When IoT Devices Go Rogue, Automation Saves the Day
Continuous monitoring reduces risks and ensures data integrity.
By 2025, an estimated 75 billion or more devices will be connected via the Internet. While the ability to access data on any device from any device multiplies productivity exponentially, it also creates unforeseeable vulnerabilities that organizations are only beginning to understand.
Last year’s Mirai botnet distributed denial-of-service attack, which infected millions of devices, demonstrates the multifaceted challenges federal agencies and private-sector companies face when securing their devices and networks. These challenges will only continue to grow both inside and outside of these domains.
At DEF CON 25, a hacking conference held earlier this year in Las Vegas, researchers from Arbor Networks presented a startling fact: Just 5 percent of the Internet of Things (IoT) devices infected by a new variant of the Mirai botnet discovered in January were from outside their organization’s firewalls, and the remainder were internal. This means potentially millions of infected IoT devices are still inside networks.
The variant spread through systems running Microsoft’s Windows operating systems. Although malware commonly spreads this way, the Mirai Windows variant scans for networked IoT devices that it then attempts to infect. In a successful attack, the compromised device searches for other IoT devices to strike and begins to spread the malware, creating a snowball effect.
What may not be obvious is that compromised devices searching for hosts inside networks produce a flood of address resolution protocol requests and other small packets traffic, which can quickly overwhelm and crash the networks. Even today’s enterprise-class switches and routers cannot easily handle these types of requests. This malicious activity is reminiscent of the Code Red and Nimda computer worm days and is only the infection phase.
Once hackers launch an attack against a target from a command and control server, the IoT devices will flood the internal network with attack traffic. This traffic will quickly consume bandwidth and severely degrade or bring down secure devices and next-generation firewalls.
The most effective solution to reduce the threat is to isolate IoT devices from any valuable cyber terrain. To mitigate risks, organizations must use security best practices, implement full network segmentation, move all IoT devices to an isolated part of the network, and ensure that the network and segmentation comply with policy.
The National Defense Authorization Act (NDAA), which requires systems to comply with Defense Department network configurations as a condition of connecting to department networks, highlights the need for information security, continuous monitoring capability and comply-to-connect policy. Organizations must implement an automated way to continually verify their security controls—including network segmentation—and ensure that they are up-to-date. In addition, they must quarantine devices that do not comply with policy and block their network connections.
Manually assessing network policy and segmentation compliance on a continuous basis is impossible. Automated monitoring is the only way to verify compliance and ensure that potentially compromised IoT devices do not pose unacceptable risks to crucial cyber terrain. Automated solutions are needed to evaluate network configurations and identify all possible pathways through legacy and hybrid networks.
Regardless of what standards or regulations are put in place, designing, deploying or rebuilding a network is inefficient and impractical if inevitable network changes do not adhere to segmentation policy. Organizations must continuously monitor network security architecture, as called for in the NDAA, to protect the keys to their kingdom.
Technology is one tool that can help provide this protection, but it is no panacea for finding and fixing compromised IoT devices. Companies can only protect their networks by mandating that if IoT devices cannot be updated, then they must be segmented and monitored.
For government systems, legislation is necessary because of the scope and uniqueness of system functions. Unlike a rogue refrigerator or a snooping Echo device, a comprised nuclear power plant sensor has dire consequences.
Compounding the problem for government organizations is that neither they nor technology developers can predict all potential uses for a device or every vulnerability. Consider the U.S. Department of Agriculture’s (USDA’s) adoption of sensor technology in water systems to take soil measurements of heat and humidity to help farmers save time and obtain more accurate readings. This data drives better fertilizer and seed decisions in the short term and allows the USDA to make better forecasts in the long term. However, in the wrong hands, the consequences could be devastating. If adversaries attack the sensor network, they could provide false data that causes farmers to underfertilize and underwater crops, leading to declining harvests and disrupting the food supply. And it is not possible to know whether the data is false when it is created at the sensor level.
In the future, many life-changing decisions will be made based on the data that billions of IoT devices will collect. But few are thinking about how to verify the veracity of this data and what to do if the data is changed. A good start is to implement continuous verification of security controls, including network segmentation, maintain up-to-date controls, and block network connections for devices that do not comply with policy.
Wayne Lloyd is the federal chief technology officer for RedSeal Inc.