Mark Weir, regional director – UK & Ireland, Fortinet

We've all heard about how IoT is part of a networking revolution that is transforming the world. Experts predict that the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020, and to 75.4 billion in 2025. That is approximately 4.3 internet-connected devices for every man, woman, and child on the planet, spanning everything from washing machines, to televisions, doorbells, connected cars, street lamps, and many, many more.

The benefits driving this growth are numerous, including generating revenue, increasing businesses' productivity, improving quality of life, and even saving lives. However, the IoT also introduces several critical challenges, not least of which are, “how do we connect and manage so many devices?” and “how do we secure so many devices and so much traffic?”

The answer to these questions becomes difficult to find when considering that nearly every new “thing” being added to the internet now has its own OS.

The IoT OS brouhaha

We can blame most of the internet security issues of the past 20 years on vulnerable operating systems and programmes. That is because, until now, only a handful of operating systems ruled the world. However, with the rise of the IoT, internet security engineers have to deal with securing hundreds of operating systems – all of which are susceptible to attack. This is because, in order to fit into the small footprints of the devices they provide connectivity for, many of the operating systems installed on IoT devices cut down on security, if it is considered at all. Most of these devices run on their own proprietary versions of Linux, Android, or increasingly, some other operating system cobbled together with poorly written code embedded with hardcoded backdoors.

IoT devices are being manufactured without any standards at all, except that they allow internet connectivity. Since IoT wasn't on the horizon when most wireless solutions were deployed, the growing volume of IoT and user devices is now overwhelming these access points. In addition, because most IoT devices do not have security installed, the need to apply security inspections and monitoring is creating a bottleneck. As a result, the possibility of using IoT devices as a launch pad for an attack, which many in the security industry considered theoretical, is rapidly becoming a reality, especially in the wake of incidents such as the massive distributed denial-of-service (DDoS) attack against the services offered by DYN.com.

How a lack of standards impacts security

As the number of private versions of operating systems begins to proliferate in the market, things get out of hand very quickly, making it increasingly difficult for OS and security vendors to focus on and find vulnerabilities and provide patches and fixes in a reasonable manner and time. Given the volume of available devices and OSs, the proactive detection of vulnerabilities is increasingly difficult to achieve. Instead, many won't be discovered until after they have been exploited, and then vendors will have to be found and informed, and the vulnerabilities corrected. And even that may not be enough.

This has led to exponential growth in attacks directed against IoT devices over the past few months. The recent notorious IoT-based Mirai DDoS attack was caused by the exploitation of a known vulnerability in the operating systems used by dozens of CCTV cameras and DVRs. And a newly discovered Trojan malware, dubbed Rakos, uses a brute force SSH login attack to compromise IoT devices embedded with vulnerable versions of Linux. What would happen if someone found similar vulnerabilities in smart TVs or washing machines, and then in connected doorbells or even power grids?

Regaining control through standardisation

As many IoT devices are headless – meaning that they have no capability for security built in, and therefore cannot be patched – other security measures will have to be developed. Until then, the internet will face the havoc resulting from IoT-based shadownets for hire, and major DDoS attacks and cyber-wars will be launched by exploiting IoT vulnerabilities.

Legislative bodies in Europe and the US have already begun to look at this issue and propose new laws and standards. In addition, buyers of IoT devices also need to unite to force vendors to standardise on the operating systems they use so that this escalating situation can be brought under control. When it comes to securing IoT operating systems, here are three key steps to consider: 

1. Learn: Enterprise security solutions require complete network visibility to securely authenticate and classify IoT devices. Real time discovery and classification of devices allows the network to build risk profiles and automatically assign them to IoT device groups along with appropriate policies.

2. Segment: Once armed with complete visibility and management, it is necessary to understand and control the potential IoT attack surface. Segmenting IoT devices and communications into policy-driven groups and secured network zones allows the network to automatically grant and enforce baseline privileges suitable for a specific IoT device risk profile.

3. Protect: Policy-driven IoT groups combined with internal network segmentation enable multi-layered monitoring, inspection, and enforcement of device policies based on activity anywhere across the distributed enterprise infrastructure. An integrated and automated security framework – designed to tie your distributed security devices together to increase visibility and coordinate responses to attacks – enables the correlation of intelligence between different network and security devices, as well as the automatic application of advanced security functions to IoT devices and traffic anywhere across the network, especially at access points, cross-segment network traffic locations, and in the cloud.
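
The three steps above as one small pipeline, in an added example that is not part of the original article or any vendor's product. The inventory and flow records are constructed, and the field names, group names, VLAN labels and addresses are hypothetical: devices are classified into risk groups, each group carries a default-deny egress allowlist, and flows outside it are reported.

```python
from ipaddress import ip_address, ip_network

# Constructed discovery records (hypothetical field names), keyed by device IP.
INVENTORY = {
    "10.20.0.11": {"kind": "ip-camera", "patchable": False, "listening": {23, 80, 554}},
    "10.20.0.12": {"kind": "dvr",       "patchable": False, "listening": {22, 80}},
    "10.20.0.30": {"kind": "smart-tv",  "patchable": True,  "listening": {8008}},
    "10.20.0.99": {"kind": None,        "patchable": False, "listening": set()},
}
ADMIN_PORTS = {22, 23}  # SSH and Telnet remote-login services

# Segment: each group maps to a zone and a baseline egress allowlist (network, port).
POLICY = {
    "quarantine": {"zone": "vlan-999", "allow": []},
    "iot-high":   {"zone": "vlan-210", "allow": [("10.50.0.10/32", 554)]},  # recorder only
    "iot-std":    {"zone": "vlan-220", "allow": [("0.0.0.0/0", 443)]},
}

def classify(device):
    """Learn: turn a discovery record into a risk-based group."""
    if device is None or device["kind"] is None:
        return "quarantine"  # unknown devices get no baseline privileges
    if not device["patchable"] or device["listening"] & ADMIN_PORTS:
        return "iot-high"
    return "iot-std"

def decide(src, dst, port):
    """Protect: default-deny check of one flow against the source's group policy."""
    group = classify(INVENTORY.get(src))
    for net, allowed_port in POLICY[group]["allow"]:
        if port == allowed_port and ip_address(dst) in ip_network(net):
            return group, "allow"
    return group, "deny"

def audit(flows):
    """Return (flow, group) for every denied flow; these are the alerts to review."""
    return [(f, decide(*f)[0]) for f in flows if decide(*f)[1] == "deny"]

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.11", "10.50.0.10", 554),    # camera streaming to its recorder
    ("10.20.0.11", "203.0.113.7", 23),    # camera opening Telnet outside its zone
    ("10.20.0.30", "198.51.100.5", 443),  # TV using HTTPS
    ("10.20.0.99", "10.50.0.10", 554),    # unclassified device
    ("10.20.0.12", "10.20.0.11", 22),     # DVR opening SSH to the camera
]

if __name__ == "__main__":
    for flow, group in audit(FLOWS):
        print("DENY", group, flow)
```
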

Securing IoT devices requires adequately protecting them from the vulnerabilities being introduced as a result of them not being designed with adequate security. Access control, distributed threat intelligence, and consistent security that can span across physical and cloud environments are essential to safeguard against today's IoT-based risks.

Contributed by Mark Weir, regional director – UK & Ireland, Fortinet

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.