Does securing IoT sensors make you WannaCry?

Mention IoT security to most people in the industry these days and they’re sure to make reference to the recent WannaCry ransomware attack which hit major industrial enterprises and public bodies worldwide. The malware exploited vulnerabilities in instances of Windows operating systems which were either no longer supported or unpatched, and while such weaknesses are potential threats to IoT they represent only a small proportion of the potential ways in which IoT can be attacked, writes Peter Dykes.

The problem with IoT security, particularly in the industrial sector, is that the so-called attack surface – the potentially hackable entry points – is vastly greater than in conventional IT systems given the potentially vast numbers of sensors and endpoint devices involved. Indeed, there are areas of the attack surface, such as sensors, which are unique to Industrial IoT (IIoT) which must be recognised if networks are to be secured.

The threats

Apart from the obvious threats such as employees opening loaded emails or accessing suspect websites, IIoT opens up the possibility of hundreds of thousands of potentially hackable devices connected to the internet. Of course in some industrial applications, these devices don’t actually need to be connected directly to the web, but it’s highly likely they will be connected to other systems that will be vulnerable to more conventional threats.

Henrik Kiertzer: principal cybersecurity consultant at SAS

Henrik Kiertzer a principal cybersecurity consultant at analytics firm SAS says: “Many of these devices will be produced in jurisdictions where there is a relaxed attitude to permitting – or embedding – access to locally-produced devices, intended for export, to local security and intelligence services.”

Kiertzer, a former intelligence officer with the British Army and member of the Institute of Engineering and Technlogy (IET), explains that these inexpensive nodes have configurations and operating parameters largely held in firmware and, necessarily, are remotely configurable and controllable. While this allows the operator inexpensive and pervasive enhancement and optimisation of their network, it creates an everexpanding attack surface – and access, if necessary through consumer purchase of an appropriate device. Essentially, because sensors are shipped with firmware already installed by the manufacturer, it is possible therefore that the manufacturer’s development process could be hacked and the sensor will be deployed with a built-in security risk.

A similar risk was engineered and exploited by the makers of NotPetya, the ransomware which caused global disruption on a similar scale to WannaCry, however the attack methodology was very different. Larry LeBlanc, chief engineer at Sierra Wireless says: “In the case of NotPetya, the attackers infiltrated the vendor’s software development environment and got their malware embedded in a legitimate-appearing software release. If you’re manufacturing a sensor and you are developing firmware for it, if you’ve protected the device itself and the communications channel, attackers may try to penetrate your development environment to get their malware injected.”

LeBlanc adds that this is where DevOps comes into play. It is necessary to ensure a secure environment, that the code base is properly audited and that there is no anomalous behaviour beyond that which the sensor is expected to exhibit.

The solutions

So far as risks of a malware attack in the rest of the network go, some solutions such as those outlined earlier, are obvious. These include: rigidly enforcing staff procedures regarding opening emails, attachments and restricting access to websites. However, both newly-implemented IIoT networks and those connected to conventional IT networks require far more stringent precautions than most enterprises and organisations have hitherto needed or had experience with deploying and managing.

As LeBlanc says: “With IIoT, we’re not just looking for viruses. Ultimately, it’s about ensuring your endpoints are running authentic code deployed from authorised entities, with features like secure boot and secure firmware update. The particular difficulty with IoT devices is that they are somewhat defenceless, they’re not within a typical security perimeter, they are scattered all over.”

“There are thermostats on office or hotel walls or sensors in remote, unmanned locations. Since the devices are physically accessible, local attacks are a concern so make it as hard as possible for anyone to get in to the device,” LeBlanc explains.

Larry LeBlanc: chief engineer at Sierra Wireless

He adds that so far attacks like Wannacry have relied on implicit trust between devices to propagate after initial penetration, but IoT devices can’t afford to trust anyone, all the connections need to be mutually authenticated, therefore strong cryptography is vital. “Devices talk to our AirVantage cloud platform using DTLS1.2 but we still recommend having a firewall on the device,” he says. “We also recommend having a private APN to force attackers to penetrate multiple layers of defence to reach your devices.”

There are some in the industry however, who believe that while deploying next-gen firewalls, VPNs, using high levels of encryption and defining access control are valid methods of securing devices, these methods will ultimately fail to provide the levels of security necessary for IIoT. One such is Erik Giesa, vice president of product management at Tempered Networks, which has developed a solution based around Host Identity Protocol (HIP).

Giesa says, “Identity is the future. The fundamental problem with IIoT security today is that it is completely based on IP addresses alone. The basis of Tempered Networks’ solution is that before any session can be established between two or more machines, it must first be authenticated and authorised using a unique cryptographic identity rather than just an IP address.”

Using a central controller, the Tempered solution allows users to define which machines can communicate with one another, meaning that hackers will not be able to discover elements on the network because those elements will not be authorised to communicate with the hacker’s machine. Additionally, if a hacker does manage to compromise a machine or endpoint, the malware will only be able to infiltrate those machines with which the hacked machine has permission to communicate for end-to-end security, thus limiting the spread of the malware. On initial inspection, and if Giesa is right, HIP could be the solution to IIoT security that everyone is looking for.

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Vertiv Research defines standard models for deploying edge infrastructure

Posted on: October 19, 2021

Vertiv, a global provider of critical digital infrastructure and continuity solutions, released the results of an in-depth research project to identify edge infrastructure models to help organisations move toward a more standardised approach to edge computing deployments, with the intent to improve costs and deployment times.

Read more

Nuuday infuses AI into customer experience with the Avaya OneCloud experience platform

Posted on: October 19, 2021

Nuuday, Denmark’s provider of broadband, communication and entertainment services, has launched “Josefine,” an AI-powered voicebot capable of delivering dynamic, immediate and personalised experiences for customers interacting through its Avaya OneCloud communications and collaboration platform.

Read more