Enable breadcrumbs token at /includes/pageheader.html.twig

How to Checkmate IoT Attacks

A multipronged strategy outsmarts hackers.

One way international military and government agencies gather information about weather and oceanographic data to enhance forecasting and environmental models is through networked buoys. The Royal Danish Air Force deployed these ice-hardened buoys from a C-130 into the Arctic Ocean in September as part of the International Arctic Buoy Program. Credit: John F. Williams

The U.S. Navy applies the Internet of Things concept to a variety of intelligence-gathering tools, such as drones, to share information in contested environments. Credit: James Travasos

No longer a curiosity, the Internet of Things has emerged as a highly sought-after technology advantage for organizations worldwide. The federal government has stepped up as an innovator within this space, generating profound advancements with seemingly unlimited promise to support national security missions. Those in doubt need look no further than research from the Center for Data Innovation, a nonprofit, nonpartisan institute, which reveals a broad range of eclectic, real-life implementations.

The U.S. Defense Department dominates the landscape, leveraging Internet of Things (IoT)-enabled cameras, infrared sensors, drones, surveillance satellites and other resources to foster a heightened state of awareness as part of what it calls network-centric warfare. The Navy dispatches connected buoys that use sonar technology to detect the presence of submarines. The Air Force combines surveillance and sensor data from fighter jets and feeds detailed real-time information about threats and targets to pilots. The Army compiles data from environmental sensors and satellite images to help soldiers more effectively navigate unfamiliar terrain.

Equally impressive, the National Oceanic and Atmospheric Administration has invested in a global network of hydrophones. These underwater acoustic sensors assist researchers studying seismic activity, which could help predict volcanoes, earthquakes, tsunamis and other crises requiring defense agency support in humanitarian and relief missions.

In an era when climate and water issues are reshaping global resources and conflicts, NASA has equipped its Earth observation satellites with imaging and thermal sensors to better forecast, detect and track droughts, wildfires and other weather patterns.

These eyes in the skies are just one way the IoT is helping to solve today’s problems. Within the IoT universe is the Industrial Internet of Things (IIoT), which includes connected machinery, robotics and facility equipment. Both the IoT and the IIoT play a pivotal role in the U.S. government’s military and homeland security agencies but also pose security risks.

As with so many technologies, what begins as Defense Department innovation quickly becomes the “new normal.” Integrating more devices and nontraditional equipment into networks supporting routine and on-demand missions is standard fare for nearly every agency today. In fact, the “Cybersecurity for the Nation” section of President Donald Trump’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure essentially combines the IoT world with traditional information technology. It states: “The term ‘information technology’ has the meaning given to that term in section 11101(6) of title 40, U.S. Code, and further includes hardware and software systems of agencies that monitor and control physical equipment and processes.”

Motivated by the possibility of untold technology-driven discoveries, agencies are emphasizing IoT expansion. Forty percent indicate that expansion is a priority, and 17 percent say it is a “high” or “critical” priority, according to Government Business Council (GBC) research.

However, innovation comes at a price—in this case, the somewhat murky and potentially devastating possibilities of cyber sabotage. Nearly 90 percent of the organizations the GBC surveyed consider the security of IoT devices essential to executing their mission. But 58 percent say they are not very, not at all or, at best, only somewhat confident in their ability to protect these devices. Respondents list several reasons they struggle to secure the IoT. Thirty-nine percent cite a lack of funding; 39 percent name slow procurement processes; and 30 percent mention a dearth of technical expertise.

Adding to these challenges, many IoT devices are not designed to receive software upgrades, leaving them vulnerable to attacks. “Security researchers evaluating automotive cybersecurity determined that attackers could gain significant control over important vehicle functions remotely, such as the engine, brakes and steering performance, by exploiting wireless communication vulnerabilities,” a Government Accountability Office report warns. “If an owner does not upgrade the vehicle’s software, the vehicle may be susceptible to an attacker gaining access to key functions.

“Further, the [U.S.] Computer Emergency Readiness Team has warned that IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service attacks. These attacks can severely disrupt an organization’s communications or cause significant financial harm,” the report states.

Two of the biggest standout IoT-related security initiatives are the federal Comply to Connect (C2C) and Continuous Diagnostics and Mitigation (CDM) programs. The Defense Department and the Department of Homeland Security, respectively, drove the creation of these measures.

C2C and CDM are not niche programs narrowly focused on the IoT in the government, which makes them useful models for any large organization that wants to account for the IoT’s wide reach within the scope of existing security missions and requirements. In fact, managing both newer IoT-enabled systems and legacy systems together is more important than ever because the older systems are still high-value assets and targets. As much as Internet-enabled vehicles, robots and wearable equipment make headlines, traditional laptops, purpose-built workstations and servers cannot be ignored because adversaries can and do persistently pursue these systems.

This is why expanding the scope of C2C- and CDM-type approaches makes sense; the goal should be securing all connected things equally. Indeed, as last year’s stunning Equifax data breach demonstrated, only one blind spot is needed to conceal an exploit and give cover to far-reaching network compromise. In the Equifax case, it was overlooked, unpatched software on a server in the credit bureau’s vast infrastructure.

Arguably, the Defense Department and other agencies have even greater visibility and vulnerability management challenges than firms such as Equifax. While software patches might have blocked the credit firm’s assailants, neither patches nor upgrades can be applied to many of the department’s oldest systems inside installations and control system environments for practical reasons. Oftentimes, original equipment manufacturers no longer produce software updates, or configuration updates would actually break the wider systems they support, in effect causing an outcome no different than a disruptive, malicious attack. Consequently, network defenders must spot and stop suspicious activity in real time rather than relying on patches or updates.

With this in mind, the CDM and C2C initiatives give defense and civilian agencies with national security roles a foundation to align enhanced security controls with legacy systems and cutting-edge IoT and IIoT investments. Agencies can look to three guidelines to improve their network defense.

First, government organizations cannot declare “mission accomplished” when they satisfy compliance requirements because this is not an adequate defense against today’s breed of cyber adversary. Traditional review tools such as the CIO Scorecard are fairly limited in responding to threats. Such tools were created at a time when the bar for information assurance was much lower and long before the evolution of the IoT.

“[Agencies] can get so overly focused on compliance and trying to get a good grade or a good score, or be green or what have you, when really what we need to be focused on is risk,” said Robert Powell, senior adviser for cybersecurity in NASA’s Office of the Chief Information Officer, at the AFCEA Energy Chapter’s Energy and Earth Science IT Symposium in July. “If we’re going through compliance exercises at the expense of focusing on risk, then that’s a broken model.”

Second, agencies must establish complete visibility into their systems. When incorporating best practices and standards from the National Institute of Standards and Technology Cybersecurity Framework and the SANS Institute, experts have constantly preached, “You cannot protect what you cannot see,” but government leaders often fear what they will find if they look closer at their IoT security. Still, they can no longer afford to bury their heads in the sand.

Once leaders have obtained total visibility, they must classify what they are seeing. They should determine what each device is—from smart thermostats to cargo containers—and its function. With this information, they can develop baselines of routine, acceptable activity to better recognize unusual and possibly threatening patterns.

Third, government organizations must separate IoT systems from the rest of their systems and implement comprehensive network segmentation architectures. Consider the example of securing a cargo container. If the container’s technology runs on a Windows operating system, then it must be separated entirely from other machines that also run on Windows, such as laptops, tablets and smartphones, because IoT devices on Windows cannot be patched like more mainstream computing products. But if properly separated, the device will be walled off from other assets, and a security manager can “stop the bleeding.”

With visibility and separation as prerequisites, organizations can field the most powerful security capabilities by introducing automated controls and processes according to specific, well-defined thresholds and contexts. Understandably, few agencies are comfortable letting any automated item run unchecked right out of the box for fear of disruptions or misfires.

This is why the phases of establishing visibility and separation within dense network traffic are crucial. The earlier steps, including CDM, C2C and other programs, are analogous to the indispensable early warning and decision-support systems that the military’s command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) systems provide in the physical world.

Overall, protecting IoT and IIoT systems is about playing the long game. If IoT-driven security risks are viewed across today’s government enterprises only in terms of connected devices—the number of which is growing daily—the challenge seems overwhelming, with uncertain outcomes. But if agencies and contractors focus on incremental, phased approaches, such as C2C- or CDM-style strategies, then security controls become far more measurable and achievable.

It is easy to view security in the IoT era as a race against time. A better metaphor might be a high-stakes chess match, where anticipating moves and keeping key pieces out of striking distance matter most. If government and critical infrastructure operators focus on principles and methodically review how they achieve visibility, separation and ultimately more automated control of connected systems, then they will checkmate the wide-scale cyber risks they can expect to face now and in the future.

Ryan Brichant is vice president and chief technology officer of global critical infrastructure, industrial control system and operational technology security at ForeScout Technologies.