IoT Security: Understanding the Growing Attack Surface

Safeguarding the Internet of Things (IoT) devices and networks have become the subject of scrutiny after many high-profile hacks have emerged in the media. In all cases, common IoT devices were used to infiltrate and attack the larger network.

A massive botnet attack lasting 13 days in duration occurred in April of 2019 – the attack featured firepower from over 400,000 IoT devices going after a targeted company in the entertainment industry. At one point, the botnet produced more than 292,000 requests per minute and was an application-layer attack because it targeted the company's web services. This was a costly endeavor to clean up and is more proof of the vulnerabilities of endpoints in networks.

Allowing devices to connect to the Internet opens them up to a wide variety of security risks that need to be managed accordingly. Implementing security measures on endpoints such as IoT devices is critical to ensuring the overall security of the underlying network and the organization as a whole.

“The security protecting IoT devices has lagged behind the hackers’ ability to penetrate them. Criminals can remotely control smart devices, disrupt the power grid, or interrupt industrial controls, for example. A compromised IoT device can serve as a springboard for an attacker to enter the network and steal or destroy sensitive information,” according to Larry Lunetta, Vice President of Security and Wireless LAN Marketing, Aruba.

There are several challenges to overcome when securing enterprise-connected IoT devices.

The first challenge is that having visibility into the flood of devices that have come aboard the network. This can include the connection of legacy assets that are not formally designed for IoT connectivity, such as building control systems addressing HVAC. Replacing all the legacy technology is far too expensive, and thus many assets are retrofitted with smart sensors, but without updates and security against modern threats, the attack surface is often broadened. 

The second challenge is having the ability to put proper security controls in place. This means discovering devices and then enforcing access control policies that treat devices in a way that enables them to function within the rules and keeps their productivity high. Device classification at the network edge is a key component of control, and having the capability to assess and reach all connected devices is another. Because devices are constantly changing, an organization must be able to adapt IT access policies when new conditions, threats, and vulnerabilities are presented.

A final challenge is scaling security to meet the growth of IoT devices through automation and orchestration. No IT staffer has the time to watch alerts on a network or manually check each device that connects. Having control through the automated application of wired and wireless policy enforcement ensures devices have the appropriate level of access based on their function and business need. At the same time, real-time attack response and enforcement are critical in the event a device is compromised or acting in an anomalous fashion.

This expanded IT attack surface and a constantly evolving network supporting the IoT means organizations not only need a secure network foundation, but also the right tools for additional visibility and control. Aruba’s ClearPass is designed for better device visibility through discovery and profiling with ClearPass Device Insight and manage an entire set of access control use cases that includes wired, wireless, guest and BYOD connectivity, to policy-based remediation and attack response.

Examining the IoT Security Gap
To better understand the perceived challenges of securing IoT and how IT security professionals expect to deal with those challenges, Aruba partnered with the Ponemon Institute who surveyed 3,866 IT and IT security practitioners in Asia-Pacific, EMEA, and North America, and found that:

• Less than 25 percent of Ponemon survey respondents believe IoT devices are secure
• 66 percent say they have little or no ability to secure IoT devices
• 60 percent believe even simple “things” pose a threat

“IoT devices are unique in that they cannot be secured like traditional endpoints. They have little to no security built-in, and many perform sensitive, business-critical functions within the organization.  This makes applying the right level of security controls critical,” said Paul Kaspian, Senior Solutions Marketing Manager for Aruba.

The Ponemon study also explored IT professionals’ preferred approaches to secure IoT devices, and the multiple approaches the respondents identified were:

• continuous monitoring of network traffic
• network access control
• closed-loop detection and response
• peer group/anomaly detection

The business responsibility for IoT applications and devices itself may often lie with manufacturing, operations, or another business group and not within the IT department. In fact, the study shows that responsibility for IoT security has not been centralized. The CIO, CISO and CTO and the line of business were all named as responsible for IoT security. Thirty-three percent said the CIO, but interestingly, none of the other functional roles registered above 20 percent and “no function” came in third at 15 percent. This demonstrates that a major gap exists when it comes to security ownership within organizations; with an area as important as security, organizations cannot afford to let these gaps widen.