As the world becomes reliant on 5G and on the IoT devices that help make up the network, organizations using this promising infrastructure will be largely dependent on the manufacturers of the infrastructure to provide security. Even the most sophisticated cybersecurity teams will struggle to manage risk in a 5G and IoT world.
There are practical steps you can start taking now.
1. Implement a True Supply Chain Security Program
Know Your Vendors
The first step in supply chain security is simply understanding your organization’s supply chain. Generate an inventory of all the devices you have, and work with procurement to understand more about each device and its own unique supply chain.
Leverage Your Buying Power
Insist on adding language to contracts that allows you to conduct independent security testing of every device and corresponding security updates. In addition, establish channels with vendors to report your findings.
Especially in critical infrastructure environments, every device should be thoroughly tested before deployment, and more importantly, the firmware should be analyzed using automated analysis software. Vulnerability testing of most devices will report back a list of possible defects. Firmware testing goes far beyond that and provides a deep understanding of how secure the software and firmware actually are. While comprehensive firmware analysis was infeasible a few years ago, the technology now exists.
Because of the unique nature of IoT devices, an inordinate amount of the work required to provide security is focused on visibility – that is, understanding exactly what devices are on your network and how they are configured.
With traditional IT devices, this visibility task is accomplished primarily by deploying agents inside all of your IT assets. With this inside view of the endpoints, the agents can accurately report back about OS information, installed software, patch levels, running services, etc.
Due to the black box nature of IoT devices, this approach simply doesn’t translate. While security teams can easily monitor the behaviors of all the devices through their network traffic, they don’t have the luxury of looking inside.
Practice Continuous, Passive Scanning
Find a way to passively monitor your network in real time rather than running periodic scans. By performing passive network traffic analytics, you can see every device that joins your network and know exactly where it is, without the risk of disrupting the devices themselves.
IoT devices complicate IT security and risk management. Organizations often lack a clear understanding of the actual numbers – and types – of IoT devices within their enterprise, and of their vulnerabilities as a vector into the network for cyber attacks. Even once IoT devices are accounted for, some may already have been compromised by an attacker.
As with other areas of cybersecurity, organizations should be using a risk management-based approach toward IoT security, and apply layers of controls that include proper cybersecurity protocols. But if you don’t know what is on your network, or the vulnerabilities inside those network nodes, securing your enterprise becomes a significant challenge.
Proper IoT security needs to incorporate both digital and physical characteristics of each device, including:
- Data collected by each device
- Network interfaces (Ethernet, WiFi, Bluetooth, Zigbee, Z-Wave, etc.)
- Exposure to the internet
- Physical location in your facility (e.g. in the boardroom vs. in a closet)
- Physical interfaces and actuators
- Software vulnerabilities
- Library vulnerabilities
- Configuration vulnerabilities
- Default credentials
Ascertaining all this information is daunting and resource draining without the proper solution. Look for a partner with a robust model for IoT risk that leverages firmware analytics to map IoT device details into your risk models.
One effective approach to detecting attacks is to conduct behavioral analysis of as many of the IoT devices on your network as possible. For example, our approach is to continuously monitor the devices on our customer networks and use machine learning algorithms to compare each device against baseline models for that device, its firmware, and its category. Because of the unprecedented visibility into networks and the accurate inventory (something we call “device intelligence”), we can quickly detect behaviors that are indicative of an attack, and do so without overwhelming security teams with false positives.
The following example illustrates the utility of this device intelligence approach:
SSH traffic is prevalent on most enterprise networks. It is used to manage servers and enable remote login capabilities for numerous products. There is nothing inherently malicious about SSH. However, if we know that SSH traffic is originating from an IoT device (such as a security camera) and terminating at another device on your network, there is a major problem. IoT devices should never be ‘logging in’ to other endpoints on your network. It’s crucial to be able to immediately identify these behaviors and be alerted in time to respond to the ongoing attack.
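The rule described above, written out as a small detection over flow records. This is an added illustration, not code from the original post or from the vendor’s product; the inventory, the network range and the flow records are all constructed for the example, and the `iot/` class prefix is a hypothetical convention.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data; nothing here comes from a real network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical "device intelligence" inventory: address -> device class.
# In practice this would be built from passive discovery, not typed by hand.
INVENTORY = {
    "10.0.1.10": "iot/camera",
    "10.0.1.11": "iot/thermostat",
    "10.0.2.5": "server",
    "10.0.3.7": "workstation",
}

# One network flow record: who connected to whom, on which TCP port.
Flow = namedtuple("Flow", "src dst dport")

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def is_iot(ip):
    # Unknown addresses are not treated as IoT (they would get their own rule).
    return INVENTORY.get(ip, "unknown").startswith("iot/")

def iot_ssh_alerts(flows):
    """Flows in which an IoT device initiates SSH (tcp/22) to another endpoint
    on the internal network. SSH *to* an IoT device (normal administration)
    and SSH between servers and workstations are not flagged."""
    return [f for f in flows
            if f.dport == 22 and is_iot(f.src)
            and is_internal(f.dst) and f.src != f.dst]

# Constructed flow records, annotated with the verdict each should get.
SAMPLE_FLOWS = [
    Flow("10.0.3.7", "10.0.1.10", 22),     # workstation -> camera: expected
    Flow("10.0.3.7", "10.0.2.5", 22),      # workstation -> server: expected
    Flow("10.0.1.10", "10.0.2.5", 22),     # camera -> server: alert
    Flow("10.0.1.10", "10.0.1.11", 22),    # camera -> thermostat: alert
    Flow("10.0.1.11", "10.0.2.5", 443),    # thermostat HTTPS: not SSH
    Flow("10.0.1.10", "203.0.113.9", 22),  # camera -> external: needs its own rule
]

if __name__ == "__main__":
    for a in iot_ssh_alerts(SAMPLE_FLOWS):
        print(f"ALERT: {INVENTORY[a.src]} at {a.src} opened SSH to {a.dst}")
```

Without the inventory the third and fourth flows look identical to the first two; the device class is what turns ordinary SSH into a high-confidence alert.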
One of the biggest advantages attackers have when it comes to IoT is that, even in the rare cases that they or their IoT malware is detected, there is no way to conduct a forensic analysis of the device.
Since organizations can’t install forensics software on an embedded IoT device – and lack the tools to collect and analyze IoT files, look at running processes, or capture memory – very little understanding of the threat can be gained. You should consider performing threat hunting operations within your networks that include the ability to:
- Leverage some form of device intelligence to understand what the devices on your network should be doing and track historical network activity for every device to enable post-incident network forensics;
- Monitor for indicators of compromise using traffic analysis;
- Find a solution that allows you to look inside IoT firmware the same way you would look at other endpoints on your network;
- Leverage a firmware database to detect deviations from baseline firmware images – allowing identification of installed malware; and
- Make sure your solution integrates with a NAC that enables per-device control and isolation while investigating compromise.
We’d love to talk to you about your supply chain security concerns, and how you can consider and mitigate risks both before and after device deployment. Contact us for more information.