The recent Distributed Denial of Service (DDoS) attack that took down a number of well-known websites was another in a string of wake up calls that are becoming more and more alarming. The October 21 attack was a follow up to a September attack, and both took advantage of vulnerabilities in home-connected IoT devices.
These attacks are making home users and operational technology (OT) users fearful as IoT devices become more prevalent on all types of networks. According to a security panel at a KMC conference in early October, the code written for these attacks is not advanced, but it does pose a threat due to its widespread availability. The hackers released the malware code online for the public, so anyone with bad intentions has a fast start to launching their own DDoS attack.
Home networks and OT networks share some attributes that make them easy targets for hackers, especially around security. Typically, the general attitude is that what happens on these networks is so mundane that no one would put resources into launching an attack. That cavalier thinking poses a real threat.
“The malware community is waiting for unprotected devices and openings,” says Jennifer Gilburg, director of strategy at Intel’s IOT Security Group. “Applying a few best practices from IT is a good start toward preventing these types of attacks.”
Adding Layers of Protection for IoT
Smart DVD players, Internet-enabled cameras and IP security systems are among the home devices that are easy prey for hackers. When home owners add this equipment to their networks they rarely change the manufacturers’ default password, or they choose a password that is much too easy to guess, such as their address, last name or 1234.
Home owners aren’t the only ones ignoring password-protection best practices. BMW took the easy path for security in its connected car and regretted it. The automaker assigned the vehicle identity number as its identification code, making it vulnerable to hacks during session management.
“Simply changing the password can push the security posture up 90 percent,” said Gilburg.
As more devices join the OT network, managers can learn from what’s happening to home owners and make their networks safer with these extra precautions.
- Change passwords (using a combination of a phrase, upper case and lower case letters, numbers and symbols is more secure than a word)
- Schedule port scans
- Create staging environments
- Conduct reliability and remote PIN testing
- Close all open ports
- Allow hot code patching
- Threat model every device
- Create an access governance strategy
- Consider PKI for authentication
Security Is a Safe IoT Entry Point for Solution Providers
This list is far from comprehensive, but it’s a good place to start. For longtime IT personnel, these practices are well known and common starting points when testing new network infrastructure. They are much less known within OT. Among OT providers at the conference, the gap between IT and OT is achingly wide. Many expressed the difficulty of finding someone in IT to help them with their IoT projects and a lack of understanding about IT security requirements.
Intel has developed an IoT reference architecture to bring intelligence to endpoint things by enabling edge analytics, standards compliance, and direct-connect cloud control. The vertical security layer (right) secures all layers, which is critical for satisfying the security tenet.
Photo credit: Intel® IoT Platform Reference Architecture white paper
OT expects that manufacturers will build the necessary security into their solutions. But the OT manager often doesn’t have the expertise to test every integrated solution and may miss some security requirements that IT expects. The risk for managers—and the business—is real, as IoT projects are in danger of becoming delayed or possibly shut down if IoT devices do not meet IT security requirements.
Solution providers who understand IT security can find a strong foothold in IoT deployments for industrial, smart building, manufacturing and other operational environments. Security is awash with acronyms and technologies that are unfamiliar to the managers leading these projects. Resources, such as the guidelines currently in development from the Department of Homeland Security, the Industrial Internet Consortium, OpenFog Consortium and others can help organizations begin to understand the layered approach that IT expects from IoT devices, architectures and deployments.
Reviewing IoT devices, designing secure IoT architectures, testing device security and educating the OT team on security are premium, high-margin services for solution providers in IoT deployments. In most cases, the decision makers (building and facility managers, line managers, quality control managers and operations managers) have no IT or security expertise and are looking for support, so they can move their IoT projects forward.
Learn more about security on the Intel® IoT platform.