The Internet of Things is everywhere. Unfortunately, security does not come with it.
The way the IoT is mostly set up currently makes security very hard to achieve. The lack of attention to security is actually mind-boggling. However, it would be easy to secure the current infrastructure much better. Isolating systems is pretty easy, but proper monitoring to catch system misbehavior is also called for. Everyone should learn from telecoms and other industries that usually have things under control for the most part. To do that, security should be part of the basic requirements when building new systems.
Why is it then so hard to achieve security in IoT?
Jarno Niemelä from F-Secure Labs explains:
One of the fundamental reasons is that building IoT devices is so cheap. And it is largely done by start-ups who need to get the product out to the market fast and have no competence in security.
Even with bigger companies, security is not really a core competence or priority when designing new products. This is apparent for example in the case of the Wi-Fi Barbie that can be hacked.
When it comes to industrial IoT, the picture gets even more complicated. IoT is a rising trend in industrial automation, and one that is mostly driven by the desire to cut costs – after all, PCs are cheaper than dedicated controllers and IoT controllers are cheaper still than PCs. Communication via the Internet is also a cost-effective solution. There are already several real-life examples of industrial IoT security nightmares.
Why is the critical infrastructure in such bad shape? Jarno continues:
It all boils down to money – security is expensive. Often, the customer does not include security requirements in their RFP, and, in order to win the deal, the supplier will ignore all security.
Another point is the way control systems are built. Uptime is the main criterion, and anything, such as security, that could compromise uptime is seen as an inhibitor. Security people also do not always understand the critical infrastructure, as these are often custom-built and complex.
Here is a list from Jarno on what IoT manufacturers should do:
- Secure OTA updates
  - Sign and verify the update packets
- Use TLS for all communications
  - Pin to root certificate
- Set random default passwords
  - Preferably use two-factor authentication with phone or PC software
- Use certificates and public key cryptography
- Close all services that are not needed
  - SSH may be needed for development, not in release build
- Follow the security status of every 3rd party library
  - It does not matter whether the vulnerability is in your code or library
In addition, it is important to isolate each component from each other.
What about the IoT customer then? Is there something you should do in case you are using IoT purchased from IoT suppliers?
- Audit all devices that you have in use
  - At least run an nmap over all interfaces
  - If a device is a client, it should not have open ports
- Pressure the manufacturer into improving security
  - If you find something, report it
  - If someone else reports something, contact the vendor
- If the vendor issues updates, install them
  - What is common with a PC, router, and copier?
  - All of them must have patches installed
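One way to turn the audit advice above into a repeatable check, as an added example that is not from Jarno's presentation: the script parses nmap's grepable output (`nmap -oG`) and flags client devices that listen on anything. The inventory, addresses and sample scan output are constructed; going slightly beyond the list, it also allows an expected-port set for non-client devices and reports hosts missing from the inventory.

```python
import re

# Constructed sample of `nmap -oG -` (grepable) output; hosts and ports are invented.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (thermostat)\tStatus: Up\n"
    "Host: 192.0.2.10 (thermostat)\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, "
    "8080/open/tcp//http-proxy///\tIgnored State: filtered (997)\n"
    "Host: 192.0.2.20 (gateway)\tPorts: 443/open/tcp//https///\n"
    "Host: 192.0.2.30 (sensor)\tPorts: 23/closed/tcp//telnet///\n"
    "Host: 192.0.2.99 ()\tPorts: 80/open/tcp//http///\n"
)

# Hypothetical inventory: device IP -> ports it is expected to listen on.
# A pure client device gets an empty set, i.e. no open ports at all.
INVENTORY = {"192.0.2.10": set(), "192.0.2.20": {443}, "192.0.2.30": set()}

PORTS_LINE = re.compile(r"^Host: (\S+) \(.*?\)\s+Ports: (.*?)(?:\t|$)")

def parse_open_ports(gnmap_text):
    """Return {ip: [open port numbers]} for every host that has a Ports line."""
    hosts = {}
    for line in gnmap_text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, ports_field = m.groups()
        open_ports = hosts.setdefault(ip, [])
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[0].isdigit() and fields[1] == "open":
                open_ports.append(int(fields[0]))
    return hosts

def audit(gnmap_text, inventory):
    """List (ip, reason, ports) for unknown devices and unexpected listeners."""
    findings = []
    for ip, open_ports in sorted(parse_open_ports(gnmap_text).items()):
        if ip not in inventory:
            findings.append((ip, "not in inventory", sorted(open_ports)))
            continue
        unexpected = sorted(p for p in open_ports if p not in inventory[ip])
        if unexpected:
            findings.append((ip, "unexpected open ports", unexpected))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GNMAP, INVENTORY):
        print(finding)
```

Running the same check after every firmware update shows whether a release build has reopened a development service such as SSH.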
Even for the customer, isolating IoT devices is good practice in protecting the IoT and industrial automation, as most manufacturing cyber-attacks are done over corporate IT. For example, an explosion in a German steel mill started as an email attack, and continued as lateral movement to the furnace. The infamous attack on the Ukrainian power grid also started from an attack on the office network and continued further to the critical infrastructure.
Even today, the most likely vector for an attack is a compromised corporate network. Therefore, make sure the corporate network is attack-resistant. You can find instructions on securing your network in our cyber security webinar “Defending networks”.
The blog post is based on a presentation Jarno gave at the Security 2016 conference in the Czech Republic.