IoT) is leading to expanding complexity when it comes to the routine security tasks that keep our organizations secured. For example, researchers are already discovering security issues in a range of devices not normally covered by traditional IT or OT security and risk mitigation activities. These include keyless entry mechanisms, automobiles, televisions, thermostats, appliances and any number of other devices that could, under the wrong circumstances, represent an area of potential risk to the organization.

Just like a PC, laptop or mobile device could represent a potential attack channel for an adversary, so, too, could any other device with computing capability and network connectivity. In other words, a misconfigured or vulnerable thermostat or smart TV could just as easily represent a pathway into an organization as a server or workstation.

From a practical standpoint, this means that, just like ensuring routine security-relevant activities are accomplished for the tried-and-true systems and components that have been in our technology ecosystem for years, new devices we might be less familiar with need to be accounted for, as well. As the technology matures and enterprises become used to dealing with these new devices, they will have processes in place to ensure they stay protected — and manufacturers will employ sophisticated methods to ensure the integrity and authenticity of updates. In the interim period, staff vigilance and forethought are required to make sure these things are done right.

Watch the on-demand webinar to learn more about securing the internet of things

Updates, Patches and Vulnerabilities

It’s important to recognize that pretty much any device can have vulnerabilities or security issues. Everyone knows from experience that general-purpose operating systems (OSs) and applications can periodically require updates and patching to mitigate security vulnerabilities that might arise, but it’s important to recognize that smart devices need this, too. If a vulnerability is found in a smart device that puts data or, in some cases, human health and safety at risk, action needs to be taken. However, actually taking that action can be significantly more complex with smart devices than with an OS or application. There are a few reasons why.

First, many times, management of smart devices isn’t owned by the same team that owns management tasks for IT and operations technologies. For example, if you have a vehicle fleet, is IT involved in vehicle purchases? Probably not, right? But in that case, who’s monitoring for vulnerabilities in the firmware of those automobiles? Who’s responsible for installing firmware updates to mitigate those vulnerabilities?

The same is likely equally true of other smart devices, whether they be televisions in conference rooms, thermostats, smoke detectors, etc. Oftentimes, less technically savvy teams bring in a smart device and, because they don’t realize that monitoring or updating may be required, there’s no one assigned to secure it.

Another area of complexity lies in the fact that there is relatively little standardization in the current mechanisms used to deliver firmware and other updates. The lack of standardization means that it’s hard for enterprises to know which devices have measures to ensure the integrity and authenticity of an update and which do not. Consider, for example, the recent case of a large auto manufacturer that issued a software update in response to a security vulnerability. This automaker employed a USB stick containing the update as the mechanism to install the update.

A methodology like this raises questions. How is integrity ensured? How does the organization know the USB stick it received contains the approved update and hasn’t been tampered with? Installing the approved update is obviously critical, but it’s also important to have assurance that it’s the correct update and not something that will further compromise the vehicle.

Building New Strategies

The point is, when it comes to keeping an organization’s digital assets protected, we’re in a transitional period: The processes that we have in place to ensure traditional IT assets (e.g., servers, workstations, etc.) stay protected don’t always address new devices. And since manufacturers are still figuring out the best models for the delivery of updates when required to assure integrity, it’ll probably take time before we can have full peace of mind with respect to manufacturer-issued updates. These things together mean that it may be useful for organizations to investigate specific security strategies for these devices.

1. Hold Someone Accountable

One strategy is to assign an owner for the upkeep of specific devices. This owner would be an individual or team tasked with monitoring for potential security weaknesses in one or more devices. If one was found, the owner would take point to ensure that patches get implemented. This accountable party could potentially be someone in IT, or someone outside of it so long as he or she has the ability and knowledge to flag potential issues and the internal connections or technical acumen to make sure those issues get addressed. Having a specific, assigned individual or group establishes accountability and ensures that everyone is clear about whose role it is to perform these tasks.

2. Maintain an Inventory

Of course, assigning an owner presupposes that the organization knows about specific devices in the first place. This is where another strategy — discovery and inventory-keeping — comes into play. The goal of this strategy is to locate, identify and retain information about smart devices in your organization. In addition to technical mechanisms that can help you accomplish this (i.e., vulnerability scanning, network monitoring, network access control and other technologies), you can consider procedural or manual methods, as well. For example, partnering with other areas of the organization can provide you with additional eyes and ears, potentially leading to further information about what devices are out there.

Organizations that have visibility into new purchases could be good candidates for this strategy, as could those who complete internal audits over large swaths of the organization. Likewise, educating business units directly about goals, challenges and needs can help inform them as to why they should let you know about these devices when they’re purchased. As you learn about them, keep a record in an asset management database. You’ll also be able to record who is the accountable owner for the device, where it is and what it’s used for.

3. Build Toward Integrity

Lastly, the issue of the integrity and authenticity of manufacturer updates is an important one, but one that you as the customer might have less control over if those goals are not directly facilitated by the manufacturer. That said, recognition of the possible issues in this area can provide some value in and of itself.

For example, it may help folks remain aware and vigilant when applying firmware or other updates, potentially leading them to notice if there’s something off during an update. Likewise, awareness of potential issues by customers may cause increased pressure on manufacturers to utilize update channels that leverage integrity protection features.

In short, keeping abreast of vulnerabilities in and updates for smart devices is vital. But it won’t just magically happen; it takes planning and forethought to make sure that important security tasks are performed to keep all organizational assets secured.

Diana Kelley
Executive Security Advisor, IBM Security

Diana Kelley is an internationally recognized information security expert, speaker, strategic advisor, market analyst and writer. She has over 20 years of IT...
read more