The security issues surrounding IoT and OT and how to overcome them
January 2023 by Paul Keely, Chief Cloud Officer at Open Systems
At a growing rate, organisations worldwide are taking note of the Internet of Things (IoT), deploying an ever-increasing number of these connected devices. From improving productivity and boosting employee morale to increasing the performance and reliability of manufacturing operations, enterprises are alive to the opportunities IoT can offer. In fact, businesses are projected to spend more than $400 billion globally on IoT devices by 2025.
And whilst 83% of organisations that employ IoT technology have seen a significant improvement in their business efficiency as of 2022, all that data introduces a new challenge – security. Even the most innocuous-seeming connected device poses a substantial risk. For example, the smart coffee pot idling on the side in the communal kitchen could provide a determined threat actor with a critical entry point to a corporate network. These devices are smart, but without adequate protection, there’s nothing to stop cybercriminals from taking advantage of that intelligence.
Thus, for all their advantages – and there are many – the growing adoption of IoT devices has significantly expanded the corporate attack surface, providing cybercriminals with a great deal more potential entry points through which they can access a corporate network.
But it’s not just a numbers game; many IoT devices have fundamental weaknesses that can be exploited by bad actors, leading to their compromise. Just one security flaw in one connected device can create devastating consequences for an entire organisation. After gaining initial access, a cybercriminal can move laterally through a network in search of sensitive data and other valuable assets.
Given what’s at stake, securing these devices should be a priority. Organisations need to afford IoT devices the same level of protection, urgency and attention as traditional ones, such as laptops, servers and other assets, yet in practice this is often not the case. Before we attempt to untangle why this is, we must first split out the two broad categories of connected devices and get to grips with their unique security issues: IoT security and OT security.
When we talk about IoT in business, we’re typically referring to the devices used in offices to make the workplace more comfortable, convenient, and productive for employees. These devices cover a tonne of ground in terms of functionality, from conference room sensors that detect whether they’re in use to drinks machines that monitor the temperature and stock levels of the beverages they offer.
While undoubtedly lovely to have, these kinds of devices are not essential to the functioning of the organisation. This fact, in combination with how easy they are to install, often means their deployment is handled by facilities teams and individual staff instead of IT. And it’s here where things start to get tricky from a security perspective – understanding the risk and urgency around securing IoT devices is one of the most significant challenges faced by organisations deploying them.
Unsurprisingly, facilities staff rarely know the threats an unsecured IoT device can present. They are unlikely to replace the default password on a juice maker with one that’s strong and unique when installing it. Similarly, they are unlikely to keep on top of installing patches or updating the juice maker’s firmware. These actions – and the lack of involvement from IT – make devices like the juice maker increasingly less secure as time goes on. Many of these IoT devices may no longer be supported, and many vendors may have gone out of business. Despite this, the devices often remain active and connected and become increasingly vulnerable points of entry for bad actors.
The next major factor is the devices themselves. The level of the security features implemented can vary widely between manufacturers, especially with startups that are more focused on perfecting the application (e.g., brew coffee, detect when the hopper is running low on beans, text a service provider to deliver more beans, etc.) and pay less attention to security.
It’s also common for organisations to neglect segmenting their wireless networks during an IoT deployment. This can be a major issue, giving bad actors who have compromised an IoT device unfettered network access. Creating a sub-network for smart coffee makers, for example, allows all the coffee makers in a building to communicate with the manufacturer’s management platform, but walls them off from everything else. This prevents bad actors from using a compromised coffee maker or other IoT device to penetrate further into an organisation.
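To make the segmentation point concrete, here is an added example (not code from the article or from Open Systems) that models the two situations as first-match, default-deny firewall policies and checks what a compromised coffee maker could reach under each. All addresses, segment names, the vendor platform host and the rule sets are constructed for illustration.

```python
"""Compare a flat network with a segmented IoT sub-network.

Added example, not the article's code. Addresses, segment names and rules are
constructed; the vendor management platform is a placeholder in TEST-NET-3.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # source network, CIDR notation
    dst: str             # destination network, CIDR notation
    port: Optional[int]  # destination port, or None for any port
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (
            ip_address(src_ip) in ip_network(self.src)
            and ip_address(dst_ip) in ip_network(self.dst)
            and (self.port is None or self.port == port)
        )


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule decides; a flow that matches nothing is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def reachable(rules: List[Rule], src_ip: str,
              targets: Dict[str, Tuple[str, int]]) -> List[str]:
    """Names of the targets a host at src_ip is allowed to talk to."""
    return sorted(name for name, (ip, port) in targets.items()
                  if evaluate(rules, src_ip, ip, port) == "allow")


# Weak setting: one flat /16 where everything may talk to everything.
FLAT_RULES = [Rule("10.0.0.0/16", "10.0.0.0/16", None, "allow")]
COFFEE_MAKER_FLAT = "10.0.5.20"
TARGETS_FLAT = {
    "file-server": ("10.0.1.10", 445),
    "hr-database": ("10.0.1.20", 5432),
    "vendor-platform": ("203.0.113.10", 443),  # constructed placeholder
}
# The flat policy does not even mention the vendor platform, so that flow is
# denied while every internal asset is wide open: the wrong way round.

# Corrected setting: a dedicated IoT segment that may reach only the vendor's
# management platform over HTTPS; a final catch-all rule walls it off.
SEGMENTED_RULES = [
    Rule("10.20.0.0/24", "203.0.113.10/32", 443, "allow"),
    Rule("10.20.0.0/24", "0.0.0.0/0", None, "deny"),
    Rule("10.0.0.0/16", "10.0.0.0/16", None, "allow"),  # corporate traffic
]
COFFEE_MAKER_SEGMENTED = "10.20.0.7"
TARGETS_SEGMENTED = TARGETS_FLAT


if __name__ == "__main__":
    print("flat:     ", reachable(FLAT_RULES, COFFEE_MAKER_FLAT, TARGETS_FLAT))
    print("segmented:", reachable(SEGMENTED_RULES, COFFEE_MAKER_SEGMENTED,
                                  TARGETS_SEGMENTED))
```

The ordering of the segmented rule set is the whole point: the explicit allow for the vendor platform sits before the catch-all deny, and the corporate allow rule never applies to the IoT range because the deny has already matched. A real deployment expresses the same idea as VLANs plus ACLs on the wireless controller or firewall rather than as Python, but the check is the same.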
And going back to patch management, most IT organisations do not know the number or types of IoT devices deployed throughout their business. This lack of visibility makes proper patch management extremely difficult and means that patches and firmware updates are rarely implemented.
The IoT threat landscape is also increasingly dire now that Trickbot, a malware targeting computers and IT systems, directly affects IoT devices. Trickbot has compromised IoT devices in command-and-control (C2) attacks, using them to attempt lateral movement to access a network with more critical data.
The other category of connected devices is Operational Technology (OT), also known as Industrial IoT (IIoT). Here, organisations use OT to monitor and control the equipment and processes that are key to their operations. Indeed, unlike IoT, OT applications are often mission critical.
One common application of OT is predictive maintenance, which is used to identify signs of failure in critical equipment so that maintenance can be performed to prevent a breakdown. A good example is a connected sensor that detects increased vibrations indicating the imminent failure of turbines or other high-speed rotating parts in a critical piece of machinery.
Due to their importance and high cost, IT teams generally manage the deployment and maintenance of OT systems. Whilst this sidesteps some of the risk involved with IoT – which is frequently handled by facilities staff and individual employees – it doesn’t mean OT isn’t vulnerable to threats.
In addition to the possibility of bad actors compromising OT devices to breach a network and exfiltrate valuable data, the threat of cyber-kinetic attacks that physically damage mission-critical equipment is genuine. For example, a cybercriminal could cause a CNC milling machine to overheat by preventing its cooling system from operating.
Overcoming the Challenges
Though the challenges around both types of connected devices are considerable, a lot can still be done to ensure IoT and OT devices are better protected. Some key considerations include:
• Identify all IoT and OT devices – a crucial first step in securing an organisation’s IoT and OT devices is to gain visibility of them all. This will require an updated inventory of all the devices across the company, including all relevant data about each machine.
• Segment your network – having individual sub-networks for IoT and OT devices ensures they have the connectivity required for operation, but no ability to access anything else. Implementing these air-gapped sub-networks is a simple task for IT staff and a vital way to prevent breaches from expanding.
• Exercise proper cyber hygiene – several elements are involved in establishing good cyber hygiene across connected devices. Firstly, ensure you are diligent and install patches and firmware updates promptly. Next, change all default passwords to ones that are strong, secure and highly personalised. Third, admins must ensure that they guard their login credentials with zeal.
• Ensure effective monitoring – IoT and OT devices can be daunting since each poses unique monitoring challenges. IoT and OT tend to be very noisy, often generating huge volumes of alerts, which makes it exceedingly difficult to identify the true threats amongst many more false positives. And the criticality of maintaining uptime of OT devices means that acting against a false positive can significantly impact the bottom line. That said, it’s worth the effort, and fortunately, there are security service providers who can help with this. Partnering with a security services provider is also a good option for many organisations, particularly those without a security operations centre (SOC).
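The four considerations above only work together: the inventory is what the segmentation, hygiene and monitoring steps act on. The following added example (not the article's or Open Systems' code) runs a hygiene audit over a constructed device register, flagging devices that sit outside their dedicated segment, still use default credentials, run stale firmware or come from a vendor that no longer supports them, and then orders the findings so mission-critical OT devices come first. The inventory fields, VLAN names and the 180-day firmware threshold are assumptions chosen for illustration, not a standard schema.

```python
"""Inventory-driven hygiene audit for IoT and OT devices.

Added example, not the article's code. The inventory, field names, VLAN names
and the firmware-age threshold are constructed assumptions.
"""
from datetime import date
from typing import Dict, List

# Constructed register: what a facilities/IT inventory might hold per device.
INVENTORY = [
    {"name": "coffee-maker-3f", "category": "IoT", "vlan": "corp",
     "firmware_date": "2021-03-01", "default_creds_changed": False,
     "vendor_supported": True},
    {"name": "vibration-sensor-t1", "category": "OT", "vlan": "ot",
     "firmware_date": "2022-11-20", "default_creds_changed": True,
     "vendor_supported": True},
    {"name": "drinks-machine-lobby", "category": "IoT", "vlan": "iot",
     "firmware_date": "2022-06-01", "default_creds_changed": True,
     "vendor_supported": False},
    {"name": "cnc-controller-b2", "category": "OT", "vlan": "corp",
     "firmware_date": "2022-12-10", "default_creds_changed": True,
     "vendor_supported": True},
]

# Which VLAN each device category is expected to live on (assumed names).
ALLOWED_VLANS = {"IoT": {"iot"}, "OT": {"ot"}}
MAX_FIRMWARE_AGE_DAYS = 180  # assumed policy threshold


def audit_device(device: dict, today: date) -> List[str]:
    """Return the hygiene findings for one device (empty list means clean)."""
    findings = []
    if device["vlan"] not in ALLOWED_VLANS[device["category"]]:
        findings.append("not on dedicated %s segment (vlan=%s)"
                        % (device["category"], device["vlan"]))
    if not device["default_creds_changed"]:
        findings.append("default credentials still in use")
    age_days = (today - date.fromisoformat(device["firmware_date"])).days
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware %d days old, exceeds %d-day limit"
                        % (age_days, MAX_FIRMWARE_AGE_DAYS))
    if not device["vendor_supported"]:
        findings.append("vendor no longer supports device; plan replacement")
    return findings


def audit(inventory: List[dict], today: date) -> Dict[str, List[str]]:
    """Map device name to its findings, omitting devices with none."""
    report = {}
    for device in inventory:
        findings = audit_device(device, today)
        if findings:
            report[device["name"]] = findings
    return report


def prioritise(report: Dict[str, List[str]], inventory: List[dict]) -> List[str]:
    """Order flagged devices: OT (mission critical) first, then by finding count."""
    category = {d["name"]: d["category"] for d in inventory}
    return sorted(report, key=lambda n: (0 if category[n] == "OT" else 1,
                                         -len(report[n]), n))


if __name__ == "__main__":
    today = date(2023, 1, 15)  # constructed audit date
    report = audit(INVENTORY, today)
    for name in prioritise(report, INVENTORY):
        print(name)
        for finding in report[name]:
            print("  -", finding)
```

Populating the register is the hard part in practice; the audit itself is cheap once the data exists, which is why the article's first consideration is visibility. The ordering step reflects the monitoring point about OT: a misplaced CNC controller is worth a person's attention before a coffee maker with three findings.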
Organisations that need help should look closely at Managed Detection and Response (MDR) providers. Their combination of 24/7 monitoring, experienced security experts and focused early detection and response to threats make them an ideal security partner for many organisations.
Though all MDR providers can monitor their customers’ servers, desktops, laptops and other traditional IT assets, organisations should carefully evaluate MDR providers to ensure they engage one that can watch IoT and OT devices. This requires MDR providers to be experts in using the latest agentless network sensors, such as Microsoft Defender for IoT. These sensors are critical to an MDR provider’s ability to discover customers’ IoT and OT assets, ingest telemetry from these devices and continuously monitor them without impacting their performance.