Need more evidence that IoT security is a big deal? Here’s what NIST has to say
If your organization isn’t thinking about internet of things (IoT) security, it could soon face a rude awakening, according to the influential agency that sets cybersecurity standards for the federal government.
The widespread adoption of internet-connected devices will make it more difficult to patch security vulnerabilities, open new avenues for cyberattacks and muddle the visibility into security incidents when they do occur, researchers at the National Institute of Standards and Technology warn in a paper published Wednesday.
The agency recommends that organizations identify the IoT capabilities of the devices on their networks and adjust their risk management processes accordingly. NIST guidance, while expressly aimed at federal agencies, also is widely adopted throughout the private sector. The new document adds to work that the agency did in its globally popular Cybersecurity Framework.
NIST notes that some of the advantages of IoT technology are also vulnerabilities. While automatic patching, for instance, is generally considered essential for traditional IT, that strategy could “have far greater negative impacts on some IoT devices … making critical services unavailable and endangering human safety,” NIST researchers wrote.
It’s especially urgent to understand that nuance now, with the number of connected devices expected to climb to 64 billion by 2025, according to Business Insider Intelligence. “Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity,” NIST writes.
Challenges ahead
In some cases, IoT manufacturers might stop releasing patches — or may not release patches at all — for devices meant for use over an extended period of time. That could render companies and government agencies alike unable to remove even known vulnerabilities, according to NIST.
Also, remote access and strong credentialing practices are often riskier in IoT devices, which could leaving large organizations unaware of certain vulnerabilities.
“IoT network interfaces often enable remote access to physical systems that previously could only be accessed locally,” NIST warns. “This may put the physical systems accessible through the IOT devices at much greater risk of compromise.”
Cryptographic tokens or strong credentialing, such as multi-factor authentication, are not that common for IoT devices either, NIST warns.
That “increases the chances of unauthorized access and tampering through credential misuse,” the institute warns.
And in some cases, IoT devices may make it harder to track cybersecurity incidents.
“A ‘black box’ IoT device may not log its cybersecurity and privacy events or may not give organizations access to its logs,” NIST notes.
Insecure devices
This week, a malware known as Silex has wiped the firmware of thousands of IoT devices. By accessing the device with known default credentials, the malware proved able to delete network configuration and drop firewall rules, according to Akamai researcher Larry Cashdollar. The malware is reminiscent of the BrickerBot malware that attacked and took down millions of devices two years ago.
Approximately 4,000 devices were affected by the malware as of Wednesday evening, Cashdollar told CyberScoop.
Cashdollar said IoT device manufacturers’ awareness of security issues needs to improve as attacks like this continue to proliferate.
“IoT has gotten a bit better security-wise, but legacy devices remain a problem years after they’ve been deployed,” he said. “Manufacturers need to take security and firmware upgrades into account in the future. I believe some have started implementing this, but with so many insecure devices deployed, attacks like this will remain a threat in the near future.”
Charles Clancy, the incoming Vice President for Intelligence Programs at MITRE, a research nonprofit, tells CyberScoop insecurity in IoT devices is driven by market factors right now.
“A lot of the challenges we have now are that the IoT ecosystem is still viewed through the lens of consumer electronics,” said Clancy, a former National Security Agency operator. “It’s all about how quickly something can go to market and security is seen as a cost of that process.”
In government, lawmakers are currently working to get agencies’ IoT security shored up. Bipartisan congressional legislation aimed at improving vulnerability disclosure processes for IoT devices has passed committee muster. The bill is pending approval from the Senate and the House of Representatives. The proposal would push NIST to create disclosure processes, and bar agencies from acquiring devices from vendors not party to the program.