As connected devices pose real-world threats, a see-all strategy is taking hold.
Soon after lights and heat suddenly cut off for thousands of Ukrainian homes on a December day in 2015, cybersecurity experts gleaned an illuminating lesson: Connected devices can do untold damage—and not just in the virtual world where devices communicate. Armed with malicious firmware, criminals had seized control of serial-to-Ethernet converters in the grid. Panicked controllers were suddenly frozen out.
Fast forward to 2017, when Triton malware targeted the control systems of an industrial plant with the apparent goal of manipulating the plant’s shutdown protocols. Upon analysis, researchers from the target company revealed that hackers were able to introduce malware into their plant by exploiting several vulnerabilities, including flaws in security procedures, enabling access to some of the plant’s stations and its control network.
These incidents illustrate in spectacular fashion the havoc that can be wreaked when internet-connected devices, or the Internet of Things (IoT), fall into the wrong hands.
“The definition of IoT has grown enormously as connected ‘things’ are now pervasive in power plants, dams, and emergency services,” says Pedro Abreu, chief strategy officer at Forescout, a leading cybersecurity provider focused on device visibility and control. And as billions of connected devices become embedded in companies’ physical infrastructure and business operations, the consequences of a compromise grow with them. For example, the NotPetya ransomware worm attacks of 2017 reportedly inflicted $10 billion in damages. Ransomware typically attacks the IT infrastructure, but in this case it affected the systems that control the physical operations companies depend on. Much of that toll came in the form of crippled supply chains for the likes of global shipping giant Maersk, FedEx subsidiary TNT Express, and food producer Mondelēz International, among others.
But experts worry some executives still haven’t gotten the message and consequently underestimate what could happen if their IoT devices were to be compromised.
“When people don’t consider IoT a big risk, it’s because they think, ‘If somebody takes over my security camera, what’s the worst I can lose?’” says Abreu. “But the high value is that adversaries use these devices as easy entry points. We’ve seen attacks like this ranging from data theft to disruption of operations or even data extortion.”
At issue is device invisibility, which allows devices to fly under cybersecurity radars. As previously unseen devices come online daily, organizations don’t always detect new ones or keep adequate tabs on old ones. According to Abreu, “to properly secure these environments, operators need accurate and real-time visibility to all devices, as well as the ability to segment these based on the risk they pose to their infrastructure. Forescout consistently finds organizations miss up to 60 percent of the devices on their networks.”
Creating visibility into an entire network of connected devices is fast becoming a best-practice strategy for companies and governments working to protect their data, infrastructure, and business operations. However, knowing that a device exists is not enough. Once a device is detected, its proper functions need to be identified, and it needs to be restricted to only those approved behaviors.
But while the explosion of new connected devices is overwhelming security teams, IoT devices offer one advantage over traditional endpoints such as PCs, servers, and mobile devices: for the most part, they have predictable behaviors that can be monitored and controlled.
Abreu gives the example of a new connected television in the boardroom. It doesn’t need full network access. It just needs to allow for two activities: watching TV and showing presentations.
“If that TV is suddenly connecting to your data center, that’s bad behavior,” Abreu says. “Why even allow it to be able to connect outside of the two things that we designated?” Keeping a device on a short leash means it can deliver everything it’s designed to do without risking manipulation by malicious actors.
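The boardroom-TV rule above, expressed as a per-device behavior profile checked against network flows. This is an added illustration, not Forescout's product or code; all addresses, ports and flow records are constructed for the example, and the profile for the TV is a hypothetical one (a streaming range on 443 and a casting/presentation range).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DeviceProfile:
    """The 'short leash': the only destinations a device class may talk to."""
    name: str
    allowed_dst: list  # (ip_network, dst_port) pairs

    def permits(self, dst_ip: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in net and dst_port == port for net, port in self.allowed_dst)


# Hypothetical profile: the TV only needs to watch TV and show presentations.
PROFILES = {
    "boardroom-tv": DeviceProfile("boardroom-tv", [
        (ipaddress.ip_network("203.0.113.0/24"), 443),   # constructed streaming range
        (ipaddress.ip_network("10.10.50.0/24"), 7236),   # constructed casting range
    ]),
}

# Device inventory: which known device sits behind each source address.
INVENTORY = {"10.20.30.5": "boardroom-tv"}

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.20.30.5", "203.0.113.17", 443),   # TV streaming: approved
    ("10.20.30.5", "10.10.50.8", 7236),    # TV casting a presentation: approved
    ("10.20.30.5", "10.0.100.25", 445),    # TV reaching into the data center: bad
    ("10.20.30.99", "10.0.100.25", 22),    # source not in inventory: invisible device
]


def audit_flows(flows, profiles=PROFILES, inventory=INVENTORY):
    """Return (src, dst, port, reason) for every flow that needs attention.

    Two conditions are flagged: a known device acting outside its profile,
    and a source address that visibility never accounted for at all.
    """
    alerts = []
    for src, dst, port in flows:
        device = inventory.get(src)
        if device is None:
            alerts.append((src, dst, port, "unknown device: not in inventory"))
        elif not profiles[device].permits(dst, port):
            alerts.append((src, dst, port, f"{device} outside approved behavior"))
    return alerts


if __name__ == "__main__":
    for alert in audit_flows(FLOWS):
        print(alert)
```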
The IoT brings a new generation of security challenges to enterprises and governments alike, ones that can materialize in both virtual and physical consequences. But by prioritizing visibility, organizations are laying strategic foundations that will leave nothing to chance.