Wayne Rash has been writing technical articles about computers and networking since the mid-1970s. He is a former columnist for Byte Magazine, a former Editor of InternetWeek, and currently performs technical reviews of networking, wireless, and data center products. He is the former Director of Network Integration for American Management Systems and is one of the founders of the Advanced Network Computing Laboratory at the University of Hawaii. He is based in Washington, DC, and can be reached at wayne@waynerash.com.

Introduction

Nearly every organization has network-connected devices that must be made secure to protect the organization and to protect the network. However, this protection goes beyond just keeping malware away, it also includes protecting your intellectual property, securing your operations, and preventing against risk to others.

The level of risk to others became obvious in October of 2016 with two massive distributed denial of service (DDoS) attacks that used network-connected devices, or the Internet of Things (IoT), as the delivery mechanism. One of those DDoS attacks effectively took out major providers on the Internet.

There are steps you can take to protect your organization, and steps you can take to make sure your devices are secure in the first place. But the risk from the IoT goes beyond just devices on your networks, because of the millions of unsecured devices elsewhere on the Net, you must also protect your network from attacks beyond your direct control.

The Internet of Things and what it means

By now you’ve heard of the Internet of Things, probably in several contexts. Depending on where you’ve heard about the IoT, you might think of it as anything from a connected home to a medical device. In reality, the definition of the IoT is so broad that it contains billions of devices, and according to an estimate by Cisco Systems[1], will produce nearly half of all Internet traffic by 2020.

When you consider that much of the network traffic from IoT devices in corporations never reaches the Internet, the actual volume of traffic, and the importance, from these devices is significant. But perhaps more serious, because the vast majority of IoT devices with access to the Internet are consumer devices with minimal if any security, nearly all IoT traffic is not secure in any way. An example are millions of consumer webcams and security cameras currently installed in China and Vietnam that have fixed passwords that cannot be changed, or have no passwords at all. These devices were the primary generators of traffic for the distributed denial of service attacks against DynDNS[2] that caused a number of commercial Internet sites to go offline in October, 2016.

What is a Thing, Anyway?

Before considering security on the Internet of Things, it’s important to nail down what constitutes a “Thing.” In some ways, the definition that’s most broad is also the best. A “Thing” is any device connected to your network that’s not a computer (including desktop and notebook computers, as well as mobile devices such as phones and tablets) or infrastructure (such as network switches and wireless access points).

In a corporate environment the most common network devices are probably printers. Printer exploits are very common and they’re hard to spot. Some types of newer printers are designed to connect to the Internet so they can support remote printing or even automatically order supplies. But even older printers, especially the more common models, can be exploited to support malware.

Manufacturing companies have additional vulnerabilities in the form of numerically controlled machines, as well as machines with specialized industrial controllers that are operated using an attached or networked PC. Such controllers are extremely vulnerable because they’re frequently attached to Windows computers that serve as a malware host on the way to infecting the controller itself.

To illustrate just how serious the risk is to industrial controllers, it’s worth noting that the first well-known infection of an industrial controller came when the existence of the Stuxnet malware became known. The original malware was aimed at Siemens Step 7 industrial controllers, but once that malware was found on the open internet, variants were then aimed at other controllers. In addition, Stuxnet-based and Stuxnet precursor-based malware has become sufficiently widespread that the United Nations has requested help from security researchers to combat it.[3]

But the risk to industrial devices goes far beyond machine controllers. Warehousing equipment ranging from automated forklifts and other handling devices to bar code readers are also vulnerable. Likewise, network attached security systems, HVAC systems and even smart televisions in conference rooms are an open invitation for malware attacks or data exfiltration. The challenge for companies with such vulnerabilities is that the network-attached devices weren’t designed with security in mind. In some cases, such as with numerically controlled machines, the devices themselves may not have the resources to support a malware infection. In other cases, however, the malware infection can be passed along by the control computer, which likely hasn’t seen an update since the day it was installed.

There are several reasons for these control computers to be behind on updates. In many cases it may not be obvious that they’re running Microsoft Windows or some other common operating systems. In others, the computer isn’t connected to the greater corporate network, and isn’t considered at risk. And, of course, the device may not be on the update list that’s managed by the IT department since it’s manufacturing equipment.

Other types of networked equipment may have other vulnerabilities, and other points where malware can make its way into the network. Network-attached medical equipment, which frequently uses an unsecured WiFi network is a major vulnerability, both for the equipment itself and as a pathway into the corporate network at large. Wireless security cameras frequently are protected only by a password, which in many cases remains at the default setting that came from the factory.

Fortunately, getting secure devices is possible as the companies that sell them start adding security to the overall package. This may mean doing away with default passwords, supporting encrypted WiFi, or allowing security software to be installed on the machine control computers. But for existing implementations, retrofitting security protection software on to the actual device may not be possible.

Because the security of IoT devices is only now being taken seriously, that means the vast majority of existing installations isn’t secure, and it’s going to require that the company using the equipment begin the process of determining the risk, and then finding solutions.

The Nature of the IoT Risk

There are three basic reasons for attacking a device on the Internet of Things. The first is to gather information about your company or about your business partners. This is a primary reason for printer malware, for example, so that a copy of whatever you’re printing gets sent to someone else while you’re printing it. A similar vulnerability exists for network attached fax servers. This same reason is frequently behind malware infections of warehouse and inventory equipment.

The second is to interrupt or interfere with your manufacturing or production process. This was the reason behind Stuxnet, and just because you’re not running uranium centrifuges, that doesn’t mean someone won’t try to interfere with your production. Likewise it doesn’t matter that you may not be running a manufacturing operation - a company producing music videos or some other type of intellectual property is also vulnerable to attack.

The third and fastest growing reason for attacking the Things on your network is to set up a base for further attacks. This may mean using your printers to hold the software required to launch a denial of service attack. Your devices can also be used as a harbor for spreading malware to the computers elsewhere on your network. Or, in a growing method of attack, those devices can host the software required to further a ransomware attack that will either deny you access to key data, or perhaps worse, deny access to the devices on the network that you need to run your business. Imagine the impact of suddenly not being able to use your manufacturing equipment, for example.

Recently, devices on the IoT have been leveraged in a new way, which is to conduct denial of service attacks on websites. So far the series of attacks does not appear to be part of a ransomware plot, but rather for other reasons. The attack on Krebs was reportedly retribution for exposing a group of Israeli hackers, while a later larger attack on DynDNS appears to be practice for something even worse.

IoT attacks on companies rarely come from informal hackers and hobbyists. Instead, the organizations that may attack your company are more likely members of organized crime groups. They may want your money, so they may launch a ransomware attack, but they may also want to use your company to attack a business partner. Or your company may be attacked by a nation-state looking to steal intellectual property or you may be the next step before the attackers go after another company that is the real target.

Perhaps the best examples of IoT based attacks happened in September 2016 when security researcher Brian Krebs, who writes the blog, “Krebs on Security” was attacked in the largest DDoS event ever recorded at that time.[4] That attack was carried out by a malware infected network of over one million IoT devices, most of which were network-attached video cameras. An unnamed hacker group used a type of malware that scans the Internet for unprotected IoT devices, and then infects them.

In October 2016 an even larger IoT-based attack on DynDNS prevented large commercial sites including Amazon and Twitter among others to go offline when they lost their connection to domain name services. The DynDNS attack was similar to the attack on Krebs, but it was much more widespread, and contained an estimated one million video cameras, video recorders and even baby monitors in Vietnam.[5]

As bad as these attacks were, they are only the beginning. Security researchers at Symantec and Kaspersky are reporting probes on vulnerable sites that resemble those that preceded the attacks on Krebs and DynDNS. Now that the attackers know that they can leverage those millions of devices effectively, the only question is when the next attack will take place and what site will be attacked.

Types of Protection

Network devices are at least as much of a risk to your network security as any other device, but they’re less likely to be secure. Partly that’s because such devices don’t have a screen and keyboard, which makes their security less obvious to most users. That’s made worse because many IoT devices are designed to be simply plugged into the network to operate, meaning simple security steps such as creating a user name and password aren’t necessary.

Exacerbating the situation with IoT security is the fact that security for most devices is minimal in their default configurations. In addition to having well-known default user and password settings, many such devices can’t make use of current network security standards such as strong encryption, and very few can interoperate with network security services. This means that they may not be able to issue an alert if they’re tampered with.

Making matters worse, many older network devices may have no provision for security at all. Anyone who can reach them on the network can collect information or even send them commands.

Because of the poor or non-existent security on network or IoT devices, most security needs to happen outside of the device. There are a few steps to consider.

1. Make sure that IoT devices that cannot be secured are on a network that has no connection to the Internet at large. This will help keep those devices from being compromised, but remember that this so-called “air gap” is no assurance. The Stuxnet attack was carried out against an air-gapped network through the casual distribution of USB flash drives.
2. Where the capability exists, change the user name and password on every network device on your network. If possible, also change the device name so that it’s not obvious what type of device it is, and turn on security measures such as advanced encryption.
3. For devices with computer-based controllers, make certain that you find out what underlying operating system is on the controller, and make sure it stays updated. You’ll find that most of these devices are either a version of Windows or Linux that’s unpatched and vulnerable.
4. Monitor the network activity of the IoT devices so that you can tell whether you’re seeing traffic that includes exfiltrated information, or whether your devices are taking part in a DDoS.
5. Where possible, make sure your intrusion detection or intrusion prevention systems are aware of your IoT devices and are set to monitor their activity.
6. Consider replacing any network devices that can’t be secured, or if you’re acquiring such devices, that they meet the same security standards as any other devices, such as workstations and servers, on your network.

Determining the Risk and Exposure

Very few IoT devices, except for those that are controlled through an attached computer, have any built-in malware monitoring functions. Likewise, because of their limited resources, anti-malware software is virtually non-existent.

For network devices with computer-based controllers, however, the computer can be monitored, and it can run anti-intrusion and anti-malware software in the same manner as any other computer. The problem there is more related to finding a means of installing such security measures. In many cases those computers may be running embedded versions of those operating systems, meaning that installing protective software may be difficult.

Where possible, the best choice is to contact the device manufacturer and ask for help with software updates. However, for those controllers that are simply running Windows or Linux on a dedicated workstation, the only limit to updating the machines may be the application that’s controlling your devices. In that case, request updated software from the device manufacturer, and then update Windows or Linux normally.

Unfortunately, it may be difficult to tell if your devices are infected by malware, but that doesn’t mean it’s impossible. One way to tell is to monitor the network traffic generated by the device and see what the nature of the traffic is, and where it’s going. If the destination of the network traffic is anywhere outside of your network, then you need to capture the destination address and find out where that is.

You will also need to sample the output of the device to tell what’s being sent. For example, if a video camera is sending connection requests to an outside source, your camera may be participating in a DDoS. On the other hand, if the camera is sending video traffic to somewhere outside, it may have been compromised to reveal information about your organization.

For most devices without permanent storage a simple means of eliminating malware is to power them down completely. If the malware was simply stored in memory, then it will be gone. However, once you do that, you must also change the device settings as described above.

Reducing the Risk through Network Design and Configuration

A key to protecting your network devices is appropriate network design, and proper configuration of the network infrastructure supporting those devices. Proper network design means placing otherwise vulnerable devices on internally segmented networks so that they cannot even be seen by any unauthorized end point. To accomplish that, your network will need to include internal firewalls configured to exclude any unauthorized connection.

In addition, those network or IoT devices must be configured to encrypt their network traffic and where possible to communicate using a VPN (virtual private network). Network routers can be configured so that traffic from those devices can only go to one specific destination. If your devices can make use of network directory services, then those services can also be configured to allow only specific users to connect to the devices, and to allow the devices to communicate with only specific destinations.

It's worth noting that if your network cannot be secured in some way, then consider eliminating the device from your network. This may be difficult in some cases, especially in the case of some medical equipment or some manufacturing equipment, but it may be helpful to contact the manufacturer of the device to see if updates are available. You may find that securing a device may require replacing the controllers, but considering the potential cost of being breached through your devices, it’s likely worth it.

Planning for Secure Things

The best solution to a secure IoT implantation is to design for security from the beginning. This may be possible during a major plant refurbishment or during a major network upgrade. However, if the nature of the risk encountered by your organization has changed significantly, it’s likely worth the investment to replace your IoT infrastructure.

When you’re updating your networked devices, planning for security from the beginning works best. This means specifying security standards that all devices must meet before they can be purchased or leased, designing and configuring your network so that it’s able to support appropriate levels of security through segmentation, encryption and the like. It also means eliminating devices that are vulnerable.

These vulnerabilities frequently exist in places where networked devices exist outside of the data center and factory floor. A good example of such vulnerable devices are security cameras on the outside of a building, card and biometric readers and in some cases HVAC systems. If those devices can’t be made secure, then it may be necessary to select a different technology, to harden the physical and network connections, or to implement alerts and alarms to disclose tampering.

Finally, it’s important to institute a plan for staying abreast of changes in the security landscape. Security intelligence reports are available from a variety of sources including security firms such as Symantec and Kaspersky Lab, and to stay abreast of security announcements from your network provider and from official sources including the FBI and the Department of Homeland Security.

Conclusion

Network-connected devices, which comprise the Internet of Things, are both necessary to your organization’s operations and they are perhaps its biggest security risk. Those devices are your printers, your automated manufacturing equipment, inventory equipment, even your fax machines, HVAC system and your light bulbs.

These devices are frequently insecure, sometimes unable to be made secure, and protecting them – and thus your network – requires careful design and thoughtful security. The security of those “Things” can usually be retrofitted, but a better solution is to procure secure devices in the first place, and then design your network so that it enhances that security. It is possible to provide the necessary security to your network devices, but more important, it’s economically and operationally necessary.

End Notes:

1. Cisco Press Release 6/7/2016 https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1771211
2. https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
3. IEEE Spectrum 2/26/2013 http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
4. Krebs on Security Hit With Record DDoS 9/20/2016 http://krebsonsecurity.com/
5. DDoS on Dyn Impacts Twitter, Spotify, Reddit 10/16.2016 https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/