EXCLUSIVE: Cybersecurity essentials for the IoT age

Will Knehr, Senior Manager of Information Assurance and Data Privacy at i-PRO Americas, discusses the elements required to keep IoT and IIoT devices cybersecure.

The number of Internet of Things (IoT) devices worldwide is forecast [1] to nearly triple from 9.7 billion in 2020 to 29 billion in 2030. About 60% of these are smaller computing devices, sensors and software that exchange data over the internet — think smart refrigerators, home security systems and wearable fitness trackers. The rest are Industrial IoT (IIoT) devices developed for uses like manufacturing, heating and cooling commercial facilities, enabling smart farms and securing enterprise facilities.

With the explosive growth in connected devices comes an increase in vulnerability. As most IoT devices were designed for convenience and not security, they are a prime target for hackers. The technological research and consulting firm Gartner [2] found that in the past three years, nearly 20% of organizations have observed cyber-attacks on IoT devices in their networks.

The world has seen a significant increase in cyber-attacks aimed at critical infrastructure and security systems, with devices like surveillance cameras being hacked as a way into the network.

It’s clear that manufacturers of IoT and IIoT devices need to do more to secure them and to educate consumers and industrial customers on key tenets of cybersecurity. As a developer of professional security solutions for surveillance and public safety, i-PRO has identified four elements that should be the foundation of any IoT security program: resiliency, cyber hygiene, product security and proper configuration.

By focusing on these essentials as a team, device manufacturers and organizations who use IoT and IIoT devices can work together to improve their security.

Resiliency

Devices must be designed to withstand and recover from any potential issues — to be there when you need them most. Organizations rely on IIoT devices to control power, security, fire suppression, HVAC, manufacturing and more. We must build resiliency and redundancy into these systems and the networks that surround them.

Consider key questions when determining your resiliency. Will your security system work when the power goes out? Will your cameras survive high winds and severe storms? How quickly can you bring services back online in the event of a cyber-attack? Gather key stakeholders from your IT, HR, Sales, Finance, Engineering, Development, Customer Service and Operations departments to run through worst-case scenarios and have each describe what happens to their customers, teams, equipment, etc. in the event of a catastrophe. This will help identify gaps in resiliency.

Other actions you can take to make devices more resilient are:

  • Build or procure devices with strong protection – make sure they are vulnerability-tested, use encryption to protect data and support protocols like 802.1X integration
  • Build secure network topologies – the National Institute of Standards and Technology (NIST) is a great free resource as you get started
  • Procure devices made to withstand your unique conditions
  • Back up device configuration data
  • Consider redundant devices with secure failover
  • Consider battery backups or generators

Building resiliency in IoT/IIoT requires a partnership between the device manufacturer and the physical security and cybersecurity experts at the organization.

Cyber hygiene

Just like with physical health, there are steps we need to take on a routine basis to keep things running smoothly in the cyber world and protect networks from attacks. Establish a culture of cybersecurity in your organization. Get in the habit of “grooming” your IoT devices on a regular basis. Start with passwords.

There are three considerations for determining how often to change passwords: industry requirements, organizational requirements and legal or insurance requirements. As industry requirements vary, you’ll need to check your compliance framework — HIPAA or HITRUST for the medical field, CJIS for law enforcement or PCI/DSS for processing credit cards.

NIST recommends changing passwords in the event of a system compromise, if a password is disclosed to another user or to an unauthorized user or if a user on a shared account leaves the organization. Also, consider any organizational requirements, as failure to follow these policies could result in violations of legal or insurance requirements. Cyber insurance often requires following particular practices, so read your policy and understand those requirements when setting a password policy.   

IIoT devices are often deployed with a “set it and forget it” mentality and left alone unless they malfunction. To run an effective cybersecurity program, we must apply the same principles to IIoT devices as we do to computers or any other network device. IIoT devices need their firmware and software updated regularly, their passwords changed and they need to be scanned for vulnerabilities. Here are some guidelines for good IIoT device cyber hygiene:

  • Do a full inventory of all devices on your network – include manufacturer information and model numbers
  • Set up vulnerability alerts for your IIoT devices – consider subscribing to CISA vulnerability alert bulletins
  • Check for firmware and software updates for these devices on a routine basis
  • Update or change passwords on IIoT devices on a routine basis that is manageable for your team
  • Conduct vulnerability scanning that looks for critical vulnerabilities – note that the scans can cause devices to fail, so test devices for the first time before deploying them*
  • Conduct vendor and device risk assessments when purchasing new IIoT devices
  • Research device vendors’ reputations for updating products when vulnerabilities are found 
  • Confirm that device vendors analyze their code to ensure they are deploying a secure product
  • Pick a device that has the right settings and protocols for your network
  • Conduct configuration backups of devices and make sure backups are stored offsite or in the cloud
  • Ensure IIoT devices are covered in your policies and plans (incident report, business continuity, etc.)

*Special caution must be taken when scanning IIoT devices. Do so in a testing environment first and then divide your network into small chunks. Unfortunately, many IIoT devices are not made to be scanned and this can sometimes cause the devices to go offline. The last thing you want to do is cause a self-inflicted denial-of-service attack. 
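
The staged approach described above can be planned directly from the device inventory. The following is an added example, not code from the author or i-PRO: it holds back any model that has not yet been scanned in a test environment, splits the rest into small network chunks and keeps redundant devices out of the same batch. The inventory fields, the `failover_group` name, the vendors and the addresses are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory; vendors, models and addresses are made up.
INVENTORY = [
    {"ip": "10.20.0.11", "manufacturer": "ExampleCam", "model": "EC-100", "failover_group": "lobby"},
    {"ip": "10.20.0.12", "manufacturer": "ExampleCam", "model": "EC-100", "failover_group": "lobby"},
    {"ip": "10.20.0.13", "manufacturer": "ExampleHVAC", "model": "HV-2"},
    {"ip": "10.20.0.14", "manufacturer": "ExampleCam", "model": "EC-100"},
    {"ip": "10.20.0.15", "manufacturer": "ExampleHVAC", "model": "HV-2"},
    {"ip": "10.20.0.20", "manufacturer": "ExampleCam", "model": "EC-100"},
    {"ip": "10.20.0.21", "manufacturer": "ExamplePLC", "model": "PL-9"},
]
# Models that stayed online when scanned in the test environment (constructed).
LAB_VALIDATED = {("ExampleCam", "EC-100"), ("ExampleHVAC", "HV-2")}


def plan_scan(inventory, lab_validated, chunk_prefix=28, max_per_batch=3):
    """Return (batches, held_back) for a staged vulnerability scan.

    batches   -- list of (chunk, [ips]); scan one batch at a time and confirm
                 the devices are still online before starting the next.
    held_back -- IPs whose model has never been scanned in the lab.
    """
    held_back, by_chunk = [], defaultdict(list)
    for dev in inventory:
        if (dev["manufacturer"], dev["model"]) not in lab_validated:
            held_back.append(dev["ip"])  # test this model offline first
            continue
        chunk = ipaddress.ip_network(f'{dev["ip"]}/{chunk_prefix}', strict=False)
        by_chunk[chunk].append(dev)

    batches = []
    for chunk in sorted(by_chunk):
        chunk_batches = []
        for dev in sorted(by_chunk[chunk], key=lambda d: ipaddress.ip_address(d["ip"])):
            group = dev.get("failover_group")
            for batch in chunk_batches:
                # A device and its failover partner never share a batch, so a
                # scan that knocks one offline leaves the other in service.
                clash = group is not None and any(
                    d.get("failover_group") == group for d in batch)
                if len(batch) < max_per_batch and not clash:
                    batch.append(dev)
                    break
            else:
                chunk_batches.append([dev])
        batches += [(str(chunk), [d["ip"] for d in b]) for b in chunk_batches]
    return batches, held_back


if __name__ == "__main__":
    for chunk, ips in plan_scan(INVENTORY, LAB_VALIDATED)[0]:
        print(chunk, ips)
```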

Product security

As IoT devices are designed for convenience, some don’t include security features. It’s critical to procure devices from vendors with a track record for prioritizing security. Some of the security features to look for in an IoT device are encryption (protecting usernames, passwords and device traffic), authentication (ensuring it only takes instructions from an authenticated source) and support of secure network standards like 802.1X.

Consumers and manufacturers both have responsibilities in this scenario. Individuals and organizations procuring IoT devices should do due diligence to confirm that the device vendor ensures security protocols are supported, offers the ability to encrypt data at rest or in transit, works to protect customer privacy and has a track record for updating product firmware or hardware when vulnerabilities are detected.

Manufacturers have a responsibility to do everything they can to build secure products. Driven by market demand, many offer different versions of products and charge more for more secure versions. The more consumers voice their demands for secure products, the more the market will deliver.

The procurement process on the IIoT side is more significant, in line with the impact of a security breach in an industrial environment. Here are some best practices to consider:

  • Research the manufacturer – do they have a track record or reputation for producing secure products and updating their software or firmware? 
  • Does the manufacturer have a way for researchers and ethical hackers to report vulnerabilities? 
  • Does the product offer basic security features like encryption and passwords? 
  • Does the product support secure protocols like HTTPS, MQTTS and RTSP? 
  • Does the manufacturer offer hardening guides, white papers or best practices when deploying their devices? 
  • Consider conducting a vendor assessment, especially if purchasing many products from a single vendor

Proper configuration

A manufacturer can deliver the most secure device in the world, but if it’s not configured properly or set up correctly, it can still be the source of a network breach. A recent IDC study [3] found that nearly 70% of firewall breaches are due to security misconfigurations. Proper configuration means making sure the security features on the device are enabled and set up correctly, networks are configured properly and access control and authentication are enabled.

How does anyone find out what the proper configuration of devices should be to enable security features? First, consider the requirements for the industry in which the device will be used (e.g., medical – HIPAA and HITRUST, law enforcement – CJIS, international companies – ISO 27000, credit cards – PCI/DSS, government – NIST, etc.).

When in doubt, consider NIST the gold standard framework when it comes to best practices for securing devices. In addition, it is free of charge. Cybersecurity frameworks get very technical and complicated, so it’s a good idea to consider hiring a consultant or security expert to help assess compliance. Many manufacturers also offer guides with step-by-step directions on how to enable security settings in their products.

These four essential elements are the basis for a comprehensive program to manage and secure IoT and IIoT devices. Purchase the right devices for your environment from vendors who take security seriously. Ensure that the devices will be resilient. Update your devices and use the proper security settings. While there’s no way to guarantee you will never get attacked, if you build your IoT cybersecurity strategy around these elements, you’ll be a much harder target.

References

  1. Vailshery, L.S. (2022) IoT connected devices worldwide 2019-2030, Statista. Available at: https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/ (Accessed: January 24, 2023).
  2. Gartner (no date) Leading the IoT. Available at: https://www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf?x10937 (Accessed: January 24, 2023).
  3. Ermetic reports nearly 80% of companies experienced a cloud data breach in past 18 months (2020) Business Wire. Available at: https://www.businesswire.com/news/home/20200603005175/en/Ermetic-Reports-80-Companies-Experienced-Cloud-Data (Accessed: January 24, 2023).

Will Knehr is Senior Manager of Information Assurance and Data Privacy at i-PRO Americas Inc. where he works to secure their products and networks. He has been working to secure networks since 2004 when he started his career in cryptologic warfare conducting cyber defense missions for the NSA, CMF, DoN, DoD and DISA. Will also worked for Northrop Grumman supporting special projects for the NSA and DISA, building virtualized environments for malware analysis, data brokering and managing their cybersecurity program. He holds master’s degrees in Cybersecurity and Business and industry certifications including CISSP, PMP, CEH, CNDA, CASP, CMMC RP and more. 

This article was originally published in the February edition of Security Journal Americas.