IoT is Invaluable, but Security Remains a Challenge

Connected buildings, data centers, and warehouses are becoming as ubiquitous as connected homes and cars. At the center of this trend is a technology called the Internet of Things (IoT)—essentially, objects and devices embedded with sensors and connected to the Internet.

With Internet-connected sensors, organizations can track the location of devices and vehicles; monitor energy use and uptime of utilities and data center equipment; and track the comings and goings of personnel, cargo, and inventory through sensors embedded in a variety of devices. The data these sensors generate is invaluable for optimizing processes, ensuring uptime, flagging security anomalies and improving productivity. With these clearly demonstrable business benefits, it’s not surprising the IoT is growing exponentially. Gartner estimates there will be 11.4 billion connected devices in use worldwide by 2018, up from 6.4 billion in 2016.

IoT on the Rise

Government use of Internet-connected sensors is on the same growth path. According to research from public sector data company Govini, federal spending on IoT rose 20 percent to nearly $9 billion in FY2015. Overall, the federal government spent close to $35 billion on IoT technology between FY2011 and FY2015.

As beneficial as these sensors and the data they gather can be, they can also pose serious security risks if they aren’t fully secured with appropriate access and privacy controls, configuration, password control, and media protection. And it’s becoming more important all the time. Gartner predicts that by next year, more than 25 percent of enterprise-level cyberattacks will involve IoT components.

Without the appropriate controls, it’s relatively easy for hackers to compromise IoT security. According to research from Akamai, vulnerable connected devices can be used to mount attacks against all types of Internet targets and Internet-facing services, such as HTTP and SMTP, and to carry out network scanning. They can also be used to launch attacks against the internal networks that host those connected devices. And once a malicious user accesses the web administration console of one of these devices, they can compromise the data, take over the machine, or even launch attacks against the internal network hosting the Internet-connected device.

The effects of recent IoT compromises have been devastating. In 2016, the Mirai botnet infected vulnerable IoT devices, effectively turning entire computer systems into remotely controlled bots. The result was a series of Distributed Denial of Service (DDoS) attacks that slowed or completely halted some of the Internet’s largest websites.

Steps Toward Better IoT Security

At the bare minimum, Akamai recommends these precautions for all IoT devices:

  • Always change factory default credentials.
  • Unless required for normal operation, completely disable the SSH service on any Internet-connected device.
  • Consider establishing inbound firewall rules preventing SSH access to IoT devices from outside of a narrowly trusted IP space, such as the internal network.
  • Consider establishing outbound firewall rules for IoT devices at the network boundary, so that any tunnels that are established cannot result in successful outbound connections.
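
The two firewall recommendations above, sketched as an nftables ruleset for the gateway in front of an IoT segment. This is an added example, not Akamai's configuration or part of the original article; the table name, address ranges, and allowed destinations and ports are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: forward-path rules on the gateway in front of an IoT segment.
# Every address, port and name below is a constructed placeholder (assumption).

table ip iot_guard {
    # Assumed IoT VLAN.
    set iot_devices {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24 }
    }
    # Narrowly trusted admin workstations on the internal network.
    set mgmt_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.10.5.0/28 }
    }
    # The only external services the devices are assumed to need.
    set iot_allowed_dst {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.20 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Return traffic for flows that were permitted as new connections.
        ct state established,related accept

        # Inbound: SSH to a device is allowed only from the management range.
        ip daddr @iot_devices tcp dport 22 ip saddr @mgmt_hosts accept
        ip daddr @iot_devices tcp dport 22 log prefix "iot-ssh-in-drop: " drop

        # Outbound: a device may open new connections only to its allowlist.
        # A connection relayed through an SSH tunnel on the device is a new
        # flow sourced from the device, so it is logged and dropped here.
        ip saddr @iot_devices ip daddr @iot_allowed_dst tcp dport 443 accept
        ip saddr @iot_devices ip daddr @iot_allowed_dst udp dport 123 accept
        ip saddr @iot_devices log prefix "iot-egress-drop: " drop
    }
}
```

The ruleset covers IPv4 only and leaves other inbound ports to the gateway's existing policy; an IPv6 segment needs an equivalent `ip6` table.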

The federal government is clearly listening. In July, a Government Accountability Office report found the Defense Department’s guidance on IoT security didn’t adequately address security risks. It recommended the Department address these shortcomings by assessing existing security policies and identifying areas where new policies may be required.

This is a critical issue for all federal agencies. Within the past several months, federal oversight agencies have put into motion several initiatives to specifically address IoT security. In August, the Senate Cybersecurity Caucus along with other senators proposed the Internet of Things Cybersecurity Improvement Act of 2017. If passed, the bill will require that IoT equipment used by federal agencies be patchable and meet specific security requirements, such as not including hard-coded passwords that can’t be changed, using industry-standard protocols, and not containing known security vulnerabilities.

The National Institute of Standards and Technology also recently overhauled its Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, to specifically address IoT security. This latest version details the steps agencies should take to secure IoT devices in areas like access controls, configuration management, incident response, media protection, risk assessment, and system and information integrity.