How to Provide IoT Security in the ‘Connected Everything’ Era: NIST Guidelines
Do you remember the name Mirai? Sure, you do. Back in 2016, Mirai became the first IoT botnet to make headlines by hitting global DNS provider Dyn and taking down almost half of the Internet. Now, Mirai is back with a new target. Last week, researchers from IBM X-Force found that variants of the infamous botnet are increasingly targeting enterprise IoT devices – as opposed to simpler devices like home routers and CCTV cameras.
Are organizations prepared?
It’s no secret that IoT-based attacks are already a problem. Businesses face serious risks from IoT devices and almost 20% of organizations have detected an IoT-based attack in the past three years, according to a 2018 Gartner IoT Security Survey Report. Yet, most organizations are just starting to think about how to manage IoT risks and who they can turn to for help. With a call for governments to provide more robust IoT security guidelines, the newly published guide by NIST (National Institute of Standards and Technology) is a fantastic step forward.
The 44-page document, NISTIR 8228 “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” aims to help federal agencies and other large organizations better understand and manage the cybersecurity and privacy risks associated with their IoT-based services. NIST is a non-regulatory federal agency within the U.S. Department of Commerce and its publications serve as industry guidelines, not as legal requirements.
This informational report outlines the risks and lays out three high-level goals for mitigating them: device security, data security, and individual privacy. The document is the first asset in a planned series of publications on more specific aspects of this topic, which are planned for release soon. It’s great to see that the IoT security ecosystem is developing and government agencies are finally taking action in this field.
Organizations should work on adopting emerging IoT security best practices and keep an eye on new helpful resources out there.
IoT devices are “Not Secure by Design”
By the end of 2020, IoT devices will grow to 50 billion units installed globally. The rollout of 5G networks will provide another boost to the IoT ecosystem. Smart cities, smart buildings, Industrial IoT, smart manufacturing – all the devices surrounding us at home, in cities, and at work are becoming smart and connected.
IoT devices are easy targets for hackers as they often couple traditionally poor vendor support, and sparse patching with a lack of ‘security by design standardization and regulatory compliance. With billions of devices already connected, many manufactured up to 7-10 years ago, the existing installed base is quite old and vulnerable. Each of these devices represents a potential point of vulnerability to be exploited by hackers. The bottom line is that you cannot expect IoT devices to take care of their own security.
Why are IoT security threats on the rise?
IoT devices are quickly proliferating inside business environments, creating new network security challenges and amplifying the shadow IT problem. IoT devices typically take the form of sensors, smart devices, printers, cameras, thermostats, voice-activated personal digital assistants — anything containing electronics that’s able to connect to a corporate network. Most companies aren’t aware of every insecure device or application on their premises, many of which are personal equipment introduced into the network by employees.
This massive IoT deployment creates a huge attack base and huge opportunities for hackers. The new attacks are alarming for their scope, impact, and the ease with which attackers can employ them. Large-scale IoT DDoS botnets can overwhelm the entire network and shut down physical operations in a smart city by paralyzing smart grid operations, power plants, transportation, and hospitals and the list goes on.
What should CSPs be doing?
These threats are creating opportunities for CSPs. They are best positioned to address the first mitigation goal NIST mentions in their report; to protect device security and prevent a device from being used to conduct cyberattacks. How do you do that? One option is implementing security at the endpoint. The challenge is that IoT devices are diverse and generally have low power and performance, making it almost impossible to install anything on the devices themselves.
Although security by design is a must-have, personal devices, and the existing vulnerable installed base, must be protected from the network for both remote and on-premise devices. The network is a real asset for providing IoT security services. it’s like stopping the bad guys at the entrance to your city instead of at the front door of your house.
If you want to learn more about protecting your customers using network-based solutions, contact us today.