Some of us remember the industry buzz just before Windows 2000 came out. Microsoft was driving a framework with Windows 2000 that really predicted the massive increase in devices that would ultimately connect back to the Internet. I still remember my boss at the time, enthusiastically explaining that this was the future: a world where “even refrigerators and coffee pots would have IP addresses”. I was a teenager, and simply couldn’t imagine a world like that. It seemed like it would be just a bunch of buzz that would inevitably pass. Well, it didn’t.
“Internet of Things” (IoT) describes networks of physical devices that ultimately need to interoperate with something on the Internet: building sensors, badge readers, vehicles, TVs, and yes, even the refrigerator and the coffee pot. The main traffic flow for these devices is overwhelmingly (likely 95% or more) “north and south”, mainly reporting home to some sort of command and control. Note that “command and control” here means the vendor’s cloud back end, not a malware controller, although the traffic pattern of a device phoning home on a schedule looks much the same on the wire.
Let’s take a refrigerator as an example: The refrigerator has a “computer” in it for lack of a better term. This computer collects data such as current temperature of the refrigerator and freezer, how often the condenser needs to run to keep it cool, efficiency ratings, diagnostic information, etc. It sends that information back to command and control somewhere out on the Internet. Command and control then stores this data. We, as the owner of the refrigerator, may have an app on our phones where we can pull that data up and maybe change the mean temperature of our refrigerator. We might even check and see what food items we need to buy at the store, whether the refrigerator door was left ajar, and things like that. This type of thing is beautifully convenient and is feasible from wherever we have cellular data coverage…anywhere in the world. The refrigerator can report back information on its status – and can also be controlled remotely.
Now let us take that same general communication framework and change the endpoint profile a little. Instead of a refrigerator, let’s instead use the example of a motor that operates the opening and closing of a dam based on lake levels. Or maybe a master sensor that controls all of the locks for a skyscraper? Driver-less cars? How about a centralized master power switch that controls 1,500 square miles of power grid? Or a robot that performs surgical procedures? The stakes just got raised exponentially, didn’t they? They actually got fairly ominous.
The point of this article isn’t to question whether or not we should have “smart devices” and other IoT nodes on our networks. I concede that this is not just the future – it’s the here and now. It’s unavoidable. And trying to slow down the evolution of this technology in our own networks by way of cyber red-tape is not going to stop the train. At the end of the day, the top-level framework doesn’t change when working with IoT. Our job, as network security professionals, is still to identify, authenticate, authorize, secure the transport, and monitor the traffic.
The real danger that I wish to point out is that we have a tendency to ‘set and forget’ the networks that house IoT and industrial devices. These networks often contain devices that run operating systems foreign to what we’re used to: not Windows, macOS, or a flavor of Linux, but a vendor’s embedded firmware. They normally require custom profiling on the network, and they require a concerted effort on our part to learn their traffic flows, because those flows are so different from what we are accustomed to. It is also because of that stark difference in network behavior that we end up making exceptions to our corporate cyber security policies in order to get the devices up and running, and every one of those exceptions is a gap that needs to be documented and compensated for.
For those reasons alone we end up pulling our best engineers from network and cyber and placing them on the project. And as we know, engaging network and cyber was normally a last-minute afterthought, triggered only because the IoT/industrial device didn’t magically “work” when it was plugged in. Unfortunately, our best and brightest get pulled into fire drill after fire drill. What happens after they work miracles and make it work? They get pulled into another (completely unrelated) fire drill, and the project gets handed over to someone less skilled to maintain the environment. Set and forget.
Let’s face it, this is how most of our projects end up working. The travesty of that fact is a topic for a far different article. The takeaway here is that our overarching goals of cyber security still need to apply to IoT/Industrial network solutions. As stated before, we need to identify, authenticate, authorize, secure the transport, and monitor the traffic. In order to do that for these one-off types of situations, we need to do work up front to keep these networks from inevitably fitting into the “set and forget” category. The following list isn’t exhaustive, but it’s a strong start:
- Budget and project timeline need to include time for senior-level network and cyber engineers to profile the IoT/industrial devices
- Budget and project timeline need to include time for those engineers to learn and document the traffic behaviors of these devices, so that we know what to expect versus what is an anomaly (which destinations, ports, and protocols each device legitimately uses, and how often)
- Ensure that proper network profilers and identity services are active on these networks, so that an unknown device cannot simply plug in and start talking
- Ensure that proper IDS/IPS appliances have the appropriate custom signatures in place (the stock rule sets rarely cover industrial protocols) and are actively monitoring all traffic on the network
- Be very diligent when designing the gateways that control traffic flowing to and from these networks. These gateways/transfer nodes are the choke points that compromised flows will inevitably traverse, whether an attacker is pivoting in or data is being exfiltrated out, so they are where logging and enforcement pay off most
- Ensure that the finished state of the network (post-implementation), including every policy exception that was granted, is thoroughly documented and socialized
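The second item on the list (learn and document what each device normally does, then treat everything else as an anomaly) is the one that most often gets skipped once the project is handed over. The following is an added example, not code from the original article or from any vendor product, showing the simplest useful form of that idea: build a per-device baseline from flow records captured during the profiling window, then classify later flows against it. The device addresses, the vendor back-end addresses, the `10.50.0.0/24` IoT segment, and the flow records themselves are all constructed for illustration; in practice the baseline would come from a flow collector or the IDS itself.

```python
"""Baseline-and-deviation check for IoT/industrial device traffic.

Added example (not part of the original article). It implements the
article's advice to learn what a device's traffic normally looks like
during profiling, document it, and then flag anything that deviates.
All addresses and flow records below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the segment the IoT devices live on. Because the article
# notes that IoT traffic is almost entirely north/south, an unexpected
# flow that stays inside this segment (east/west) is doubly suspicious.
IOT_SEGMENT = ip_network("10.50.0.0/24")

# Constructed flow records as a flow collector might export them:
# (timestamp, src_ip, dst_ip, dst_port, protocol).
# These were "captured" during the profiling window, so they define normal.
BASELINE_FLOWS = [
    ("2020-01-06T08:00:00Z", "10.50.0.11", "203.0.113.10", 443, "tcp"),
    ("2020-01-06T08:05:00Z", "10.50.0.11", "203.0.113.10", 8883, "tcp"),
    ("2020-01-06T08:00:30Z", "10.50.0.12", "203.0.113.20", 443, "tcp"),
]

# Constructed flows seen later, in steady state, to be checked.
MONITORED_FLOWS = [
    ("2020-02-01T09:00:00Z", "10.50.0.11", "203.0.113.10", 443, "tcp"),
    ("2020-02-01T09:01:00Z", "10.50.0.11", "10.50.0.12", 502, "tcp"),
    ("2020-02-01T09:02:00Z", "10.50.0.12", "198.51.100.77", 4444, "tcp"),
    ("2020-02-01T09:03:00Z", "10.50.0.99", "203.0.113.10", 443, "tcp"),
]


def learn_baseline(flows):
    """Map each source device to the set of (dst, port, proto) it used.

    This is the 'document the traffic behaviors' step in data form.
    """
    baseline = defaultdict(set)
    for _ts, src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return dict(baseline)


def render_baseline(baseline):
    """Human-readable baseline, suitable for the post-implementation docs."""
    lines = []
    for src in sorted(baseline):
        for dst, port, proto in sorted(baseline[src]):
            lines.append(f"{src} -> {dst}:{port}/{proto}")
    return lines


def classify_flow(flow, baseline, segment=IOT_SEGMENT):
    """Return a list of reasons a flow is anomalous; empty means expected."""
    _ts, src, dst, port, proto = flow
    if src not in baseline:
        # A device we never profiled is talking: identity/profiling gap.
        return ["unknown-source"]
    if (dst, port, proto) in baseline[src]:
        return []
    reasons = ["new-destination"]
    if ip_address(dst) in segment:
        # Lateral traffic between devices that should only phone home.
        reasons.append("east-west")
    return reasons


def find_anomalies(flows, baseline, segment=IOT_SEGMENT):
    """Return (flow, reasons) for every flow that is not in the baseline."""
    results = []
    for flow in flows:
        reasons = classify_flow(flow, baseline, segment)
        if reasons:
            results.append((flow, reasons))
    return results


if __name__ == "__main__":
    learned = learn_baseline(BASELINE_FLOWS)
    print("Documented baseline:")
    for line in render_baseline(learned):
        print("  " + line)
    print("Anomalies in steady-state traffic:")
    for flow, reasons in find_anomalies(MONITORED_FLOWS, learned):
        _ts, src, dst, port, proto = flow
        print(f"  {src} -> {dst}:{port}/{proto}: {', '.join(reasons)}")
```

Running it lists the learned baseline (which is exactly what should go into the hand-over documentation) and then flags three of the four monitored flows: the lateral Modbus-style connection between two sensors, the second sensor reaching an address that was never part of its profile, and a device that was never profiled at all. The one expected flow passes silently. An allow-list baseline like this is deliberately strict; the cost is that every legitimate change (a vendor moving its back end, a firmware update adding an endpoint) has to be re-profiled and re-documented, which is the ongoing work the "set and forget" habit skips.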
IoT is an area of the technology sector that has seen exponential growth over the past few years. We need to adopt this new way of doing business into our steady-state way of doing business – both from the network and cyber security sides of the house. These organizational challenges are daunting, but not insurmountable. Thankfully, we are seeing groups popping up that are helping start this conversation. Groups such as the “Internet of Things Security Foundation”, companies like RSA, and the FTC have all been pushing this conversation into the mainstream. We all need to follow suit, and build processes that put these types of networks thoroughly on our radars.