I’m going to tell you the odd story of how refrigerators, DVRs, and thermostats took away your access to Twitter for a few hours last October.
You’ve probably heard the phrase “internet of things.” Even if you haven’t, you’ve used the IoT. Probably in the last twelve hours. Does your home have a router? Does your plant or factory have equipment with sensors that record information, then send it to a central computer?
If so, you’ve used an internet-connected device—that is, a device on the IoT.
And if something’s connected, it can be hacked.
That’s exactly what happened in a massive DDoS attack last month (Halloween came early…). As cyber security site Dark Reading explained, “internet of Things (IoT) devices were compromised and used as part of the bot army that slowed access to popular websites such as Amazon, Twitter, and PayPal.”
It’s not just your computer that hackers can now attack. It could be a security camera hooked up to the internet, or a xerox machine, or even a piece of industrial machinery like a blast furnace. The IoT devices connected to your computerized maintenance management system are at risk, too.
How can you avoid a similar problem? I’ve found six internet of things security practices to protect your devices, be they hydraulic pumps or mobile devices your workers use.
1. Perform an IT Risk Evaluation
If your risk evaluation hasn’t taken IoT hacks into account, now’s the time. In an interview he granted me, Omer Schneider of CyberX recommended that this be the first step for anyone considering IoT security. Earl Perkins at Gartner (research is paywall-protected) even suggests that you “incorporate risk evaluations from new and often not-well-understood technology related to the Internet of Things into existing IT risk evaluations,” even if your company doesn’t use IoT devices.
Andy Jones of Maersk corroborates that suggestion, adding that “any risk assessment should include the criminal mindset and learn from past analogies.”
So, don’t just anticipate possible attacks; anticipate how the attackers will think. You don’t want your business to end up looking like this Geico commercial:
2. Count Your Devices Before They’re Hacked
If you don’t know what’s connected, you can’t protect it. This is why “understanding which devices are connected and what they’re doing is a prerequisite for proper security,” as Michelle Drolet argued at Network World. Ken Munro, of Pentest Partners, suggests that even something as simple as “walking the floors” to find out which devices are connected to the internet is a good idea.
You want your inventory to be visible, so you know which things might be at risk of being hacked. This sort of visibility is like Molly Weasley’s clock in the Harry Potter books, telling her where her kids are, and whether they’re in trouble.
There are companies that can help you achieve this visibility. CyberX offers XSense, a software platform that can monitor all of your connected devices, and also alert you to possible attacks in real time. Cyber Defense magazine named CyberX’s XSense the “Best Product in ICS/SCADA Security Solution” last March, and the company was also one of Gartner’s 2015 “Cool Vendors in Security for Technology and Service Providers.” High praise, indeed.
3. Use Secure Networks and Hosting
Make sure your network is secure. Some experts go so far as to recommend creating a separate network, so potential hackers won’t be able to get “access to shared files or networked devices.”
Network segmentation is another strategy to secure your IoT devices. In network segmentation, the network over which your devices send information is cut up into different zones. If a device in one of these zones is attacked, the attack will at least be restricted to that zone. Gartner research predicts that “network segmentation and isolation solutions will account for 33% of all IoT security spend through 2020,” so the option bears looking into. This piece from Network World describes the five basic steps of network segmentation, and this paywall-protected Gartner research can take you a step further.
4. Use a Firewall
If you aren’t using a firewall, you should be. Firewalls keep hackers from communicating with your IoT devices. Alan Grau at IEEE Spectrum describes them as “gatekeeper(s), blocking traffic that should not be permitted to pass through.” Firewalls are like the TSA or Customs agents who check luggage, and people, as they enter a country. Even the policies programmed into firewalls, called white lists, are like the TSA lists of things you can and can’t bring into a country.
One way to protect your devices, especially if you’re using older technology, is to add a “bump in the wire” by buying and using “a small, dedicated piece of hardware and software that sits between an IoT device and the Internet.” Such devices are available from companies like Grau’s, Icon Labs, whose version is called the Floodgate Defender. You can also check out similar products from Tofino Security. Look at it as hiring a contractor to do the border patrol work for you.
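To make the zones from step 3 and the white lists from step 4 concrete, here is an added example (not code from any vendor or source named in this article) of a default-deny firewall decision between network segments. The zone names, address ranges, ports and the `decide` and `blast_radius` helpers are all assumptions made up for the illustration.

```python
import ipaddress

# Constructed zones: one entry per network segment (addresses are made up).
ZONES = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),     # cameras, sensors, thermostats
    "cmms": ipaddress.ip_network("10.30.0.0/24"),    # maintenance management server
    "office": ipaddress.ip_network("10.40.0.0/24"),  # workstations and file shares
}

# The white list: the only cross-zone flows the firewall lets through,
# as (source zone, destination zone, destination TCP port).
ALLOWLIST = {
    ("iot", "cmms", 8883),    # assumed: sensors publish readings over MQTT/TLS
    ("office", "cmms", 443),  # assumed: staff reach the CMMS web interface
}


def zone_of(ip):
    """Return the zone holding this address, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return None


def decide(src_ip, dst_ip, dst_port):
    """Default deny: a flow passes only if it stays in one zone or is on the list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"   # one end is outside the plant network, e.g. the internet
    if src == dst:
        return "allow"  # same segment, so the zone firewall is not in the path
    return "allow" if (src, dst, dst_port) in ALLOWLIST else "deny"


def blast_radius(compromised_ip, flows):
    """Of the constructed (dst_ip, port) flows, which can a compromised device open?"""
    return [f for f in flows if decide(compromised_ip, *f) == "allow"]


if __name__ == "__main__":
    camera = "10.20.0.15"  # constructed: a hijacked security camera
    attempts = [("10.20.0.16", 23), ("10.30.0.5", 8883), ("10.40.0.8", 445),
                ("203.0.113.9", 80)]
    for dst in attempts:
        print(camera, "->", dst, decide(camera, *dst))
    print("reachable:", blast_radius(camera, attempts))
```

The hijacked camera can still talk to its neighbours in the IoT zone and to the one CMMS port on the list, but the office file shares and the outside world are closed to it.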
5. Use Data Loss Prevention
It’s not just inbound traffic from possible hackers you should watch. You’ll also want to keep track of data leaving your system. A data loss prevention system does just that. I contacted Mike Baker, founder of cyber security company Mosaic 451, who explained that DLP systems “are configured with rules to detect important data…and ensure it is being moved across a network properly and not off-loaded to an unauthorized device.” Like, say, a hacker’s laptop. There are numerous types of DLP systems (here’s a list from Wikipedia), and numerous vendors on the market (you’ll find some on Capterra’s Business Continuity Software Directory, like Spinbackup, CrashPlan, and Disaster Recovery as a Service).
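The kind of rule Baker describes can be sketched in a few lines. This is an added example, not code from Mosaic 451 or any product listed above: the two detection rules, the list of authorized hosts and the sample payloads are all constructed for the illustration.

```python
import re

# Constructed rules: what counts as important data in this sketch.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")    # card-number-shaped digit runs
MARKER_RE = re.compile(r"\bconfidential\b", re.I)  # document classification label

# Constructed list of hosts allowed to receive important data.
AUTHORIZED = {"10.30.0.5", "10.30.0.6"}


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from serial or part numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(payload):
    """Return the names of the rules this payload trips."""
    hits = set()
    for match in CARD_RE.finditer(payload):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits.add("card_number")
    if MARKER_RE.search(payload):
        hits.add("confidential_marker")
    return sorted(hits)


def evaluate(dst_ip, payload):
    """Block important data headed anywhere that is not an authorized host."""
    hits = classify(payload)
    if hits and dst_ip not in AUTHORIZED:
        return ("block", hits)
    return ("allow", hits)


if __name__ == "__main__":
    # Constructed outbound transfers: (destination, payload).
    for dst, data in [("10.30.0.5", "card 4111 1111 1111 1111 exp 12/27"),
                      ("198.51.100.7", "card 4111 1111 1111 1111 exp 12/27"),
                      ("198.51.100.7", "work order 1234567890123456 for pump 7")]:
        print(dst, evaluate(dst, data))
```

The checksum step is what keeps a 16-digit work-order number from being mistaken for a card number, so ordinary maintenance traffic is not blocked.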
6. Set Strong Passwords
Most IoT devices come with a default password from the vendor. These offer as much protection as a cardboard front door. In fact, the program used by hackers in that DDoS attack “was the kind of code that scrapes the internet for devices that are connected using factory default passwords,” according to Alina Selyukh of NPR.
In other words? Hackers, like pickpockets, look for easy marks. They’re like the thieves in Oliver Twist, though I doubt they’d translate as well to a Disney animated musical, mostly because animals lack opposable thumbs, or the logical abilities of computer programmers.
Jeremiah Grossman also stressed the importance of setting new passwords: “you have to make really really sure that you don’t leave the default password set, because that was the main issue in how these devices got hacked, was using default passwords.” Factory default passwords are to your IoT devices what leaving all the lights off in the house is when you go on vacation. If you’re interested in password best practices, Gartner has some solid (paywall-protected) advice, as usual. Looking for something quick and dirty? Ask and ye shall receive.
IoT Hacking Defenses I Missed
I mean for this article to be a resource, so if I’ve missed any (or many) ways to protect your IoT, please post them in the comments below.