When the FBI Speaks the IoT Listens
By Cynthia S. Artin, August 10, 2018
The US Federal Bureau of Investigation (FBI) has been busy lately, given the overwhelming volume of cybersecurity threats, including attacks on American democracy.
Most recently, the Feds issued one of their periodic “Public Service Announcements” (PSAs) with an unusual twist: a dire warning stating that cybercriminals are using vulnerable IoT devices to pivot into full systems.
The PSA, titled "Cyber actors use Internet of Things devices as proxies for anonymity and pursuit of malicious cyber activities," reinforces what many in the IoT industry have been working very hard to solve: the challenge of securing the millions and billions of edge devices. Left unsecured, not just those devices but the systems they are connected to are vulnerable to even more cyberattacks on what could be our most critical infrastructure.
The PSA also says, "Cyber actors actively search for and compromise vulnerable Internet of Things devices for use as proxies or intermediaries for Internet requests to route malicious traffic for cyber-attacks and computer network exploitation. IoT devices, sometimes referred to as “smart” devices, are devices that communicate with the Internet to send or receive data. Examples of targeted IoT devices include: routers, wireless radios links, time clocks, audio/video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices."
To be more specific, the warning reads, "IoT proxy servers are attractive to malicious cyber actors because they provide a layer of anonymity by transmitting all Internet requests through the victim device’s IP address. Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic."
With this new FBI-issued PSA, will consumers, businesses, enterprises and government organizations start to pay more attention to security? How will this impact the solutions in place today, and those being developed? What innovations can be harnessed to harden the attack surface by ensuring not only devices, but data are secured before we witness a major meltdown following an attack, in the US and around the world?
Here is what a few experts have to say, from companies that are solving for the security of the IoT in different ways:
“The challenge with IoT security is the fact that machines, like users, require identities. They both require permissions to access cloud and edge services. In addition, they have unique and complex access security requirements of their own to enable access to their own controls and parameters. These challenges cannot be addressed with a blanket “IoT security solution” nor can they be addressed individually in the over 400 IoT frameworks that enterprises must choose from.
Enterprises must be put back in charge of administering their own security policies, whether in the Cloud or in the enterprise.
The primary value of IoT is the information IoT devices offer to enterprises. Windmill Enterprise’s approach is to utilize blockchain technology as a back-end database that can be used to authenticate machine and user identities and administer the enforcement of security policies across Cloud and edge IoT platforms in a uniform and consistent manner. We believe this is the starting point to get IoT data incorporated into the enterprise landscape. Information provided by IoT, not the devices themselves, represents the disruptive value of the technology to businesses.”
Michael Hathaway, CEO, Founder, Windmill Enterprise, Developer of Cognida Platform
SMART CITY WORKS
“The efficiencies, cost saving and situational awareness provided by IoT connected manufacturing equipment, utility grids, building systems, etc. are incentivizing businesses, government and industry to connect their facilities and devices. Unfortunately, with this connectivity comes the risk of cyberattack. These attacks could disable our utilities, inject ransomware, steal customer information and destroy our manufacturing equipment.
We no longer can ignore this threat. We must identify our vulnerabilities now and find means to lower risk and provide confidence to businesses and individuals that allows all of us to share in the huge benefits offered by IoT.”
Bob Mazer, Co-Founder, Smart City Works
“The notion of security is not new, of course. What has changed is the intent of breaches. It is no longer a lone hacker looking to take down sites to gain notoriety in the cyber security underground. Today’s attacks include a larger attack surface which includes both IT and OT (operational technology) infrastructures.
They are being carried out by nation states and cyber terrorist entities that are looking to sabotage infrastructures and operations. In many ways, a cyberattack can create as much damage as physical warfare. The FBI-issued PSA is needed affirmation and guidance of this change of intent, the urgency of the issue, and the need to address it.”
Michael Rothschild, Director of Product Marketing, Indegy
“IoT devices are known attack vectors for a range of cyberattacks that include DoS, DDoS, and replay attacks. In addition, if you’re providing access to your industrial control networks from your enterprise network or enterprise VPN, you may inadvertently be providing unauthorized access to the entire network – even when access to a specific service is all that is required.
This can lead to the infiltration/exfiltration of data and malware. For these reasons, I think we should all follow the rule we were taught as children: Don’t talk to strangers. Set up a zero-trust network. Authenticate and authorize devices before they access the network. Only allow devices to communicate to other devices that are also authenticated and authorized.
And, if you are concerned about the security of data transiting a public network, don't rely on legacy VPN technology. Look for cutting edge techniques like Dispersive's that do a much better job of securing your in-transit data.”
Rick Conklin, CTO, Dispersive Networks, Inc.
“Common sense needs to apply here. You don’t want someone to take a wireless router and plug it into your corporate network, thus opening access. These small devices replicate that type of vulnerability by attaching gateways and routers to otherwise secure networks.
Our current state-of-the-art tools are still largely based on a more static world, where these devices don't move around and can be tied to a specific IP address. So, we are talking about a much bigger magnification of the problem. Now we must shift focus from securing the networks to extending that down to the devices connecting into the networks and the communications channels used into the enterprise assets.
We encountered the same issues when going from classically controlled IT infrastructures to cloud-based services, only this is multiplied a thousand times over.”
Don DeLoach, President and COO of Centri Technology, and Founder and Co-Chair of the Midwest IoT Council and Author of “The Future of IoT”
EDGEX FOUNDRY AND ZEDEDA
“These threats are known to the industry and through open collaboration and interoperability frameworks like those being established by EdgeX Foundry, security standards are rapidly evolving to address these threats. Unlike a datacenter, the edge will be a diverse, multivendor environment which makes it a necessity to collaborate on interoperable security standards and best practices.
Security is a process not a product. Without a definable “perimeter” to protect it, IoT will rely on edge computing architectures to monitor device behavior, intelligently identify anomalous behavior, automate problem remediation, and provide large scale, automated software lifecycle management to patch and upgrade vulnerabilities over this multi-vendor edge environment.
This is why companies from every corner of the IoT ecosystem will need to partner with organizations like EdgeX Foundry to evolve security to enable IoT to meet its full potential and unify the marketplace.”
BSQUARE
“IoT has the potential to unlock significant benefits for enterprises, especially those in the industrial space. However, with that benefit comes responsibility. Each endpoint has the potential to be exploited in a cybersecurity attack.
The good news is that strategies do exist to deploy IoT devices in a secure manner. And, it’s a multi-layered approach. While it is important to institute measures to ward off an attack, it is equally important to monitor activity to identify behavioral anomalies. For example, if you were able to detect a change in data flow or volume of data, it would signal a compromise of the device.
This is where edge computing can help. Bsquare is a leader in building software for edge devices and understanding how to define and operationalize logic that improves business outcomes. Profiling normal behavior (whether performance or security oriented) and taking action on real-time conditions can enable businesses to make quicker, more accurate decisions.”
Dave McCarthy, Vice President, Marketing for BSquare
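As an added illustration (not from the article, the FBI PSA, or any vendor quoted here), the following example profiles each device's normal behavior and flags a change in data volume or in the number of distinct destinations, the kind of shift a device relaying Internet requests as a proxy would show. The device names, thresholds and flow records are constructed assumptions.

```python
from statistics import median

# Constructed hourly flow summaries: (device, hour, bytes_out, distinct_dests).
# Hours 0-5 are the baseline window; hour 6 is the interval being judged.
SAMPLES = [
    *[("ip-camera-01", h, b, 2) for h, b in enumerate(
        [41000, 39500, 40200, 40800, 39900, 40500, 42000])],
    *[("dvr-02", h, b, d) for h, (b, d) in enumerate(zip(
        [118000, 121000, 119500, 122000, 120500, 120000, 2900000],
        [3, 3, 4, 3, 3, 4, 57]))],
    *[("nas-04", h, b, d) for h, (b, d) in enumerate(zip(
        [510000, 495000, 530000, 505000, 520000, 500000, 525000],
        [4, 5, 4, 4, 5, 4, 45]))],
    ("garage-door-03", 6, 900, 1),  # first seen in hour 6: no history
]

def robust_score(history, value):
    """Deviation of value above the median, in units of a floored MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the scale so a perfectly flat baseline does not alert on noise.
    scale = max(1.4826 * mad, 0.05 * med, 1.0)
    return (value - med) / scale

def flag_anomalies(samples, baseline_hours, threshold=6.0, min_history=4):
    """Return (device, hour, reason) for intervals that leave the profile."""
    profile = {}
    for dev, hour, nbytes, dests in samples:
        if hour in baseline_hours:
            hist = profile.setdefault(dev, {"bytes": [], "dests": []})
            hist["bytes"].append(nbytes)
            hist["dests"].append(dests)
    alerts = []
    for dev, hour, nbytes, dests in samples:
        if hour in baseline_hours:
            continue
        hist = profile.get(dev)
        if hist is None or len(hist["bytes"]) < min_history:
            alerts.append((dev, hour, "no-baseline"))  # unknown device
            continue
        reasons = []
        if robust_score(hist["bytes"], nbytes) > threshold:
            reasons.append("volume")
        if robust_score(hist["dests"], dests) > threshold:
            reasons.append("fan-out")
        if reasons:
            alerts.append((dev, hour, "+".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLES, range(6)):
        print(alert)
```

The nas-04 case shows why volume alone is not enough: its byte count stays within profile while its destination count does not.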
The entire FBI warning can be found here.