In the minute it takes to read this paragraph, hundreds of smart devices will connect to the internet for the first time. In 2017, McKinsey estimated that 127 Internet of Things (IoT) devices came online every second, and GSMA expects a total of 23.3 billion IoT devices by 2025.

Last year, hackers tried to change the concentration of sodium hydroxide in Oldsmar, Florida’s drinking water. The Colonial Pipeline ransomware attack resulted in "panic buying." Any cyberweapons initially targeting Ukraine "may impact organizations both within and beyond the region," per CISA. In 2015, hackers remotely disabled a Jeep’s brakes; that year, a Ford GT had more lines of code than an F-22 Raptor fighter jet or a Boeing 787.

More devices are coming online every second, and many control or connect to vital infrastructure. World governments saw a 1,885% increase in ransomware attacks in 2021. 

Given these trends and the ongoing crisis in Ukraine, it’s more important than ever that security experts take a holistic view of security, which means revisiting and reinforcing something that has tended to be forgotten or missed altogether – IoT security. 

Managing identity and access control

Security professionals have a lot of catching up to do. In the past, security experts tracked three main types of users: (1) physical users, or real-world, carbon-based humans; (2) silicon users, which include physical hardware like a smartphone, printer, laptop or any other tangible device; and (3) digital users, which include the service accounts that link all three.

Good security practice says that an account is an account, no matter who or what is using it. Organizations need authentication to verify an account is what it claims to be and attestation to control what it can do. 

The reality is that, while security professionals have long been aware of these three categories, to date they’ve focused most of their attention on physical users. If Paula was joining an organization’s finance team on Monday, then the security team needed to make sure that she had the resources she needed to do her job. They also ran attestation on Paula’s account: What did she have access to? Why did she need it? And what was she using it for?

Prioritizing human users was an understandable choice when information technology (IT) teams were charged with protecting LaserJets and employee laptops — why bother running attestation on service or machine accounts? What’s the worst that could happen? 

The answer is plenty. Security leaders must evolve their thinking now that machines can change the chemical composition of drinking water.

The rise of machine identities

Our choice to focus on human users has led to far too many ungoverned accounts, significant blind spots in silicon and digital account security, and major vulnerabilities for cybercriminals to exploit. 

The growth of 5G internet is creating an explosion of IoT devices accessing the network. Security leaders don’t spend nearly enough time thinking about what those devices are tracking, who they’re sharing that information with, or how that information can be used.

Security professionals have also tended to overlook service accounts. If one machine was talking to another, security teams tended to trust both to run as admin profiles with limited oversight. Security teams even maintained static, hard-coded passwords for service accounts, and those passwords tended to be easily accessible (sometimes even stored in an unencrypted text file).

Service accounts were already over-provisioned before smart devices changed the nature of tech stacks; today, they remain vulnerable to cyberattacks. Like poisonous mushrooms, service accounts have been growing in the dark. One report indicates that organizations have five times as many service accounts as they have employees. 

Machine or service accounts can’t skate by anymore. An account is an account — and it needs to be secured accordingly. Security leaders should move to least privilege with every account and ensure each one has only the entitlements necessary to perform its role. Cybersecurity teams must also perform regular attestation on service and machine accounts so they know what machines are doing with their access and why they need it.

Securing IoT infrastructure also means moving toward zero trust with every account — service and machine users can’t get a free pass any longer. Organizations can move closer to zero trust by implementing smarter security infrastructure that can learn from context, baseline what "normal" looks like for a machine or service account, and flag significant deviations, like when a municipal machine based in Florida begins interacting with accounts in a foreign country and outside of normal business hours. 
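The baseline-and-flag approach described above, sketched as an added example that is not from the original article: it learns which peer countries and local hours are normal for each machine account, then flags events that deviate on both, plus any account with no baseline at all. The account names, the event format and the "XX" country code are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history: a hypothetical service account on a Florida utility
# network, active 08:00-17:59 local time, talking only to US peers.
HISTORY = [("svc-water-hmi", f"2024-03-{d:02d}T{h:02d}:05:00", "US")
           for d in range(4, 9) for h in range(8, 18)]

# Constructed new events to score. "XX" is a placeholder country code.
NEW_EVENTS = [
    ("svc-water-hmi", "2024-03-11T09:05:00", "US"),   # normal
    ("svc-water-hmi", "2024-03-11T22:40:00", "US"),   # odd hour only
    ("svc-water-hmi", "2024-03-12T02:14:00", "XX"),   # odd hour + new country
    ("svc-unlisted",  "2024-03-12T10:00:00", "US"),   # no baseline at all
]

def build_baseline(events):
    """Per account, record the peer countries and local hours seen so far."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for account, ts, country in events:
        base[account]["countries"].add(country)
        base[account]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)

def deviations(event, baseline):
    """List the ways one event departs from its account's baseline."""
    account, ts, country = event
    profile = baseline[account]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new peer country {country}")
    if hour not in profile["hours"]:
        reasons.append(f"activity at unseen hour {hour:02d}:00")
    return reasons

def flag(events, baseline, min_reasons=2):
    """Flag unknown accounts, and known ones with >= min_reasons deviations."""
    flagged = []
    for event in events:
        if event[0] not in baseline:
            flagged.append((event, ["account has no baseline"]))
            continue
        reasons = deviations(event, baseline)
        if len(reasons) >= min_reasons:
            flagged.append((event, reasons))
    return flagged

if __name__ == "__main__":
    for event, reasons in flag(NEW_EVENTS, build_baseline(HISTORY)):
        print(event, "->", "; ".join(reasons))
```

Requiring two deviations keeps a single late-night job from paging anyone, while an account that appears with no baseline is surfaced immediately as ungoverned.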

Cybersecurity teams already have the framework they need to secure IoT. Security leaders just need to implement it at scale and as quickly as possible.