#Infosec17: Forget What You Think You Know About IoT Security

In his talk, “Hacking the IoT: Driving Security When Everything is Connected,” he noted that everything from Fitbits and Amazon Echo to sensors embedded at retail stores to improve the shopping experience represent a startlingly insecure window into the enterprise-and the sooner this is considered a given, the better.

“All IoT devices, be they consumer or industrial, have one thing in common: Very weak security,” he said. “Most are built on unmodified open-source systems with very little hardening, they usually rely on default passwords and user accounts, there is typically absolutely no attempt to patch devices even when vulnerabilities are out there for two or three years-and yet we blindly turn them on in our homes, offices and factory floors.”

A Tale of 3 Ineffective CISOs

Against this backdrop, CISOs typically take three main approaches, he noted-all of which head straight towards a data breach. He talked of one persona who “has a unique gift-whenever anything goes wrong she knows the solution-after the problem happens and bad results are realized.”

If a play goes wrong in a Patriots game, she can tell you exactly what Tom Brady should have done, and she would be right,” said Miller. “But she’s no head coach because she’s not predictive and can’t see a path to the future. She has a lot of growing to do as a CISO.”

Another typical “type” has great IoT awareness and knows the things that enterprises should watch out for, but in practice doesn’t (or can’t) mandate that the company holds itself to the right standard. Often, this CISO bows to pressure to bring in IoT devices that have never been vetted, because they help business processes along.

And the third type believes that he or she has it all figured out.

“It’s the equivalent of a macho guy who knows what he would do if someone jumped him on the street, even if he’s never taken a self-defense class,” Miller explained. “He’s never been in that situation, and when something bad happens, he realizes that he missed some preparations. Too many CISOs look at IoT and say, I’ve done all the prep I need to do. And ultimately they miss things and have not actually been organized around discrete methods and practices and deep plans for success.”

Rather than fall into any of these pitfalls, Miller counselled audience members to assume that they haven’t met the bar for IoT security best practices.

“Unless your organization has a fully rock-solid method for IDing every device and user, along with certificate-based authorization and the technology necessary to authenticate devices to connect wirelessly or by Blutooth, you should be concerned that you haven’t met the bar,” Miller said. “If you don’t know how or where the data from IoT devices and sensors is collected, transmitted, stored and archived, you must assume that it’s at risk and that you can’t guarantee that the data on the back end is authoritative with what you collected from the front systems.”

Advice for Securing an Uncertain IoT

One thing’s for certain: The genie is out of the bottle, and most businesses are not able to hold up their hand and say no to IoT. So it’s time to change the conversation to discussing its implementation with the understanding that security must be part of the plan from the beginning.

At Brooks Brothers, Miller said that the retailer is using IoT technology to speed up the movement of goods and improve the accuracy of inventory. He also pointed out that some retailers combat shrinkage by embedding IoT with surveillance, RFID and data from the smartphones of customers to spot patterns of theft–there is, in short, no lack of ways the IoT can help enterprises do things better.

For its part, Brooks Brothers has implemented several steps to help lock down its IoT footprint. One tactic involves taking a page from the other insecure element found in most enterprise environments: guests.

“You stick them on an isolated Wi-Fi network,” Miller explained. “By the same token, you can isolate IoT.”

Brooks Brothers employs micro-segmentation in its retail stores-all IoT devices have a separate VLAN with a firewall. In its industrial spaces, devices are run on a private intranet.

“We will have to open up this network eventually to bidirectional data flow, but we’re working with our partners to make sure those authentications for communication will be certificate-based,” he said.

Other methods for isolation include using firewall policies to monitor the flow of traffic-a laborious approach-or, by placing sensor data aggregators in various places across the network and only allowing IoT devices to communicate with those hubs. IoT network traffic could also be handled by a private LTE network that connects to a private cloud system-a cloud that features strong authentication and a mechanism for making sure the people that can manipulate the IoT systems are fully authorized.

Above all, companies should also ensure that every negotiation with an IoT vendor or supplier takes security into account.

“You have to ask, how are they going to take the data they collect and utilize it?” Miller said. “If you’re going to put devices on my network and hold me accountable for ensuring the data makes it to its destination, then we have talking to do.”

If an organization doesn’t have a written policy in place around IoT, they need to start writing one.

“Keep it simple, with basic information around tracking who’s allowed to make decisions as to how IoT devices are used and record-keeping,” he added. “You should also classify your IoT devices-is it the consumer-grade Echo in the conference room or an industrial application that we’re talking about? If it’s the former, you must do everything you can to isolate them from the network layer. And you also need to implement a roadmap for security skills, including building a talelt pipeline for your team that includes training on things like certificate-based authentication.”