Anil Lamba

Network Segmentation - a Key Measure for IOT Security

The proliferation of Internet of Things (IoT) devices is increasing the chances of unauthorized access to network resources and critical data. Enabling policies such as "zero trust" and network segmentation can minimize the risks of data breaches. Not only do users need to have the right credentials to access the network, as well as specific data related to their task, their devices -- smartphones, tablets, PCs -- need to be paired with them to ensure no one else can use the credentials to log in.

One day, the number of connected devices within the Internet of Things (IoT) will easily eclipse the worldwide installed base of PCs and smartphones combined. IT research firm Gartner estimated this could happen as soon as 2020, when there could be approximately 21 billion IoT devices.

There are several reasons why IoT is expanding so rapidly. At its core, it offers virtually endless options for extending IP network connectivity to domains that have traditionally lacked it. Every sector from health care to manufacturing will be able to leverage IoT to connect disparate systems and achieve new operational efficiencies. For example, hospitals could use non-invasive IoT sensors to monitor patients and send key information to the cloud for delivery to other systems.

However, the IoT also creates many new security-related complications. IT administrators must now manage an increasing variety of IoT devices – some without traditional interfaces for receiving patches. Small and medium enterprises (SMEs), in particular, face challenges in ensuring their IoT initiatives are safe enough to use. What are their options?

A Smart IoT Security Practice for SMEs - We’ll dive further into a number of these challenges in my upcoming articles, which will be focused on endpoint protection through controlled access and privileges. As a prelude to those articles, let’s examine one of the most effective countermeasures to the vast spectrum of IoT threats:

Network Segmentation.

The basics of Network Segmentation - Network segmentation refers to the division of a network into subnets, typically for purposes of improved performance and enhanced security. With a segmented network, you can separate the traffic of internal users from that of guests and external contacts. Moreover, you can further fine-tune the segmentation so that there are individual segments for your web servers and databases, as well as employee devices.

Physical segmentation is even mandated under specific regulations such as PCI DSS. In addition to standardized compliance, segmentation also makes it more difficult for outsiders to penetrate your network via an unsecured IoT device, while shielding sensitive data from overly curious insiders.

Why segmenting your network mitigates IoT risks - How does network segmentation work? Consider a guest Wi-Fi network, which is the IT equivalent of a visitors’ parking lot. It has a limited, self-contained scope, as well as key restrictions on its use. Visitors log on to this guest Wi-Fi, while employees use a restricted access network.

The separation is critical, since outsiders inevitably use unmanaged hosts and endpoints not provisioned by IT. This issue will only become more pronounced as IoT expands the overall number and variety of possible devices. To keep all untrusted devices in the guest network, it’s important to:

Create a unique SSID for the network, leading to an isolated VLAN that connects to the internet separately from the internal network. A dedicated circuit for the guest network may also be installed.

Require that passwords be entered through a captive portal. This not only prevents network overuse, but also enables logging of every visitor and the enhanced access controls – including session termination – that come with it.

Monitor all traffic on the guest network. It may be segmented and have its own circuit, but you don’t want it to become a blind spot in your IoT defense. Managed detection and response (MDR) via a security information and event management (SIEM) solution can ensure you keep tabs on network activity and spot anomalies quickly.

These measures and others help reduce the total attack surface, even as your IoT infrastructure expands. Your internal network structure remains invisible to guest users. Plus, if there is a security incident involving a guest, it’s relatively easy to contain and won’t spread to more important assets.

Ultimately, network segmentation works by restricting the flow of traffic between zones. Your security team gains granular control over who has access to what, allowing them to head off common IoT threats such as botnet-enabling malware that thrives on easy proliferation across devices.

For example, IoT endpoints like IP cams and “smart” home security devices are notorious for their security vulnerabilities. The Persirai botnet alone, discovered in 2017, exposed 120,000 such cameras according to Dark Reading.

Implementing network segmentation and MDR and SIEM within a security operations centre (SOC) is your best defense against these types of cyber-attacks.
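The zone policy described above (default deny between the guest, IoT and internal segments, plus monitoring that notices a device probing across zones), as an added Python example that is not from the original article; the zone names, addresses, ports and sample flows are constructed for illustration.

```python
import ipaddress

# Constructed zones: each VLAN is its own subnet (addresses are illustrative).
ZONES = {
    "guest": ipaddress.ip_network("192.168.50.0/24"),
    "iot": ipaddress.ip_network("192.168.60.0/24"),
    "internal": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
}

# Default deny between zones: only these (src_zone, dst_zone, dst_port) tuples
# pass, None meaning any port. Nothing from "guest" or "iot" reaches the inside.
ALLOW = {
    ("guest", "internet", None),
    ("iot", "internet", 443),        # cameras may only reach their cloud over TLS
    ("internal", "internet", None),
    ("internal", "servers", 443),
    ("internal", "servers", 5432),
}
LATERAL_THRESHOLD = 3  # distinct denied targets before a source is flagged


def zone_of(ip):
    """Map an address to its zone; anything outside our subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allowed(src_ip, dst_ip, dport):
    """Inter-zone flows must match an ALLOW rule; traffic inside one zone is
    not filtered here (that is what micro-segmentation adds)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return (src, dst, dport) in ALLOW or (src, dst, None) in ALLOW


def evaluate(flows):
    """Decide each flow and return (decisions, alerts). A source denied access to
    LATERAL_THRESHOLD distinct hosts behaves like scanning malware: report it so
    the SOC can isolate it before it finds an intra-zone victim."""
    decisions, denied_targets = [], {}
    for src, dst, dport in flows:
        ok = allowed(src, dst, dport)
        decisions.append((src, dst, dport, "ALLOW" if ok else "DENY"))
        if not ok:
            denied_targets.setdefault(src, set()).add(dst)
    alerts = sorted(s for s, t in denied_targets.items() if len(t) >= LATERAL_THRESHOLD)
    return decisions, alerts


# Constructed sample flows: normal traffic plus one camera probing other zones.
SAMPLE_FLOWS = [
    ("192.168.60.15", "203.0.113.9", 443),  # camera -> its cloud service
    ("10.0.10.7", "10.0.20.5", 5432),       # workstation -> database
    ("192.168.50.20", "10.0.20.5", 443),    # guest -> internal server
    ("192.168.60.15", "10.0.20.5", 22),     # camera -> server (SSH)
    ("192.168.60.15", "10.0.20.6", 22),
    ("192.168.60.15", "10.0.10.7", 445),    # camera -> workstation (SMB)
]
```

Running `evaluate(SAMPLE_FLOWS)` denies every cross-zone attempt from the guest and the camera and flags the camera alone, since it is the only source that tried three different hosts.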

New security measures also need to be implemented to stop potential damage from the inside. Threats inside the network are often left uninspected as they are invisible, letting them move wherever they choose to extract sensitive, valuable business data or cause substantial damage.

Never trust, always verify - The central principle of a zero-trust approach is: "Never trust, always verify." To have an effective zero-trust policy it is necessary to implement several criteria:

Use user location and device ID to grant access: Securely identifying the user is not enough. Before granting access to data and resources, IT also needs to verify the device being used and the location of that device.

Inspect and log all traffic: Inspecting all traffic is part of the "always verify" approach. A detailed log of all devices connecting to the network should be kept, and further analyzed by looking for changes such as time of access, location, IP addresses, type of data requested, etc. This way if a user or device shows unusual behavior accessing data or resources, it can be singled out for further inspection.

Have a least-privileged access strategy: Many organizations trust all users to access everything in the network. Businesses need to strictly enforce access control, limiting each individual user to only the resources they need. Additionally, limiting access to critical resources reduces the risk of spreading malware. Although this policy can sometimes create more work -- when additional resources have to be granted to a user, for example -- the benefits are more significant in the long term.

Add additional authentication systems: Two-factor authentication for users should be a must by now. Beyond that, the hardware being used, and the other devices connected to it, should be authenticated as well.

Zero trust and IoT - The proliferation of IoT devices, both in the home and the office, adds a significant layer of potential threats to every organization's IT resources. For example, a valid user accessing the corporate network with a smartphone, which in turn is connected through Bluetooth to a smartwatch, could give an app running on the watch access to the company's network.

The same goes for code running on IoT devices within the organization, such as thermostats, sensors and IoT gateways. That's why it is just as important to limit each IoT device's access to only the network resources it needs to conduct its service.
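An access decision that applies the four zero-trust criteria above, and the IoT-device point that follows them, to both a user and a thermostat gateway; this is an added Python example, not the author's, and the principals, device IDs, locations and resource names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Principal:
    """A user or an IoT device. Constructed fields: the device IDs paired to it,
    the least-privilege set of resources it needs, and where it normally is."""
    name: str
    paired_devices: frozenset
    allowed_resources: frozenset
    usual_locations: frozenset
    mfa_required: bool = True


@dataclass
class Request:
    user: str
    device_id: str
    location: str
    resource: str
    mfa_passed: bool = False


DIRECTORY = {  # constructed sample directory
    "alice": Principal("alice", frozenset({"laptop-a1", "phone-a1"}),
                       frozenset({"crm", "wiki"}), frozenset({"office", "home"})),
    # An IoT gateway is a principal too: one fixed device ID, one backend, no MFA prompt.
    "thermostat-7": Principal("thermostat-7", frozenset({"thermo-7"}),
                              frozenset({"hvac-api"}), frozenset({"office"}),
                              mfa_required=False),
}
AUDIT_LOG = []  # every decision is logged, allowed or not


def decide(req):
    """Return (allowed, reason). Each check is a separate verification step;
    the first failure decides, and the request is logged either way."""
    p = DIRECTORY.get(req.user)
    if p is None:
        verdict = (False, "unknown principal")
    elif req.device_id not in p.paired_devices:
        verdict = (False, "device not paired to this principal")
    elif p.mfa_required and not req.mfa_passed:
        verdict = (False, "second factor missing")
    elif req.location not in p.usual_locations:
        verdict = (False, "unexpected location, flag for inspection")
    elif req.resource not in p.allowed_resources:
        verdict = (False, "resource outside least-privilege set")
    else:
        verdict = (True, "ok")
    AUDIT_LOG.append((req.user, req.device_id, req.location, req.resource, verdict))
    return verdict


def denied_entries():
    """What an analyst reviews: every logged request that was refused."""
    return [e for e in AUDIT_LOG if not e[4][0]]
```

Valid credentials presented from a device that is not paired to the user, or from an unexpected location, are refused and land in the audit log for follow-up, and the thermostat can reach its HVAC backend but nothing else.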

IoT security requires Network Segmentation - When connecting IoT devices, either consumer or corporate, one of the most important policies to implement is robust network segmentation. Improper network segmentation can significantly increase your exposure to data theft or system outages.

Virtual LANs (VLANs) and firewalls can help isolate sections of the network and ensure only authorized users and resources can access certain types of data.

Additionally, software-defined networking (SDN), a technology that in recent years has gained significant adoption, helps to realize the concept of "micro-segmentation," where traffic between any two endpoints can be analyzed and filtered based on a set policy.

Information security is probably the most critical challenge for IT today. Doing something about it before it is too late is crucial to stay in business.

Implementing zero trust and network segmentation policies is especially necessary when connecting mobile and IoT devices that are not wired into the network.

A small data breach, which can happen to any organization, can cost thousands of dollars to clean up. This can quickly put a company out of business.

5 IOT Insights from Industry Research - We are currently witnessing a growing number of IoT deployments and solutions around the world. IoT security is emerging as a key component of these deployments and companies are recognizing they need to get it right from the beginning. By 2022, the IoT security market is forecast to reach $4.4 billion. Various industry surveys, as well as our own research, indicate cybersecurity is the #1 concern for industrial IoT users today.

IoT Security is key for the secure development and secure operation of scalable IoT applications and services that connect the real and virtual worlds between objects, systems and people. However, IoT security is complex and the market landscape is largely fragmented, with a host of vendors competing to address the opportunity. Let’s expand on 5 IoT Security insights gathered from ongoing industry research:

1. IoT Security spending is rapidly increasing - Global end-user spending on 3rd party IoT security solutions is currently estimated at $703M for 2017 and is forecast to grow at a CAGR of 44% to become a $4.4B market by 2022, driven by new regulation and increasing IoT adoption.

In addition to the security tools provided by IoT platforms, the IoT security market is an aggregation of innovative start-ups and established firms such as global chip manufacturers, infrastructure providers, as well as cloud and enterprise software companies. There are at least 150 independent IoT security vendors addressing the challenges across all industries – of which Industrial/Manufacturing is the biggest segment for IoT security.

Example: A large auto OEM we talked to recently performed an assessment of factory vulnerabilities and concluded that there were significant gaps in today’s infrastructure. They expect to increase related spending significantly.

2. IoT introduces an increased number of security threats - (Cyber-security = Threat * Attack Possibility * Exposure / cybersecurity measures implemented) - One of the big differences between the Internet of Things and previous internet technology is that the number of possible threats is much larger, due to the following:

More points of exposure: the growing number of connected devices, applications, systems and end users mean more points of exposure.

IoT devices themselves become new attack vectors: every compromised device becomes a new possible attack point, which by definition means a higher probability of attacks.

Increased impact of attacks: With many more connected devices in many applications (i.e., hundreds of different use cases which all build on different standards, interact with different systems and have different goals), and especially in critical infrastructure applications where attacks have an increased impact (i.e., damage to the physical world and possible loss of life), the stakes are much higher, which increases the threat level.

New threats from across the stack: In addition, a more complex technology stack means new threats are possible from across the stack which must be counteracted by the implemented cybersecurity measures and by experienced security professionals.

Example: A large industrial components manufacturer we recently talked to is now connecting legacy equipment on the shop floor to the internet to enable condition monitoring and predictive maintenance solutions. They concluded that connecting the operational technology (OT) system and the information technology (IT) system – which were previously operating on two separate WiFi networks within the same building – creates new points of exposure that can be attacked. In particular, they noted that compromised 3rd party applications (i.e., from maintenance/service providers) could act as an entry point to the network and be taken advantage of to access other connected systems and bring production to a standstill.

3. IoT security happens on 4 different layers - IoT solution architectures require multi-layered security approaches that seamlessly work together to provide complete end-to-end security from device to cloud and everything in between throughout the lifecycle of the solution. The 4 layers consist of:

Device: The device layer refers to the hardware level of the IoT solution i.e., the physical “thing” or product. ODMs and OEMs (who design and produce devices) are increasingly integrating more security features in both their hardware and software (that is running on the device) to enhance the level of security on the device layer. Security components include: physical security, data at rest, chip security, secure boot, device authentication and device identity.

Communication: The communication layer refers to the connectivity networks of the IoT solution i.e., the mediums over which data is securely transmitted/received. Whether sensitive data is in transit over the physical layer (e.g., WiFi, 802.15.4 or Ethernet), networking layer (e.g., IPv6, Modbus or OPC-UA), or application layer (e.g., MQTT, CoAP or WebSockets), insecure communication channels can be susceptible to intrusions such as man-in-the-middle attacks. Security components include: access control, firewall, IPS, IDS, and end-to-end encryption.

Cloud: The cloud layer refers to the software backend of the IoT solution i.e., where data from devices is ingested, analysed and interpreted at scale to generate insights and perform actions. IoT cloud providers are expected to deliver secure and efficient cloud services by default to protect from major data breaches or solution downtime issues. Security components include: data at rest, platform and application integrity verification.

Lifecycle management: Secure Lifecycle Management refers to an overarching layer with continuous processes required to keep the security of an IoT solution up-to-date i.e., ensuring sufficient security levels are in place from device manufacture, initial installation to the disposal of things. Security components include: risk assessment, policies & auditing, activity monitoring, updates & patches, vendor control, user awareness assessment, and secure decommissioning.

4. Increasing automation of IoT security tasks - With forecasted growth to billions of IoT devices, manually handling security tasks (e.g., revoking certificates, isolating compromised devices), as is still the case in many solutions today, will not be feasible. Security automation techniques that merge security solutions and artificial intelligence are becoming more and more prevalent.

For example, next-generation activity monitoring enables advanced anomaly detection, building on sophisticated machine learning algorithms. One case includes objectively classifying ‘good’ files from ‘bad’ files based on mathematical risk factors, which means it becomes possible to teach a machine to make the appropriate decisions on these files in real time. This method drives autonomous decision making and changes the way an IoT device understands, categorizes, and controls execution of every file.

Example: One vendor's approach begins with the collection of a massive amount of data, from which they identify a broad possible set of attributes for a file. Converting these attributes to numerical values means they can be used in mathematical models. Vectorization and machine learning are applied to these models to eliminate the human impurities and speed up analytical processing. Mathematicians then develop statistical models that accurately predict whether a file is valid or malicious, enabling them to discover and quarantine threats at the endpoint.

5. Cyber-espionage groups and petty criminals are the most common IoT attackers - The 5 main types of IoT attackers today are:

Amateur hackers: e.g., script kiddies, hobbyists.

Petty criminals: e.g., low-level cyber criminals.

Cyber-espionage groups: e.g., organized syndicates or crime groups such as Armada Collective, Black Vine, GreenBug.

Terrorists / hacktivists: e.g., professional, non-state actors such as Oxblood Ruffin or political hacktivists.

State sponsored attackers: e.g., foreign espionage via state-sponsored sabotage and traditional adversarial nation-states such as Russia and China.

Each class of attacker may have different abilities, capabilities, and goals – whether on an individual or group basis (i.e., aggregating resources to work together). Given the same tool different classes of attackers may achieve different outcomes e.g., experienced cyber criminals can evade deep packet inspection tools or IDS signature detection tools whereas new hobbyists may not.

However, cyber-espionage groups with vast resources and highly skilled petty criminals are the most common type of IoT attacker. In many cases, they have developed advanced malware with the ability to mutate and evade detection for longer on IoT networks or they leverage DDoS attacks as a means for blackmail.

Example: Armada Collective is an example of a traditional cyber-espionage group that has recently demanded that businesses pay thousands of dollars (predominantly in Bitcoins or via PayPal) or run the risk of having their services brought down by crippling cyber-attacks. Although the actual members of the original Armada Collective appear to be locked up in a European jail, some enterprising, financially motivated individuals are continuing to use the group’s name for extortion.

What to Do Next to Secure your IoT Initiatives - Segmentation is just one of many actions you can take to better protect your organization from IoT vulnerabilities. Having a diverse set of cyber-security protections is ideal, in light of today’s abundance of attack vectors, which are always evolving.
