
Five key steps to full device defensibility

Part 3: Protecting distributed IoT devices

By Bud Broomhead
September 29, 2020

In part 1 of this series, we covered why distributed Internet of Things (IoT) devices are attractive and vulnerable targets for cyber criminals and hackers. By their nature, they are relatively easy to compromise and are often connected to networks with high-value content. Moreover, IoT devices rarely have direct user interaction, so many types of device compromise are likely to go unnoticed and undetected.

In part 2, we turned our attention to strategies for protecting these devices, which, in turn, helps to protect your entire network. Protecting an IoT device involves reducing the device's attack surface by eliminating or hardening points of attack, so we covered proactive strategies for protecting three particular areas of vulnerability where compromises can result in class breaks.

Here in part 3, we present a framework for full IoT device defensibility in real-world deployments at scale.

Device Defensibility at Scale

For large device-count IoT deployments, manual processes are not sufficient to ensure that all the applicable policies are implemented in an accurate, effective, and timely fashion. It is simply not possible for any such processes to maintain an accurate accounting of every device attached to a large network, along with the current firmware status, login credentials, and applicable security certificates at all times without errors, omissions, and other mistakes. And unfortunately, such status inaccuracies can leave open doors for hackers to compromise the network.

Instead, maintaining an up-to-date device security profile for large deployments and responding quickly to device attacks requires an automated system for device management at scale. To be effective, the system must include automated management of logon credentials, automated firmware updates, and automated certificate rotation.

The reasoning behind this specific focus, and security hygiene in general, is that there are a relatively small number of root causes for many data breaches, malware infections, and other security incidents. Implementing this small number of specific, relatively simple practices can address those root causes to not only prevent many incidents from occurring, but also to lower the potential impact of incidents that still do occur. In other words, good security hygiene practices make it harder for attackers to succeed, while also reducing the damage they can cause.

Key Steps to Full Device Defensibility

To help you and your organization plan and implement an improved cyber hygiene program, we now present a framework for full IoT device defensibility in real-world deployments at scale. This framework represents current state-of-the-art best practices for protecting IoT devices, and can form the backbone of your assessment, evaluation, and improvement plans. Follow the steps below to strengthen your network defenses.

As an additional reference point for research and confirmation, each step shown below is referenced to the CIS Controls® listed in the Version 7.1 CIS Controls Internet of Things Companion Guide (CIS, 2019). The CIS Controls are internationally-recognized cybersecurity best practices for defense against common cybersecurity threats, and are freely available online at www.cisecurity.org. (Note that the step numbering is independent of the CIS control numbers.)

 

Framework for Full IoT Device Defensibility

  1. Hardware Inventory. Update (or create) your inventory of IoT devices and the applications that utilize them. Also include the servers on the network to which the device connects. (CIS Control 1)

     Documentation. Identify each device and document:

       1. Device Information. MAC address, IP address, make and model, current firmware version, latest available firmware version.
       2. Dependencies. List the applications and other devices having data interface compatibility dependencies on the firmware version of the device being inventoried and documented. Inventory the software application in step 2.
       3. Security Information. Is 802.1x network access control supported and, if so, in use? Are the device/server client certificates self-signed or CA-issued, and what is the certificate expiration date?
       4. Product Life Cycle. Purchase date, warranty expiration date, end-of-sales and end-of-support dates; organization's asset owner; other organization-relevant life cycle information.
       5. Monitoring. Is SNMP or other device monitoring in use? If so, note or reference details.

  2. Software Inventory. Update (or create) your inventory of software applications that interface with or are dependent on data from one or more IoT devices. (CIS Control 2)

     Documentation. For each application:

       1. Software Information. Software vendor, current software version, latest available software version.
       2. Dependencies. Cross-reference the hardware inventory to identify the devices on whose firmware version the application has data interface compatibility dependencies, and record the software version details where specific versions require specific device firmware.
       3. Security Information. Does the application vendor provide deployment hardening advice? Has it been applied? Have the server and operating system been hardened per manufacturer's advice?
       4. Product Life Cycle. Purchase date, warranty expiration date, end-of-sales and end-of-support dates; organization's asset owner; other organization-relevant life cycle information.

  3. Continuous Vulnerability Management. If continuous vulnerability management is not yet in place for the IoT devices and applications, for each type of device and application, determine how to continuously acquire, assess, and act on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. (CIS Control 3)

     Tools. For each type of IoT device:

       1. Qualify. Identify the automated tools that are most suitable for managing device passwords, firmware updates, and certificates at scale. Remember that the tool must update the logon credentials not only in the devices, but also in the software and other devices that use the logon credentials to authenticate themselves. Automated credential management must use the dual-certificate approach or another approach to minimize the offline time required for certificate rotation in devices and applications.
          1. Cost. Determine the tool costs and cost options.
          2. Select. Identify the tools that most closely fit the IoT deployment's security needs.
       2. Implementation Approach. If the organization has another vulnerability management program or process, align with or enroll in that program or process as appropriate.
       3. Remediation. Outline a risk-rating process to prioritize the remediation of discovered vulnerabilities.
       4. Roles and Responsibilities. Determine the roles required for vulnerability management and identify candidate in-house or service-provider personnel for them.
       5. Levels of Effort. Determine the internal level of effort required to implement full IoT device defensibility. If outside resources are needed, determine the level of service required and its cost.

  4. Incident Response. Consult with any existing technology infrastructure response team to understand the incident response coordination required regarding updates to IoT device logon credentials, firmware, and certificates if that will be part of a larger response effort. If not required, then outline a simple incident response plan. (CIS Control 19)

  5. Planning and Approval. Develop an outline plan for implementation. Collaborate with those responsible for resource approval (funding and collaborative resources) and other organization stakeholders to finalize the plan for approval.

       1. Outline Plan. Develop a budgeting approach and an outline plan for implementing the device defensibility capabilities once the budget is approved.
       2. Stakeholders. Consult with internal stakeholders who have an interest in the benefits of the improved IoT security profile that will result. Obtain their support as appropriate.
       3. Approval. Request and obtain approval for the IoT device security profile improvements.
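
The inventory fields documented in steps 1 and 2 only pay off at scale when they are checked automatically. The following is an added example, not part of the original article or of any vendor's tool: a minimal audit over constructed inventory records that flags outdated firmware, firmware updates that would break a dependent application, unused 802.1x, self-signed or expiring certificates, and devices past end of support. The record schema, device and application names, finding codes, and the 30-day certificate window are all assumptions.

```python
from datetime import date

# Constructed sample records. Field names are assumptions modelled on the
# documentation items in steps 1 and 2; they are not a standard schema.
DEVICES = [
    {"mac": "00:00:5E:00:53:01", "model": "ExampleCam A1",
     "fw_current": "2.3.0", "fw_latest": "2.4.1",
     "dot1x_supported": True, "dot1x_in_use": False,
     "cert_self_signed": True, "cert_expires": date(2020, 10, 15),
     "end_of_support": date(2023, 6, 30)},
    {"mac": "00:00:5E:00:53:02", "model": "ExampleSensor B2",
     "fw_current": "1.9.2", "fw_latest": "1.10.0",
     "dot1x_supported": True, "dot1x_in_use": True,
     "cert_self_signed": False, "cert_expires": date(2021, 8, 1),
     "end_of_support": date(2020, 3, 31)},
    {"mac": "00:00:5E:00:53:03", "model": "ExampleLock C3",
     "fw_current": "4.0.2", "fw_latest": "4.0.2",
     "dot1x_supported": False, "dot1x_in_use": False,
     "cert_self_signed": False, "cert_expires": date(2021, 5, 1),
     "end_of_support": date(2024, 1, 31)},
]
# Step 2 dependency data: firmware versions each application is known to support.
APPLICATIONS = [
    {"name": "ExampleVMS", "supported_fw": {"ExampleCam A1": {"2.3.0", "2.4.0"}}},
    {"name": "ExampleBMS", "supported_fw": {"ExampleSensor B2": {"1.9.2", "1.10.0"}}},
]
AUDIT_DATE = date(2020, 9, 29)  # fixed so the sample output is reproducible


def version_key(v):
    """Compare dotted versions numerically so that 1.10.0 sorts above 1.9.2."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev, apps, today, cert_window_days=30):
    """Return the list of hygiene findings for one inventory record."""
    findings = []
    if version_key(dev["fw_current"]) < version_key(dev["fw_latest"]):
        findings.append("FIRMWARE_OUTDATED")
        # Cross-reference: the update must not break dependent software.
        for app in apps:
            supported = app["supported_fw"].get(dev["model"])
            if supported is not None and dev["fw_latest"] not in supported:
                findings.append("UPDATE_BLOCKED_BY:" + app["name"])
    if dev["dot1x_supported"] and not dev["dot1x_in_use"]:
        findings.append("DOT1X_NOT_IN_USE")
    if dev["cert_self_signed"]:
        findings.append("CERT_SELF_SIGNED")
    days_left = (dev["cert_expires"] - today).days
    if days_left < 0:
        findings.append("CERT_EXPIRED")
    elif days_left <= cert_window_days:
        findings.append("CERT_EXPIRING")
    if dev["end_of_support"] < today:
        findings.append("END_OF_SUPPORT")
    return findings


def audit_inventory(devices, apps, today):
    """Map MAC address to findings, omitting devices with none."""
    report = {d["mac"]: audit_device(d, apps, today) for d in devices}
    return {mac: found for mac, found in report.items() if found}


if __name__ == "__main__":
    for mac, found in audit_inventory(DEVICES, APPLICATIONS, AUDIT_DATE).items():
        print(mac, ", ".join(found))
```

The second sample device shows why firmware versions must be compared numerically: a plain string comparison would rank 1.9.2 above 1.10.0 and report the device as current.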

 

Conclusion

In this series, we described why high-device-count distributed IoT systems are now valued cyber targets because most of them currently have poor, or possibly no, cyber hygiene and are relatively easy to secretly compromise at scale. Compromising these systems usually leads hackers to other valuable connected network content, or at the least provides resources that can be leveraged to launch additional attacks.

We also described strategies for protecting vulnerable IoT devices by reducing the devices' attack surfaces, which, in turn, helps to protect your entire network. Fortunately, some leading device manufacturers are starting to improve device cybersecurity features, and a few have even begun to facilitate device management at scale.

In this final part of the series, we presented a framework for full IoT device defensibility that consisted of five key steps. By taking these five steps, organizations will harden their IoT attack surfaces and achieve a highly defensible deployment.

Don’t wait for a damaging network breach to trigger defensive action – take proactive steps now and know that not only are you making it harder for hackers to succeed, but you are also limiting the damage they can cause to your organization.


Bud Broomhead is CEO of Viakoo
