By Anne Trotter

I read a recent Reddit thread stemming from a post by a System Administrator who was seeking advice on how to manage a new asset type: an oven with Internet connectivity. This was a new and baffling thing for their particular environment, even though other users mentioned having a long relationship with Internet-connected ovens for assorted business purposes.

The discussion moved along on a long stream of bad puns and great advice; well worth a read if you have some time and don’t mind a little light profanity.

Back in the old days, only bulky computers were Internet connected and addressable. These days, everything including clothing can have its own IP address, and will chatter along on the Internet about all kinds of subjects: where it is, what it's doing, who's using it, etc. Those are the "things" in the "Internet of Things" that everyone is talking about. Because they're usually tiny processors running very lean operating systems, security is rarely a big part of their design, but connectivity always is. That's where the title comes into play. IoT objects with connectivity often have zero security: there's no S in IoT.

This doesn’t mean they’re not useful (or desired by engineers and CEOs). So, more and more enterprises are having to deal with questions like: what do I do with this thing, and how do I secure it?

Well, you do pretty much the same as with any other thing. You try to comply with the set of controls that apply to the environment it lives in.

  • You decide whether you really need it or not. Is it a real business need or is it a shiny new toy?
  • You decide what you’re going to do with it, what level of criticality it has.
  • It has to have an owner. ALL your network devices need an owner. Someone always has to be legally responsible for your assets, whether they cost a million bucks or one penny. Someone must be on the hook for patches, auditing, etc.
  • You start the technical design of the security.
    • What information will it be handling?
    • Who needs access to it, and from where?
      • Don’t give anyone access to it who doesn’t have a business need for it.
    • What should it be able to talk to, and how can you ensure that only the things it absolutely needs to talk to are accessible to it?
      • If you don’t need to expose it to the open Internet, don’t. If you do, don’t let it talk to anything internal. If you’re letting it talk to the outside world *and* your internal devices, understand the scope of the risk you’re taking and make sure you document that risk acceptance and show how it impacts and aligns with your enterprise risk appetite. (That’s fancy speak for duck and cover.)


For many organizations the partial answer to securing an IoT device without any security of its own is going to be to 1) never ever, ever trust it with anything critical (like privacy data), and 2) embed it within an environment that takes care of all the required security controls for it.

IoT devices aren’t known for encrypting their data at rest or in transit, so you may need to make sure whatever channels it talks over are encrypted end to end, with a tunnel you control if the device can’t do it itself. Limit its access as much as you possibly can. Put it on its own subnet/VLAN with no route into production environments. Make communication one-way where you can: let the device initiate the few connections it needs, and don’t let anything open a session toward it. Put it in a test environment first for a while and have someone take a close look at what traffic it tries to send out and where it sends it; then allow exactly those destinations and nothing else. Don’t trust the packaging, don’t trust the documentation; compare what the manual says the device needs with what you actually see on the wire. Assume everything stored on the device, including usernames and passwords, might as well be cleartext on a completely open hard drive.
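To make the "watch it on a test VLAN, then allow only what it needs" step concrete, and the "what should it be able to talk to?" question from the design list above, here is an added example; it is my illustration, not the author's tooling and not any vendor's. It assumes a hypothetical oven parked at 10.50.0.20 on a 10.50.0.0/24 test VLAN, a handful of constructed Zeek-style conn.log lines (not a real capture; only a subset of Zeek's columns is used), a hypothetical vendor manual that lists two destinations, and nftables syntax for the resulting allowlist. It baselines what the device actually opened, explains every destination the manual didn't mention, checks that nothing reached the device from elsewhere, and emits a default-deny ruleset.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not a real capture): a week of Zeek-style conn.log lines for a
# hypothetical networked oven on a test VLAN. Columns used, in this order:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, orig_bytes
SAMPLE_CONN_LOG = """\
1700000000.1\t10.50.0.20\t49152\t10.50.0.1\t53\tudp\tdns\t64
1700000001.2\t10.50.0.20\t49153\t203.0.113.10\t443\ttcp\tssl\t2100
1700000002.3\t10.50.0.20\t49154\t203.0.113.10\t443\ttcp\tssl\t1980
1700000003.4\t10.50.0.20\t49155\t198.51.100.7\t123\tudp\tntp\t48
1700000004.5\t10.50.0.20\t49156\t192.0.2.77\t80\ttcp\thttp\t512
1700000005.6\t10.50.0.20\t49157\t10.0.0.15\t445\ttcp\t-\t0
1700000006.7\t10.0.0.99\t51000\t10.50.0.20\t80\ttcp\thttp\t300
"""

DEVICE_IP = "10.50.0.20"                                # hypothetical oven
IOT_VLAN = ipaddress.ip_network("10.50.0.0/24")          # its isolated test VLAN
INTERNAL_NETS = [ipaddress.ip_network(n) for n in       # your RFC 1918 address plan
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# What the hypothetical vendor manual claims the oven needs: its cloud API over TLS
# and one NTP server. An assumption for the example; the point is to check it.
DOCUMENTED = {("203.0.113.10", "tcp", 443), ("198.51.100.7", "udp", 123)}


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        flows.append({"orig_h": f[1], "resp_h": f[3], "resp_p": int(f[4]),
                      "proto": f[5], "service": f[6], "orig_bytes": int(f[7])})
    return flows


def outbound_baseline(flows, device_ip=DEVICE_IP):
    """Connections the device itself opened, grouped by (destination, proto, port)."""
    base = defaultdict(lambda: {"count": 0, "bytes": 0})
    for fl in flows:
        if fl["orig_h"] == device_ip:
            key = (fl["resp_h"], fl["proto"], fl["resp_p"])
            base[key]["count"] += 1
            base[key]["bytes"] += fl["orig_bytes"]
    return dict(base)


def inbound_to_device(flows, device_ip=DEVICE_IP):
    """Sessions something else opened toward the device. One-way means this is empty."""
    return [fl for fl in flows if fl["resp_h"] == device_ip]


def review(baseline, documented=DOCUMENTED, vlan=IOT_VLAN, internal=INTERNAL_NETS):
    """Give a reason for every observed destination the vendor documentation omits."""
    findings = {}
    for (dst, proto, port), stats in baseline.items():
        if (dst, proto, port) in documented:
            continue
        addr = ipaddress.ip_address(dst)
        if addr in vlan:
            why = "local infrastructure on the IoT VLAN (DNS/DHCP); confirm and keep local"
        elif any(addr in net for net in internal):
            why = "talks to an internal network outside its VLAN; block and investigate"
        elif port in (21, 23, 80):
            why = "cleartext protocol to the Internet; wrap it in a tunnel or block it"
        else:
            why = "undocumented Internet destination; ask the vendor before allowing"
        findings[(dst, proto, port)] = why
    return findings


def nft_allowlist(baseline, documented=DOCUMENTED, device_ip=DEVICE_IP):
    """nftables forward-chain rules: documented destinations that were actually seen are
    allowed, nothing may open a session toward the device, everything else is dropped."""
    rules = ["ct state established,related accept",          # replies to allowed sessions
             f"ip daddr {device_ip} ct state new drop"]       # one-way: no inbound sessions
    for (dst, proto, port) in sorted(baseline):
        if (dst, proto, port) in documented:
            rules.append(f"ip saddr {device_ip} ip daddr {dst} {proto} dport {port} accept")
    rules.append(f"ip saddr {device_ip} drop")                # default deny for the rest
    return rules


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    base = outbound_baseline(flows)
    for key, why in review(base).items():
        print(f"{key[0]}:{key[2]}/{key[1]} ({base[key]['count']} flows): {why}")
    for fl in inbound_to_device(flows):
        print(f"inbound from {fl['orig_h']} to port {fl['resp_p']}: not one-way")
    print("\n".join(nft_allowlist(base)))
```

The baseline is the evidence you compare against the manual: in the constructed sample the oven also reached a file-sharing port on a production host and fetched something over plain HTTP, neither of which the vendor mentioned, and a workstation opened a session to the oven's web interface. Only the two documented, observed destinations make it into the ruleset; the rest is dropped, and the one-way rule stops anything from initiating toward the device.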

  • Have an owner for your assets
  • Know your assets and their capabilities
  • Know what information is flowing over your assets – where it came from and where it goes (where did it come from, Cotton Eye Joe?)
  • Assume any IoT asset itself is untrustworthy and will allow compromise, crosstalk, etc.


TLDR: IoT things are fun and can be functional, but should always be treated as untrusted, insecure widgets.

As a final present, a link: IoT device hack history has some funny moments: The Worst and Weirdest IoT Hacks of All Times (finance-monthly.com)