How to monitor IoT for cyberattacks
28 November 2019
There is a lot of talk around the impact of the Internet of Things (IoT) in 2020 and beyond. On the same note, CIOs and CISOs are becoming more concerned with how IoT devices are going to become a source of cyberattacks. After all, no one wants their organization attacked because of a connected kettle or toaster.
This blog post attempts to shed some light on what organizations should consider when monitoring IoT for cybersecurity attacks.
I am also critically aware that this post could be read by two types of audience:
Audience #1: Manufacturers/developers of IoT. These are organizations that design, develop and manufacture IoT devices that are sold to other organizations. For this audience, we will focus on the IoT creation process and the ongoing tasks needed to ensure these IoT devices continue to work.
Audience #2: Users of IoT. These are organizations that have purchased IoT devices, implemented them, and are using them to enrich their business processes.
For manufacturers/developers of IoT
As an IoT manufacturer, there should be two primary focus areas:
Focus #1: Building an IoT device or system that is reasonably secure against common security attacks.
The main challenge is the small form factor of the IoT device. Most IoT devices do not run a standard Windows or Linux operating system (OS). Traditional IT security technologies are built to secure data centers or endpoints that run a standard OS such as Windows, Linux or Mac.
To secure IoT during the manufacturing process, manufacturers can analyse and test the IoT firmware for vulnerabilities. This allows you to identify vulnerabilities in the code, in the software libraries used, weak passwords and so on.
Focus #2: Ongoing duty of care for the IoT functions (e.g. keeping it patched and secured after it has been sold).
The main challenge is that you cannot monitor the IoT devices once they are installed in your customer's network. Traditional IT security approaches and technologies assume that you have control of the physical device and the network.
To secure IoT after it has been sold, you can consider:
- Embedding a detection and alerting function. This function should send an alert, for example, when:
- Continuously analysing the IoT firmware for new vulnerabilities. Once a vulnerability has been discovered, a relevant patch can be rolled out.
- Hosting the IoT device as a honeypot to identify targeted attacks.
For users of IoT
As an IoT user, your main focus is to ensure that the IoT devices continue to behave and function within the expected parameters. However, traditional IT security technology is not applicable because no traditional software (e.g. anti-virus and endpoint protection) can be installed on the IoT device. Sometimes the IoT network can be so sensitive that you cannot even run a vulnerability scan to discover the IoT devices.
To secure IoT as a user, you can consider:
- Creating a baseline for IoT. This includes:
  - Passively discovering, categorizing and profiling the IoT devices. Specialized technology is needed to identify IoT devices accurately.
  - Validating the IoT devices that have been discovered against what is expected. This ensures the completeness of the discovery. Sometimes a physical site walk may even be required.
  - Identifying the criticality of each IoT device. This can be done by identifying the purpose of the device and analysing the number of connected assets.
- Monitoring for baseline deviations and cybersecurity attacks. This includes:
  - Monitoring your IoT devices for anomalies in network connections and behaviour.
  - Integrating the monitoring with threat intelligence to identify potential attacks.
  - Monitoring the IoT network's outbound points for signs of security attacks. We have found this type of monitoring to be very accurate, especially when monitoring proxy and NGFW logs.
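As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not NTT's own tooling), the Python script below builds a per-device baseline of outbound destinations from constructed proxy/NGFW-style log lines, then flags a device that is not in the baseline, a new outbound destination, and an outbound volume far above what the device has sent before. The log format, the IP addresses and hostnames, and the 10x volume threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified proxy/NGFW outbound log format (not from the
# post): "<timestamp> <src_ip> <dst_host> <dst_port> <bytes_out>".
BASELINE_LOGS = """\
2019-11-20T08:00:01 10.10.5.21 updates.vendor.example 443 1200
2019-11-20T08:10:02 10.10.5.21 ntp.vendor.example 123 76
2019-11-20T08:00:05 10.10.5.22 telemetry.vendor.example 443 900
2019-11-20T09:00:05 10.10.5.22 telemetry.vendor.example 443 950
"""
NEW_LOGS = """\
2019-11-27T08:00:01 10.10.5.21 updates.vendor.example 443 1250
2019-11-27T08:12:44 10.10.5.21 198.51.100.77 8443 800
2019-11-27T08:20:00 10.10.5.22 telemetry.vendor.example 443 60000
2019-11-27T08:25:00 10.10.5.23 telemetry.vendor.example 443 900
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")
VOLUME_FACTOR = 10  # assumed threshold: alert when one transfer exceeds 10x the baseline maximum

def parse(text):
    """Parse log text into (src, dst, port, bytes_out) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, src, dst, port, nbytes = m.groups()
            records.append((src, dst, int(port), int(nbytes)))
    return records

def build_baseline(records):
    """Per device: the (dst, port) pairs seen and the largest single transfer observed."""
    base = defaultdict(lambda: {"dests": set(), "max_bytes": 0})
    for src, dst, port, nbytes in records:
        base[src]["dests"].add((dst, port))
        base[src]["max_bytes"] = max(base[src]["max_bytes"], nbytes)
    return dict(base)

def detect_deviations(baseline, records):
    """Return (src, reason) alerts for records that fall outside the baseline."""
    alerts = []
    for src, dst, port, nbytes in records:
        if src not in baseline:
            alerts.append((src, "device not in baseline"))
        elif (dst, port) not in baseline[src]["dests"]:
            alerts.append((src, f"new outbound destination {dst}:{port}"))
        elif nbytes > VOLUME_FACTOR * baseline[src]["max_bytes"]:
            alerts.append((src, f"outbound volume {nbytes} bytes exceeds baseline"))
    return alerts
```

In practice the baseline should be built from a learning period long enough to cover scheduled behaviour such as firmware update checks, and the "device not in baseline" alert is exactly where the site-walk validation step above pays off.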
At NTT, we have developed several services and processes to baseline the IoT network and monitor for security attacks as well as partnered with disruptive vendors to secure IoT in innovative ways. Find out more about us here.