Prior to the year 2010, my only experiences with viruses and malware had been limited to software affecting workstations, and at worst, an infected server. Though very serious issues from a business perspective, there was never any risk of physical damage or personal harm as a result of a malware infection in that environment, at least in my prior role in IT systems support for one of the larger health insurance companies. However, I had just accepted a role that same year as IT Service Manager for a process control and engineering company. My immediate tasks walking in the door were to 1. upgrade, consolidate and virtualize our existing internal infrastructure, 2. address all outstanding IT issues on client sites and 3. develop the junior IT engineers. No problem, I thought. Nothing I haven’t done before.
I quickly learned in this role that IT security is a much higher stakes game depending on the industry. My new clients were pharmaceutical production plants, cigarette and tobacco factories, plastics and synthetics production facilities, what was commonly referred to then as the “smokestack” industry. Very different businesses, but they all had one thing in common. They all used very delicate processes and connected highly specialized and configurable machines, valves, and gadgets to their industrial networks to automate production. Even the learning curve associated with such an industry change would not have been a problem. But this particular industry had its own set of issues.
The Stuxnet worm, first discovered in 2010 and believed to have been weaponized against Iran’s nuclear program in a joint effort by the United States and Israel, was dominating the IT security headlines at the time. The worm had reportedly ruined almost 20% of Iran’s nuclear centrifuges by infecting them with malware that would cause them to burn themselves out. All of our clients understood the possible applications and implications in their own respective operations, and the race was on to deploy the Windows patches and recommended network security measures before anybody was targeted. It didn’t help that around this same time everyone was in a panic over rumors that threat actors were able to remotely access HP printers and execute malware that would make the motor run so fast that it would catch fire right in the office. I literally walked right into the middle of this “the sky is falling” scenario, and the required simultaneous, rapid remediation for several clients was my initiation into the Internet of Things, or IoT, and more specifically, IoT security.
What Is the Internet of Things?
The Internet of Things, or IoT, could not have been better named, as it describes all the nonstandard devices now connecting to the internet and sharing data. X-Box consoles, smart refrigerators, thermostats, lighting, security systems, and even driverless vehicles are all part of the IoT. There are also more specialized subsets, like the Industrial Internet of Things (IIoT) or what is sometimes referred to as Operational Technology (OT), which uses a combination of sensors, gadgets, wireless networks, big data, AI and analytics to measure and optimize industrial processes (think “smokestack”). My first real experience with IoT security was in this industry.
Another place where the IoT has become most pervasive is the home. Tablets, mobile phones, laptops, printers, TVs, gaming systems, home security cameras, thermostats, lighting systems, refrigerators... the average smart home has more connected devices than the average small office. This has brought a world of convenience to the end consumer. Being able to remotely control the temperature in the home or access security cameras from our phones takes convenience and control to a new level. The problem is that the average consumer is the least aware from a cyber security perspective. The average household in the U.S. has 10 connected devices, and households with four or more people average 19 devices per household. With each connection being a potential vulnerability, you can see how this quickly creates the potential for other issues. In fact, it was very recently reported that a worldwide hacking organization offered access to over 50,000 hacked home security cameras for a $150 subscription fee. Rarely do we stop to think that the very device in which we invest to ensure our security at home is potentially the device through which all privacy is lost.
Then there’s the Internet of Medical Things (IoMT). This IoT subset will most directly impact us all, mostly for the better. These devices collect and transmit data via the internet to healthcare providers, allowing them to monitor a patient’s health remotely and react quickly to issues when they happen. Wireless expansion and IoMT devices now allow patients to wear medical monitoring and communications devices, like smart watches that monitor heart rates and track movement or contact lenses that read glucose levels. Or in the home, recently discharged patients or those managing chronic diseases can be remotely monitored for changes in condition. This is also exploding in the commercial space, with the Apple iWatch 6 being a virtual clinic on the wrist, even boasting fall technology that automatically dials 911 in the case of a fall. Still more devices are being brought online every day in the quest to expedite and improve the quality of healthcare service delivery. Sounds great, right? But not so fast. It all comes at a cost.
Implementing an IoT Security Plan
The IoT was designed with productivity, automation and process optimization in mind. Security, however, was an afterthought. This being the case, most IoT devices have no native security features. On the IIoT side this leaves those same process-oriented industries, and possibly the people in close proximity, vulnerable to potentially dangerous interference from malicious actors.
Data security is especially important in the healthcare industry, with vital information being transferred via wearable technology and other remote monitoring and diagnostic devices. The consequences of data being compromised are one thing, but if a patient’s medical data is tampered with, the consequences could be grave. You would think that security would be top of mind for medical device manufacturers. Reportedly, 98% of IoMT devices are transmitting unencrypted personal health information across the network, and 83% of medical imaging devices are running on outdated, end-of-life systems. A security audit conducted a few years ago found over 8600 flaws in pacemaker software, some of them with potentially deadly consequences. Security teams have been left out of the design process of these and most similar devices. Couple this with an overall lack of security awareness throughout most healthcare organizations, and the healthcare industry has become a virtual duck hunt. And it shows in the number of breaches in healthcare relative to other industries. Add to that the fact that today’s homes are hotbeds of high connectivity and low security awareness, which also makes them low-hanging fruit for cyber criminals. So what can be done about it?
The following steps can and should be immediately taken to mitigate risks associated with IoT devices. They are not a complete solution, but should be a baseline from which to establish a complete security framework for your IoT devices.
- Discover all IoT devices on your network – complete discovery of all connected devices is essential to the development of any organization’s security posture. This discovery should also include scans for existing vulnerabilities and viruses.
- Patch and update firmware on all servers, peripherals, and patchable IoT devices – once patches and firmware updates are released, cybercriminals are aware of the vulnerabilities. Test and deploy updates and patches as soon as they are released to mitigate risk of exploit.
- Enforce strong password policies on all IoT devices – on many IoT devices this may be the only security feature you have. Use a strong password, change it regularly and NEVER leave it at the default.
- Segment IoT devices from IT devices – use network segmentation (VLANs) to mitigate risk of lateral movement and network propagation from an IoT device to critical network components.
- Enable active monitoring, detection, and response – determine baselines, actively monitor devices, applications and traffic, and collect and analyze logs to quickly discover and respond to any anomalies or incidents before they impact your organization.
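The checklist above can be turned into a repeatable audit. The following Python script is an added example, not code from the original post: it applies the default-credential, firmware, segmentation and baseline-traffic checks to a constructed device inventory (all device names, VLAN numbers, versions and traffic figures are made-up sample data), so the findings can feed a remediation ticket queue.

```python
"""Baseline IoT inventory audit (added example, not from the original post).

Applies the post's checklist to a constructed device inventory: flags
devices still on factory credentials, firmware behind the vendor's latest
release, IoT devices sharing a VLAN with IT assets, and outbound traffic
that has grown well past the baseline recorded during discovery.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    kind: str              # "iot" or "it"
    vlan: int
    firmware: tuple        # installed version, e.g. (2, 1, 0)
    latest: tuple          # newest version published by the vendor
    default_creds: bool    # still using the factory password?
    baseline_kbps: float   # normal outbound rate measured at discovery
    observed_kbps: float   # current outbound rate from monitoring


# Constructed inventory for a small plant network (sample data only).
INVENTORY = [
    Device("plc-line1", "iot", 10, (2, 1, 0), (2, 3, 0), False, 50.0, 55.0),
    Device("cam-lobby", "iot", 20, (1, 0, 4), (1, 0, 4), True, 800.0, 6400.0),
    Device("hvac-ctrl", "iot", 20, (3, 2, 0), (3, 2, 0), False, 20.0, 21.0),
    Device("file-srv", "it", 20, (5, 0, 0), (5, 0, 0), False, 2000.0, 2100.0),
]


def audit(devices, anomaly_factor=3.0):
    """Return sorted (device, finding) pairs for every checklist violation."""
    findings = []
    it_vlans = {d.vlan for d in devices if d.kind == "it"}
    for d in devices:
        if d.default_creds:
            findings.append((d.name, "default credentials"))
        if d.firmware < d.latest:          # tuple compare handles 2.3.0 > 2.1.0
            findings.append((d.name, "firmware outdated"))
        if d.kind == "iot" and d.vlan in it_vlans:
            findings.append((d.name, "shares VLAN with IT assets"))
        if d.observed_kbps > anomaly_factor * d.baseline_kbps:
            findings.append((d.name, "traffic exceeds baseline"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

The camera in the sample inventory trips three checks at once, which is the pattern this checklist is meant to surface: a default-password device on the IT VLAN that has started sending eight times its normal traffic.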
This is just a quick list of things to consider and account for, whether you are in the middle of a security initiative or just beginning to think about shoring up your organization’s network. Contact us if you need help working through the details and developing your IoT security plan. We’ll assess your network and take you from susceptible to secure.