Does securing IoT sensors make you WannaCry?
Mention IoT security to most people in the industry these days and they’re sure to make reference to the recent WannaCry ransomware attack which hit major industrial enterprises and public bodies worldwide. The malware exploited vulnerabilities in instances of Windows operating systems which were either no longer supported or unpatched, and while such weaknesses are potential threats to IoT they represent only a small proportion of the potential ways in which IoT can be attacked, writes Peter Dykes.
The problem with IoT security, particularly in the industrial sector, is that the so-called attack surface – the potentially hackable entry points – is vastly greater than in conventional IT systems given the potentially vast numbers of sensors and endpoint devices involved. Indeed, there are areas of the attack surface, such as sensors, which are unique to Industrial IoT (IIoT) which must be recognised if networks are to be secured.
Apart from the obvious threats such as employees opening loaded emails or accessing suspect websites, IIoT opens up the possibility of hundreds of thousands of potentially hackable devices connected to the internet. Of course in some industrial applications, these devices don’t actually need to be connected directly to the web, but it’s highly likely they will be connected to other systems that will be vulnerable to more conventional threats.
Henrik Kiertzer a principal cybersecurity consultant at analytics firm SAS says: “Many of these devices will be produced in jurisdictions where there is a relaxed attitude to permitting – or embedding – access to locally-produced devices, intended for export, to local security and intelligence services.”
Kiertzer, a former intelligence officer with the British Army and member of the Institute of Engineering and Technlogy (IET), explains that these inexpensive nodes have configurations and operating parameters largely held in firmware and, necessarily, are remotely configurable and controllable. While this allows the operator inexpensive and pervasive enhancement and optimisation of their network, it creates an everexpanding attack surface – and access, if necessary through consumer purchase of an appropriate device. Essentially, because sensors are shipped with firmware already installed by the manufacturer, it is possible therefore that the manufacturer’s development process could be hacked and the sensor will be deployed with a built-in security risk.
A similar risk was engineered and exploited by the makers of NotPetya, the ransomware which caused global disruption on a similar scale to WannaCry, however the attack methodology was very different. Larry LeBlanc, chief engineer at Sierra Wireless says: “In the case of NotPetya, the attackers infiltrated the vendor’s software development environment and got their malware embedded in a legitimate-appearing software release. If you’re manufacturing a sensor and you are developing firmware for it, if you’ve protected the device itself and the communications channel, attackers may try to penetrate your development environment to get their malware injected.”
LeBlanc adds that this is where DevOps comes into play. It is necessary to ensure a secure environment, that the code base is properly audited and that there is no anomalous behaviour beyond that which the sensor is expected to exhibit.
So far as risks of a malware attack in the rest of the network go, some solutions such as those outlined earlier, are obvious. These include: rigidly enforcing staff procedures regarding opening emails, attachments and restricting access to websites. However, both newly-implemented IIoT networks and those connected to conventional IT networks require far more stringent precautions than most enterprises and organisations have hitherto needed or had experience with deploying and managing.
As LeBlanc says: “With IIoT, we’re not just looking for viruses. Ultimately, it’s about ensuring your endpoints are running authentic code deployed from authorised entities, with features like secure boot and secure firmware update. The particular difficulty with IoT devices is that they are somewhat defenceless, they’re not within a typical security perimeter, they are scattered all over.”
“There are thermostats on office or hotel walls or sensors in remote, unmanned locations. Since the devices are physically accessible, local attacks are a concern so make it as hard as possible for anyone to get in to the device,” LeBlanc explains.
He adds that so far attacks like Wannacry have relied on implicit trust between devices to propagate after initial penetration, but IoT devices can’t afford to trust anyone, all the connections need to be mutually authenticated, therefore strong cryptography is vital. “Devices talk to our AirVantage cloud platform using DTLS1.2 but we still recommend having a firewall on the device,” he says. “We also recommend having a private APN to force attackers to penetrate multiple layers of defence to reach your devices.”
There are some in the industry however, who believe that while deploying next-gen firewalls, VPNs, using high levels of encryption and defining access control are valid methods of securing devices, these methods will ultimately fail to provide the levels of security necessary for IIoT. One such is Erik Giesa, vice president of product management at Tempered Networks, which has developed a solution based around Host Identity Protocol (HIP).
Giesa says, “Identity is the future. The fundamental problem with IIoT security today is that it is completely based on IP addresses alone. The basis of Tempered Networks’ solution is that before any session can be established between two or more machines, it must first be authenticated and authorised using a unique cryptographic identity rather than just an IP address.”
Using a central controller, the Tempered solution allows users to define which machines can communicate with one another, meaning that hackers will not be able to discover elements on the network because those elements will not be authorised to communicate with the hacker’s machine. Additionally, if a hacker does manage to compromise a machine or endpoint, the malware will only be able to infiltrate those machines with which the hacked machine has permission to communicate for end-to-end security, thus limiting the spread of the malware. On initial inspection, and if Giesa is right, HIP could be the solution to IIoT security that everyone is looking for.