Recently, the National Institute of Standards and Technology (NIST) released a draft publication, NIST Internal Report (NISTIR) 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. It is intended to serve as the foundation for a series of publications on how to manage cybersecurity and privacy risks associated with IoT devices.
NISTIR 8228 is targeted to both federal agencies and private organizations, and identifies three serious security vulnerabilities of IoT devices. NISTIR 8228 also defines three goals for risk mitigation.
NISTIR 8228―Detailing Security Vulnerabilities of IoT Devices
IoT devices interact with the physical world in ways that traditional IT devices do not. Unlike computers, tablets, or smartphones, IoT devices do not run on Windows or Mac OS operating systems. Yet many of these devices are connected to the internet, allowing points of entry to otherwise secure computer networks.
IoT devices usually operate on customized, proprietary operating systems which are difficult or impossible for IT personnel to monitor and patch, so the only way to mitigate risk is to put them on the company network behind VLAN firewalls, to prevent the devices from accessing the more sensitive parts of the network. If hackers gain access to an IoT device on the network—typically because they’ve located a vulnerability in the operating system designed and installed by the device manufacturer—they can launch an attack on any computer connected to that network. The most common type of attack is a simple SSH password brute force attack, which usually just uses default credentials.
In addition, IoT devices can be recruited as botnets to use in distributed denial-of-service (DDoS) attacks. In October of 2016, the internet domain service Dyn suffered the largest DDoS attack in history. The attackers recruited millions of unsecured IoT devices into a botnet army to direct massive traffic to Dyn sites, causing traffic to slow to a crawl and eventually crash the sites. Hackers gained access to the IoT devices by exploiting vulnerabilities in the devices’ proprietary operating system software.
The risks don’t end there. Some IoT devices have the ability to make changes to physical systems such as HVAC, elevators, sprinkler systems, and others that, if commandeered, could pose physical damage or safety risks.
NIST IoT Framework Recommendations
To address cybersecurity and privacy risks, the NIST IoT framework recommends actions organizations can take throughout the IoT device lifecycle. These include:
- Understanding the risk challenges.
- Adjusting organizational policies and processes to address those challenges.
- Implementing updated risk mitigation practices for IoT devices.
According to NIST, there has been a great deal of interest in establishing security and privacy baselines to aid risk mitigation. Much of the focus has been on manufacturers building security and privacy capabilities into their devices. While that may be the solution moving forward, there are currently millions of IoT devices in use that lack these capabilities. It will take time for manufacturers to improve pre-market security and privacy capacity and build it into their devices; there will also be additional challenges around adding these capabilities without making IoT devices too costly.
There are other considerations outlined in the NIST IoT framework concerning the type and level of security needed by different IoT devices. For some, only the device itself may need protection. Other devices may need data security in addition to device security, and some may need privacy protection as well as device and data security. To date, those discrete requirements have not been differentiated, leaving organizations to decide which ones apply to any particular IoT device and use.
The NIST IoT framework provides a useful starting point for addressing the risks associated with unsecured IoT devices, but it is only the first step. Still to come are the challenges of designing and building cost-effective secure devices and addressing the risks posed by the millions of IoT devices already in use.
Two years have passed since the Dyn attack demonstrated the vulnerabilities of many IoT devices currently in use, and it’s likely several more will pass before manufacturers of these devices find pre-market solutions for security risks. How can companies mitigate the risks posed by the IoT devices they use for automated tracking and monitoring of assets and materials in the meantime?
One simple approach that can greatly increase the security of off-the-shelf IoT devices is to simply change the default passwords programmed into the devices by manufacturers. This is a straightforward solution for consumers, who may only have a few IoT devices. But for businesses that have hundreds of devices―or more―in use for asset tracking and monitoring, it is an unsatisfactory one, due to the time and labor required to reprogram hundreds of tags.
If your business is looking for a secure way to implement IoT technology, talk to Link Labs. Our AirFinder system isolates IoT devices on dedicated networks separate from company computer networks and does not use standard IP protocols, making them difficult to compromise. For wide-area networks, our Symphony Link system incorporates public key infrastructure (PKI), considered secure by NSA standards, firmware-over-the-air to quickly and easily patch vulnerabilities without physical access to devices, real-time Advanced Encryption Standard (AES) key exchange, and bank-grade Transport Level Security (TLS) for network traffic. For secure tracking systems that are easy to deploy and avoid the common IoT security risks outlined in NISTIR 8228, contact Link Labs today.