Bring Your Own Threat: Securing IT in the Age of IoT

The Internet of Things is seeping into the workplace. Wary of vulnerabilities in IoT devices, firms are now having to worry about this new security threat that’s inside the house.


BYOD offers lessons that can be adapted for IoT, like designating separate networks, employee education and increased systems monitoring.

Visibility into networks allows security professionals to identify the devices that can be a potential entry point for hackers.

IoT devices are becoming more prominent in offices and are more difficult to protect without the ability to write security programs onto the platform, as is possible with smartphones.

As such, new techniques and approaches to security are required, and firms cannot rely on the status quo.

Maintaining a firm’s digital defenses is the top priority for information security officers, but that job becomes difficult when the walls can, quite literally, have ears. Today, it isn’t an employee’s smart phone that cybersecurity experts are worried about—it’s the Wi-Fi-connected refrigerator in the kitchen, the digital cappuccino maker and the smart photo frame on an employee’s desk. Any of these could be compromised if left unsecured, and anyone could be listening in.

The Internet of Things (IoT) is the new bring-your-own-device (BYOD), and the lessons learned from that debate are laying the groundwork for securing these new internet-enabled devices. But experts warn that IoT requires a higher level of surveillance and employee awareness to ensure it doesn’t compromise the firm.

“IoT is different from smart phones, because smart phones are made for communication,” says Sheldon Cuffie, chief information security officer (CISO) at life insurance firm Northwestern Mutual. “The BYOD debate doesn’t really compare to IoT because that was more software-based, where I can secure it from within—this is mostly embedded in the system.”

Most people associate IoT with popular consumer products like Amazon Echo, Tile, Nest or Google Home, but it has an infrastructural flavor, too. Industrial IoT is less well known, but it can be everywhere—heating, ventilation and air conditioning systems that connect to networks, security cameras and automated fire detection systems are all IoT-enabled. Both the industrial and consumer versions can be infiltrated and used to seek out important data, or to plant code designed to operate within a bank or buy-side firm’s own systems.

“One of our clients installed vending machines that let employees swipe their IDs to pay for snacks and this can be dangerous because if it’s hacked, information about the employees can be released,” says Nicole Eagan, CEO of cybersecurity specialist Darktrace. “Visibility is really important because IoT attracts all kinds of unknown attacks, and clients often don’t know how many devices are connected to their networks.”

Battle Hardened

In general, industrial IoT tends to be easier to manage than consumer devices, because these systems are crucial for the business to function and, as such, tend to be hardened against attack with more robust built-in security. They also tend to run on separate networks because of the volume and importance of the data that flows through them, and there is less reliance on a manufacturer to secure the device: an organization can usually put its own security controls onto industrial IoT equipment. “Industrial IoT has higher stakes for safety so the security there is more straightforward. But the trouble with IoT is that it’s still vulnerable,” says Tyson Macaulay, CTO of cyber at BAE Systems Applied Intelligence.

Consumer devices that staff bring into the building are the ones that keep CISOs awake at night, particularly given the fact that the security pedigree of these technologies often leaves much to be desired.

With BYOD, smartphones and tablets had the advantage of supporting third-party apps, so security teams could deploy their own controls onto the device, such as encryption and two-factor authentication apps that require a second verification step before email can be opened on the phone. IoT devices are often self-contained, with no application platform on which to install security software, so the firm depends on the manufacturer for security updates. Consumer IoT products are also released at a pace that security assessment and patching processes struggle to match. “The majority of IoT manufacturers are small firms or companies that don’t really need to think about security. These are not just the Amazons or Googles of the world but appliance companies that have to hire a third party to put in the internet capability,” Macaulay continues. “We need to ask manufacturers questions around the security of their devices and maybe even set certifications so that these firms follow them. But until then, we have to manage the risks these devices carry.”

Threat Vectors

Put simply, once a device is connected to the network, it is a potential foothold from which an attacker can reach an organization’s systems. The stakes involved in such intrusions can be extremely high; in some cases, life and death. Compromised IoT devices can also be herded into a ready-made botnet slaved to malicious tasks, such as launching distributed denial-of-service attacks that shut down public or private infrastructure. Security researchers have posited that the recent WannaCry ransomware attacks on the UK’s National Health Service and other medical facilities around the world were able to spread so quickly, in part, by infecting IoT-enabled devices connected to hospital networks. The worm itself propagated through an SMBv1 flaw in unpatched Windows hosts, and much network-connected medical equipment runs embedded Windows builds that cannot be patched on a normal schedule, which is how such devices become both victims and carriers. In January 2017, the New York City Department of Health issued a warning that even IoT devices such as baby monitors were being hacked.

These and other events underscore the vulnerability of IoT devices as machines mainly made for utility and convenience, with only basic—if any—protections against cyber threats. In financial services companies, these defense gaps could have severe consequences. Yet organizations have been slow to react, and worse, often ignore the problem until it directly affects them. “Until a law exists requiring standards or even certification for network safety, companies won’t do it because it rarely offers a competitive advantage,” says BAE’s Macaulay. “Regulators have a role in IoT and certification bodies like the International Standardization Organization are looking at it, and studying how they can participate. I’d say we might be two to five years away from getting standards around IoT safety.”

Focus

Until that point, the focus at many firms is on keeping the business as safe as possible from these threat vectors. That involves protections that sound simple when taken at face value, but can be difficult to implement in practice. One of these is establishing a guest network to which employee-owned devices must connect and on which IoT devices can be segregated from corporate systems. Josh Stabiner, CISO and head of technology infrastructure for asset manager Pine River Capital, says the key to this strategy is understanding which IT assets within the company can be effectively managed by security professionals. “You have to separate what you can control versus what the vendor can control, and what I can control is the network. I can set up a separate network from my corporate one that allows these devices to connect to the internet,” he says. “As long as I’m smart about it, keep it air-gapped and not let it flow from one to the other, I can have some relative comfort that these devices can connect to the internet safely.”

But the problems don’t stop with where these devices are plugged in. Stabiner adds that even when IoT devices sit on a separate, hardwired network, they still need to be monitored: many carry their own Wi-Fi or Bluetooth radios and can “talk” to nearby devices that are not on the segregated lines, sidestepping the segmentation. Even then, if security updates are not applied, these protections could be circumvented. “Separate networks, working with vendors for patches and educating your users are good practices,” he continues. “I also want my users to keep their devices up to date—it’s better for me when all my employees are safe at home so we include that in our security training twice a year.”

This strategy might not be for everyone, of course. Smaller firms with limited or over-stretched network infrastructure may have a harder time designating separate networks for smart devices and IoT. John Popolizio, chief security officer at advisory firm Riverdale Group, and a former enterprise chief security officer at New York Life, says companies need to understand whether their infrastructure can handle further segmentation. “Ideally, you would be able to segment out IoT devices, but some infrastructure might prohibit that or the design precludes firms from doing that,” he says. “That’s when other techniques need to come in.”

People Power

The best defense comes from what is arguably the biggest weakness in a firm’s security—its employees. Pine River’s Stabiner says education is important, so users know at least the basics of protecting their data, and perhaps more importantly, understand the implications of not protecting it. “I think there’s education that needs to be done, so that people know what security features are available to them,” he says. “There are some organizations that say it’s the consumer’s responsibility to protect themselves, especially if they have these devices in their homes. But that’s absurd because you can’t expect the average consumer to implement firewalls at home if they’re not aware of the danger.”

However, employees have to take some responsibility for what they bring into their work environments. For example, while new phones and tablets generally have to be registered with technology staff before they’re allowed access to internal systems, it’s fairly easy for an employee to bring in an IoT device like a fitness tracker without the cybersecurity team noticing for a while, unless the firm is diligent about monitoring its networks. A good cybersecurity program includes culture change: getting employees to proactively protect their data and their devices, and to understand the dangers of connecting unsecured devices to sensitive networks. Most firms have had such policies in place since the emergence of BYOD arrangements, and they have become ever more important as the range of outside devices entering the business increases.

Secure

But if all else fails, the simplest control is not to let IoT devices onto company networks in the first place. Northwestern Mutual’s Cuffie says he takes the no-nonsense approach of simply not allowing unknown devices to connect to his company’s wireless network, and takes great pains to identify which devices are on the guest network. “In my organization, we don’t allow non-corporate-sanctioned devices to connect to our network. We monitor that network, as well as our guest network, for personal devices,” he says. “It’s just too risky to allow these kinds of devices on the corporate network.”
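The monitoring that Stabiner, Eagan and Cuffie describe, and the segmentation check Stabiner wants behind it, both start with knowing which devices hold addresses on which network. The script below is an added example, not code from the article or from any of the firms quoted: it reads DHCP lease records in the dnsmasq leases-file layout, checks each against a sanctioned-device inventory, and flags three things a CISO running a split corporate/guest design would want to hear about: unknown devices holding a corporate lease, sanctioned IoT devices that have turned up on the corporate subnet instead of the segregated network, and unknown devices on the guest network that still need to be inventoried. The subnets, MAC addresses, hostnames and the inventory itself are constructed for illustration.

```python
"""Spot unsanctioned or mis-segmented devices from DHCP lease records.

Added example; not code from the article or the firms it quotes.
Lease lines follow the dnsmasq leases-file layout:
    <expiry-epoch> <mac> <ip> <hostname> <client-id>
All subnets, MACs, hostnames and inventory entries below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed segment layout: a corporate LAN and a separate guest/IoT network.
SEGMENTS = {
    "corporate": ip_network("10.10.0.0/16"),
    "iot-guest": ip_network("10.99.0.0/24"),
}

# Sanctioned inventory: MAC -> (description, segment the device is allowed on).
# Constructed sample; a real deployment would load this from the CMDB or NAC.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("finance-laptop-017", "corporate"),
    "aa:bb:cc:00:00:02": ("print-server-2f", "corporate"),
    "aa:bb:cc:10:00:01": ("lobby-camera-1", "iot-guest"),
    "aa:bb:cc:10:00:02": ("kitchen-fridge", "iot-guest"),
}

# Constructed lease lines: two well-placed devices, one camera that has
# wandered onto the corporate LAN, and two devices nobody registered.
SAMPLE_LEASES = """\
1499000000 aa:bb:cc:00:00:01 10.10.4.21 finance-laptop-017 01:aa:bb:cc:00:00:01
1499000000 aa:bb:cc:10:00:02 10.99.0.17 kitchen-fridge *
1499000000 AA:BB:CC:10:00:01 10.10.4.88 lobby-camera-1 *
1499000000 de:ad:be:ef:00:42 10.10.4.90 fitbit-sync *
1499000000 de:ad:be:ef:00:43 10.99.0.40 echo-dot *
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    mac: str
    ip: str
    hostname: str
    reason: str


def parse_lease(line):
    """Return (mac, ip, hostname) from one lease line, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[1].lower(), parts[2], parts[3]


def segment_of(ip):
    """Name of the segment that contains ip, or None if it is on neither."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def audit_leases(lines):
    """Compare every lease against the inventory and the segment policy."""
    findings = []
    for line in lines:
        parsed = parse_lease(line)
        if parsed is None:
            continue
        mac, ip, hostname = parsed
        seg = segment_of(ip)
        entry = INVENTORY.get(mac)
        if entry is None:
            if seg == "corporate":
                # Policy: nothing unsanctioned holds a corporate address.
                findings.append(Finding("high", mac, ip, hostname,
                                        "unknown device holding a corporate lease"))
            else:
                where = seg or "unrecognised subnet"
                findings.append(Finding("info", mac, ip, hostname,
                                        f"unknown device on {where}; inventory or block it"))
            continue
        desc, allowed_seg = entry
        if seg != allowed_seg:
            # A sanctioned device on the wrong network defeats the segmentation.
            findings.append(Finding("high", mac, ip, hostname,
                                    f"{desc} is sanctioned for {allowed_seg} but leased on {seg}"))
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES.splitlines()):
        print(f"[{f.severity}] {f.mac} {f.ip} ({f.hostname}): {f.reason}")
```

Run it against the live leases file (for dnsmasq that is typically /var/lib/misc/dnsmasq.leases) or adapt parse_lease to the log format of whatever DHCP server is in use, and feed the high-severity findings into the SIEM; the fitness tracker that would otherwise go unnoticed for weeks then raises an alert the day it first takes an address.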

Or, as one chief information security officer at a New York-based asset management firm says, just don’t allow them to access anything at all. That might involve uncomfortable conversations, such as telling the CEO that bringing in an IoT device is too risky. “If you let employees bring their devices in, you have much bigger problems,” he says. “As the security guys, you can just say no.” 
