IAM for IoT: Taming the internet of threats

Dec 03, 2018 | 6 mins
Access Control | Identity Management Solutions | Internet of Things

We don’t simply give users credentials and allow unfettered access to the network, why wouldn't we apply the same controls to a networked device?


I want you to imagine this scene: in the back room of a flashy casino, a cybersecurity quick response team is on alert after discovering that a hacker is at work somewhere on the casino floor.  A couple of genius tech team members realize that the hack is actually happening right now, and they’ve found the source. The call goes out to the security guards, “Sector 20 Zulu… Go! Go! Go!” Now teams Alpha, Bravo, and Charlie enter simultaneously from various points around the floor and rush to the scene where they meet at the source of the breach…a fish tank.

While you may certainly agree that the above scene is seriously lacking in a climax, you might be amazed to know that it’s a true story. In 2017, a hacker had scanned casino IP addresses searching for a device they could control. The scan revealed a smart thermometer attached to a large aquarium that shared temperature data with the employees responsible for the aquarium’s upkeep. The thermometer needed a network to connect to in order to share its data, and which one did it use? You guessed it, the casino’s private network.

After the device was hacked, the attacker gained access to the casino network and stole private data on casino customers, uploading the data to their server overseas. If you wonder why I call IoT ‘the internet of threats,’ I hope the above story gave you a good enough reason.

There are more threats than you think

The threats are truly all around us. We’ve got digital assistants that are constantly listening to us in our kitchens, video game consoles with cameras, digital locks on our doors, and more. You don’t have these types of items in your office though, so nothing to worry about, right? Well, do you have networked printers that also have Wi-Fi capability? Security systems linked to external vendors? A thermometer on the fish tank in the lobby? Many aren’t aware of all the IoT devices that are actually connected to their network, and this can lead to very dangerous situations. IoT is broadly considered to be anything in your domain that could possibly connect to the internet, or even just your network. To say it’s time to pay attention to this threat is an understatement.

Why is this happening?

The first step we need to take is grasping how and why these devices are a threat to begin with. With all we’ve learned about security, why are devices that seem so easy to hack into getting deployed? The simple fact is, for many manufacturers the notion of security might come as an afterthought to innovation. For example, if a company is producing hundreds of thousands of network-connected thermometers, the notion of installing and managing unique encryption keys between those devices might seem ridiculous and expensive. Sometimes the security is there, but when mismanaged, it’s like leaving the front door not only unlocked but wide open. A great example of this is when you install your new networked printer in your house and totally ignore the fact that the printer itself has a Wi-Fi router installed that you neglected to disable and whose default access password you forgot to change. The chance that the printer has a vulnerability allowing an attacker to bridge those connections and reach your personal file shares is too high a risk to completely ignore.

In a world of best intentions, your corporate brand and the private data of your users is simply too valuable to play games with. We must go the extra mile and do everything we can to make sure all devices are secure.  Let’s take a look at a couple of approaches that will certainly help close the gap.

How to address the internet of threats

When I was young, the G.I. Joe cartoons always ended in a short PSA from one of the characters who would shout, “knowing is half the battle!” That same PSA could also be applied here.  Just having a basic awareness of possible threats can change your interaction with teams, third-party partners, or strange devices potentially connecting to your network. I recommend asking as many questions around security as possible to those who connect to your network, like printer vendors, to see if they can disable certain network features you know your company won’t need. Or ask about the possibility of enhanced security on these devices where a user must own a signed certificate that proves their ability to connect.  Most printers these days actually support certificate-based authentication and that might not be a bad idea to embrace.

Have a thermometer in the lobby collecting temperature data for your maintenance vendor?  Consider setting up a public network specifically designed for guests or devices that have no access to your company’s internal assets.  As a warning, it is very difficult to tell if these IoT devices are creating a vulnerability on your network, so why would you allow such an unknown and unpredictable threat onto the corporate network?

Finally, and most interestingly, many have begun to realize that there are some very significant similarities between networked devices and users.  In fact, an entire boutique industry has sprung around the notion of IAM for IoT. (Full disclosure: While my employer One Identity doesn’t fit in this category, it does offer a feature to manage IoT devices through its IAM platform.)

Think of it this way, a device’s lifetime in your domain follows many common principles of IAM:

  • An individual device can be provisioned and recorded into the IAM system
  • A device is often associated with a specific account or credential for obtaining access
  • The device’s credential should be restricted in what it can and cannot have access to on the network
  • A device’s account should be closely monitored and observed via analytics for unusual behavior
  • It should be possible to remotely kill a device’s access without unplugging it from the network

The list could go on for sure, but one highlight in the list above is that we don’t simply give users credentials and allow unfettered access to the network, so why wouldn’t we apply the same controls to a networked device?  If you have absolutely no visibility into what the device does or how it does it, you might want to choose another vendor, or as mentioned, at least isolate the device on a whitelisted network.
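To make the five principles above concrete, here is an added illustration (not code from the article, and not One Identity’s product): a toy in-memory device registry that provisions a device with its own credential, restricts which destinations that credential may reach, logs every access decision, flags a burst of out-of-scope attempts, and revokes the device remotely. The device name, the destinations, the thresholds and the sample events are all assumptions made up for the example.

```python
"""Device identity lifecycle: provision, scope, monitor, revoke.

Added illustration (not code from the article or from One Identity): a toy
in-memory registry that applies the post's five IAM principles to a device
such as the aquarium thermometer. Names, thresholds and the sample events
are assumptions made for the example.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass
class DeviceRecord:
    device_id: str
    owner: str                       # team or vendor accountable for the device
    allowed_destinations: frozenset  # the only hosts/services it may reach
    secret_hash: str                 # SHA-256 of the per-device credential
    revoked: bool = False
    access_log: list = field(default_factory=list)  # (timestamp, dest, decision)


class DeviceRegistry:
    def __init__(self):
        self._devices = {}

    def provision(self, device_id, owner, allowed_destinations):
        """Record the device and issue it a unique credential (principles 1 and 2).
        The plaintext secret is returned exactly once; only its hash is stored."""
        secret = secrets.token_hex(16)
        self._devices[device_id] = DeviceRecord(
            device_id, owner, frozenset(allowed_destinations),
            hashlib.sha256(secret.encode()).hexdigest())
        return secret

    def authorize(self, device_id, presented_secret, destination, now):
        """Decide one access attempt and log it (principles 3 and 4)."""
        rec = self._devices.get(device_id)
        if rec is None:
            return "deny:unknown-device"
        presented_hash = hashlib.sha256(presented_secret.encode()).hexdigest()
        if rec.revoked:
            decision = "deny:revoked"
        elif not hmac.compare_digest(presented_hash, rec.secret_hash):
            decision = "deny:bad-credential"
        elif destination not in rec.allowed_destinations:
            decision = "deny:out-of-scope"
        else:
            decision = "allow"
        rec.access_log.append((now, destination, decision))
        return decision

    def revoke(self, device_id):
        """Kill the device's access without unplugging it (principle 5)."""
        self._devices[device_id].revoked = True

    def is_behaving_unusually(self, device_id, now, window=60, max_denials=3):
        """Flag a device that has piled up out-of-scope denials within `window`
        seconds: the simple analytics check principle 4 calls for."""
        rec = self._devices[device_id]
        recent_denials = [
            d for (ts, _dest, d) in rec.access_log
            if now - ts <= window and d == "deny:out-of-scope"]
        return len(recent_denials) >= max_denials


def demo():
    """Walk the thermometer through its lifecycle; returns (flagged, decisions)."""
    reg = DeviceRegistry()
    dev = "aquarium-thermometer-01"  # constructed device name
    secret = reg.provision(dev, "facilities-vendor",
                           allowed_destinations={"temperature-collector.example"})
    results = []
    # Constructed events: normal telemetry, a forged credential, then a burst
    # of attempts toward an internal system the device has no business reaching.
    results.append(reg.authorize(dev, secret, "temperature-collector.example", now=100))
    results.append(reg.authorize(dev, "not-the-secret", "temperature-collector.example", now=101))
    for t in (102, 103, 104):
        results.append(reg.authorize(dev, secret, "customer-db.internal", now=t))
    flagged = reg.is_behaving_unusually(dev, now=105)
    if flagged:
        reg.revoke(dev)
    # Once revoked, even the legitimate destination is refused.
    results.append(reg.authorize(dev, secret, "temperature-collector.example", now=106))
    return flagged, results


if __name__ == "__main__":
    print(demo())
```

The point of the ordering in `authorize` is that a revoked device is refused before anything else is evaluated, and that the allow-list is checked per destination rather than per network, which is the same idea as isolating the device on a whitelisted network, just expressed as policy the IAM system can enforce and audit.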

To put it simply, knowing is half the battle. For too long users have blindly plugged devices into any network available without ever even dreaming of the consequences. (I mean, honestly, who would have ever dreamed an aquarium thermometer could be the source of a breach?) But those days are long gone. I’m willing to bet you have networked printers, monitored security cameras, and possibly even more network-connected devices. It’s time to do a review and get those devices secured and managed.


Joe Campbell is Principal Security Advisor at One Identity. He is an accomplished software developer with an extremely diverse background that includes driving innovations for some of the world’s biggest companies, and pioneering new, award-winning technologies in wireless, RFID, visualization, communications and telephony. As a trusted security advisor, his experience in security and software architecture makes him a highly respected visionary and leader in the technology industry.

Before joining One Identity, Joe held the role of Principal Solutions Architect at Quest Software.

The opinions expressed in this blog are those of Joe Campbell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.