Security concerns over the Internet of Things (IoT) are growing, and federal and state lawmakers are taking action. First, the U.S. Senate introduced the Internet of Things Cybersecurity Improvement Act of 2017, which sought to “establish minimum security requirements for federal procurements of connected devices.” More recently, legislators in the state of California introduced Senate Bill No. 327, which stipulated that manufacturers of IoT devices include “a reasonable security feature” within their products.
While these laws are good starting points, they don’t go far enough in addressing IoT security concerns. It remains incumbent upon government security managers to take IoT security into their own hands to protect their devices and networks.
IoT Devices: A Hacker’s Best Friend?
Connected devices can take many shapes and forms—a thermostat, a refrigerator, a smartphone. They’re all different, but they share a few common threads. All have the potential to connect to the Internet and local networks and, for the most part, they were designed for convenience and speed—not security. And since they’re connected to the network, they offer a backdoor through which other systems on that network can be easily compromised.
As such, IoT devices offer tantalizing targets for hackers. A single exploit from one connected device can lead to a larger, more damaging breach. Remember the Target hack from a few years ago? Malicious attackers gained a foothold into the retail giant’s infrastructure by stealing credentials from a heating and air conditioning company, whose units were connected to Target’s network. It’s easy to imagine something just as insidious—and even more damaging to national security—taking place within the Department of Defense, which has been an early adopter of connected devices, or another agency.
Steps for Securing IoT Devices
When security managers initiate IoT security measures, they’re not just protecting their devices, they’re safeguarding everything connected to those devices. Therefore, it’s important to go beyond the government’s baseline security recommendations and embrace measures that are more robust. Here are some proactive steps government IT managers can take to lock down their devices and networks.
- Make patching and updating a part of the daily routine. IoT devices should be subject to a regular cadence of patches and updates to help ensure the protection of those devices against new and evolving vulnerabilities. This is essential to the long-term security of connected devices.
The Internet of Things Cybersecurity Improvement Act of 2017 specifically requires vendors to make their IoT devices patchable, but it’s all too easy for managers to go out and download what appears to be a legitimate update—only to find it’s full of malware. It’s important to be vigilant and verify security packages before applying them to their devices. After updates are applied, managers should take precautions to ensure that those updates are genuine.
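The two checks described above, one before an update is applied and one after, can be sketched as follows. This is an added example, not code from the article or from any vendor; the file name, version string, manifest layout and the `reported` dictionary read back from the device are all assumptions, and the firmware image is constructed sample data.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample: digests pinned from a channel separate from the download.
GENUINE_IMAGE = b"CONSTRUCTED-FIRMWARE-IMAGE v2.4.1"
PINNED = {
    "thermostat-2.4.1.bin": {
        "version": "2.4.1",
        "sha256": hashlib.sha256(GENUINE_IMAGE).hexdigest(),
    }
}

def sha256_file(path, chunk=65536):
    """Stream the file so large images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_before_apply(path, pinned=PINNED):
    """Return (ok, reason); files missing from the manifest fail closed."""
    entry = pinned.get(Path(path).name)
    if entry is None:
        return False, "not in pinned manifest"
    if not hmac.compare_digest(sha256_file(path), entry["sha256"]):
        return False, "digest mismatch"
    return True, "digest matches pinned value"

def verify_after_apply(name, reported, pinned=PINNED):
    """Check what the device reports after the update (hypothetical dict)."""
    entry = pinned.get(name, {})
    return (bool(entry)
            and reported.get("version") == entry["version"]
            and hmac.compare_digest(reported.get("sha256", ""), entry["sha256"]))

def demo():
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "thermostat-2.4.1.bin"
        image.write_bytes(GENUINE_IMAGE)
        genuine = verify_before_apply(image)
        image.write_bytes(GENUINE_IMAGE + b"\x00extra-bytes")  # tampered copy
        tampered = verify_before_apply(image)
        unlisted = verify_before_apply(Path(d) / "camera-9.9.bin")
    return genuine, tampered, unlisted

if __name__ == "__main__":
    print(demo())
```

A digest check only helps when the pinned value comes from a source the attacker who altered the download could not also alter.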
- Apply basic credential management to interaction with IoT devices. Managers must think differently when it comes to IoT device user authentication and credential management. They should ask: “How does someone interact with this device?” “What do we have to do to ensure that only the right people, with the right authorization, are able to access the device?” and “What measures do we need to take to verify this access and understand what users are doing once they begin using the device?”
These questions are relevant because IoT devices are unlike other types of systems. Some IoT devices, like voice assistants, do not even require a person to enter a password. It can be difficult to know who’s using the devices, and what they’re doing once they gain access.
Being able to monitor these user sessions is key. IoT devices may not have the same capabilities as modern information systems, such as the ability to maintain or view log trails or delete a log after someone stops using the device. Managers may need to proactively ensure that their IoT devices have these capabilities.
- Employ continuous threat monitoring to protect against attacks. There are several common threat vectors that hackers can use to tap into IoT devices. SQL injection and cross-site scripting are favorite weapons that malicious actors use to target web-based applications and could be used to compromise connected devices.
Managers should employ IoT device threat monitoring to help protect against these and other types of intrusions. Continuous threat monitoring can be used to alert, report, and automatically address any potentially harmful anomalies. It can monitor traffic that passes to and from a device to detect whether or not the device is communicating with a known bad entity. A device that is in communication with a command and control system outside of the agency’s infrastructure is a certain red flag that the device—and the network it’s connected to—may have been compromised.
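As an added illustration of the traffic check described above (not code from the article or from any monitoring product), the sketch below scans flow records for IoT devices that talk to a known bad address or to an unexpected destination outside the agency's infrastructure. The address ranges, blocklist, allowlist and flow-record format are all assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed values: agency address space, IoT subnet and threat-intel blocklist,
# all constructed from RFC 1918 and RFC 5737 documentation ranges.
AGENCY_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
IOT_NET = ipaddress.ip_network("10.20.0.0/16")
KNOWN_BAD = {ipaddress.ip_address("203.0.113.66")}
# Hypothetical per-device allowlist of approved external endpoints.
EXPECTED_EXTERNAL = {"10.20.1.15": {ipaddress.ip_address("198.51.100.10")}}

# Constructed flow records: "timestamp src dst dst_port bytes"
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z 10.20.1.15 10.1.1.5 443 1200
2024-05-01T10:00:05Z 10.20.1.15 198.51.100.10 443 5300
2024-05-01T10:01:00Z 10.20.1.22 203.0.113.66 8443 880
2024-05-01T10:02:00Z 10.20.1.15 198.51.100.77 53 140
2024-05-01T10:03:00Z 10.1.1.9 203.0.113.66 443 900
malformed line
"""

def classify(src, dst):
    """Return an alert severity for one IoT-originated flow, or None."""
    if dst in KNOWN_BAD:
        return "critical"          # talking to a known bad entity
    if any(dst in net for net in AGENCY_NETS):
        return None                # stays inside agency infrastructure
    if dst in EXPECTED_EXTERNAL.get(str(src), set()):
        return None                # approved vendor endpoint
    return "review"                # unexpected destination outside the agency

def scan(text):
    """Parse flow lines and return alerts for devices on the IoT subnet."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, port = parts[0], int(parts[3])
            src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
        except (IndexError, ValueError):
            continue               # skip records that do not parse
        if src not in IOT_NET:
            continue               # this monitor covers IoT devices only
        severity = classify(src, dst)
        if severity:
            alerts.append((severity, ts, str(src), str(dst), port))
    return alerts

if __name__ == "__main__":
    print(*scan(SAMPLE_FLOWS), sep="\n")
```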
The IoT is here to stay, and it’s important for federal IT managers to proactively tackle the security challenges that it poses. Bills passed by federal and state legislators are a start, but they’re not enough to protect government networks against devices that weren’t designed with security top-of-mind. IoT security is something that agencies will need to take into their own hands. Managers must understand the risks and put in place processes, strategies, and tools to proactively mitigate threats caused by the IoT.
Jim Hansen is vice president of products, security and application management, at SolarWinds.