Just like any internet-connected device, IoT devices can be targeted, hacked, and exploited for nefarious purposes. The industrial internet of things (IIoT) represents a target-rich hunting ground for bad actors with malicious intent, which means attacks on IIoT devices will escalate. That’s why IoT device security should be a priority for every business, and why SASE should be at the center of your IoT security discussions.
Film buffs may recall one of the first times an IoT hack was used as a plot device: the 1969 British original of The Italian Job, where thieves subvert Turin’s traffic-management system to create a gigantic traffic jam that facilitates the heist of gold bullion. This Kaspersky article cleverly analyzes these (and other) genius hackers in several films. One chilling conclusion: “the cinematic stereotype of the genius hacker harms the security of real companies. People are so sure that bad actors can do anything that they don’t bother with maximum protection, leaving unnecessary loopholes.”
A November 2020 report from ABI Research illustrates just how many devices might be at risk:
At the end of 2020, 6.6 billion Internet of Things (IoT) devices will be connected and active worldwide; 840 million of them will use cellular networks, which is just under 8% of the total. At the end of 2014, there were 180 million cellular IoT devices active worldwide, and that number increased by over 4.5X in the six intervening years. In another six years’ time, we will witness a further near-7X growth in cellular IoT devices, bringing the global total to 5.7 billion. More smart devices are being deployed, and more types of device are becoming smart.
These devices are increasingly smart, but they are not necessarily secure: a 2020 Palo Alto Networks study reported that 98 percent of all IoT traffic is currently unencrypted. IIoT devices present attractive attack surfaces, meaning any point or part of the system through which an unauthorized user or attacker can try to get in. For any IoT device connected to the network over cellular, there are several key attack surfaces: the device, the wireless module, the data transmission from the device to an application, the application infrastructure, and the application itself. Any of these surfaces can be used to gain access, to misuse or abuse the system, and to read or modify confidential information.
Strong IoT Security is a Must
These potentially devastating security breaches make exceptionally strong IoT security an imperative for any business that depends on data from devices communicating over a cellular connection. The latest technologies, such as communications platform as a service (CPaaS) and secure access service edge (SASE) can help manufacturers keep their connected devices secure, but to counter the evolving range of cybersecurity threats, security experts should conduct regular audits and implement a three-pronged approach:
Understand how and why their IoT applications and devices are vulnerable to hacking attempts;
Learn from the IoT security failures of others;
Apply modern technologies and strategies to harden the security of their devices and applications.
One reason why cellular IoT devices are so vulnerable to hacking attempts is that the network to which they are connected is not secure. Smart businesses avoid the public internet for IoT device communications, but private networks are equally susceptible to substandard security practices. Even if your network traffic is encrypted, malicious actors can compromise IoT devices with these five techniques:
Eavesdropping and traffic sniffing: Poor encryption settings for data transmission make your communication vulnerable to hackers who want to read, steal, or otherwise tamper with your data. This is an especially significant security threat for IoT networks, as regular transmissions between and among devices are usually not encrypted. While encryption may not seem necessary for devices that do not store sensitive data, such as thermostats, an unsecured device and its unencrypted transmissions can still provide a hacker with an entry point into your wider network.
DNS poisoning: Another common threat stems from compromised public domain name systems (DNS). DNS poisoning is a tactic employed by malicious actors to divert and re-route communication between devices away from a legitimate application server to a spoofed one.
Distributed denial of service: A distributed denial of service (DDoS) attack is a technique by which a server is inundated with redundant requests, effectively overloading its capacity and taking it completely offline. A DDoS is usually carried out from a botnet into which a large number of previously breached servers and computers have been subsumed.
Unprotected SIM: Remote cellular IoT devices, such as sensors and meters, may be located in publicly accessible places where a bad actor can easily snatch them, breach them, extract the SIM card held inside the device, and use it to tap into the company’s data.
Redefining home base: Once malware has successfully taken control of an IoT device, it can re-program it to ‘call home’ to the hacker’s base, thereby sending sensitive data to malicious actors without the owner’s knowledge and consent.
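Three of the five techniques above leave traces in ordinary flow records: unencrypted transmissions show up as plaintext protocol ports, a re-programmed device ‘calling home’ shows up as a destination the fleet was never meant to talk to, and a device conscripted into a botnet shows up as a flood of packets at a single server. The script below is an added example, not code from the article or from EMnify; the device classes, the allowlist of application endpoints, the hostnames and the flow records are all constructed for the demonstration.

```python
"""Added example (not from the original article): screening constructed IoT
flow records for three of the threats described in the text -- unencrypted
transmissions, devices 'calling home' to an unexpected destination, and a
device flooding one server with requests (botnet / DDoS participation)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical per-device-class allowlist of (host, port) application endpoints.
EXPECTED_DESTINATIONS = {
    "meter": {("app.example-iot.test", 8883)},     # MQTT over TLS
    "camera": {("video.example-iot.test", 443)},   # HTTPS
}

# Ports whose usual protocol carries no transport encryption. Assumption: the
# fleet is expected to use TLS (MQTTS, HTTPS) only, so any of these is a finding.
PLAINTEXT_PORTS = {80: "http", 1883: "mqtt", 23: "telnet", 21: "ftp"}


@dataclass(frozen=True)
class Flow:
    device: str     # device identifier
    kind: str       # device class, used to look up the allowlist
    dst_host: str   # destination host or IP as seen by the network
    dst_port: int
    packets: int    # packets sent in a fixed 60-second window


# Constructed sample flows (198.51.100.0/24 is a documentation range).
FLOWS = [
    Flow("meter-01", "meter", "app.example-iot.test", 8883, 12),
    Flow("meter-02", "meter", "app.example-iot.test", 1883, 12),     # plaintext MQTT
    Flow("camera-07", "camera", "video.example-iot.test", 443, 300),
    Flow("camera-07", "camera", "198.51.100.23", 6667, 5),           # 'calling home'
    Flow("camera-09", "camera", "srv.example-target.test", 443, 48000),  # flooding
]


def unencrypted_flows(flows):
    """Flows to a port whose protocol normally carries no encryption."""
    return [(f.device, f.dst_host, f.dst_port, PLAINTEXT_PORTS[f.dst_port])
            for f in flows if f.dst_port in PLAINTEXT_PORTS]


def unexpected_destinations(flows):
    """Flows whose (host, port) is not on the allowlist for the device class."""
    findings = []
    for f in flows:
        allowed = EXPECTED_DESTINATIONS.get(f.kind, set())
        if (f.dst_host, f.dst_port) not in allowed:
            findings.append((f.device, f.dst_host, f.dst_port))
    return findings


def flooding_devices(flows, threshold):
    """(device, host) pairs whose packet total in the window exceeds threshold."""
    totals = Counter()
    for f in flows:
        totals[(f.device, f.dst_host)] += f.packets
    return sorted(key for key, total in totals.items() if total > threshold)


def screen(flows, flood_threshold=1000):
    """Run all three checks and return the findings in one dict."""
    return {
        "unencrypted": unencrypted_flows(flows),
        "unexpected_destination": unexpected_destinations(flows),
        "flooding": flooding_devices(flows, flood_threshold),
    }


if __name__ == "__main__":
    for category, items in screen(FLOWS).items():
        print(category)
        for item in items:
            print("   ", item)
```

The allowlist is the important design choice: a fixed-function device has a small, knowable set of legitimate peers, so anything outside that set is worth a ticket even when the destination is not on any threat list. The flood threshold is deliberately crude; a production check would compare against each device class’s own baseline rather than one constant.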
Humans in the loop
It’s an obvious attack surface but worth restating. Hackers are skilled at exploiting one of the weakest links in the security chain: humans. People, even seasoned security professionals, may opt for convenience over bulletproof security. This may be intentional; they don’t want the hassle of complex passwords and the need to change them frequently. Effective ‘password hygiene’ is crucial, meaning policies that require human operators to use hard-to-crack passwords (or multi-factor authentication) that are beyond the reach of a brute-force attack.
Past security breaches teach valuable lessons
While the technology used by hackers continues to evolve and new zero-day exploits are discovered daily, security professionals can still learn valuable lessons by analyzing past security breaches and applying lessons learned to their network and security policies.
Here, it pays to understand (or try to understand) the motivations of malicious actors for intruding into your network. While the recent hack of the Colonial Pipeline was aimed at extorting ransom payments, other attacks like the 2016 Mirai botnet case were solely about wreaking havoc. In 2016, a type of malware was being disseminated across the internet. It eventually subsumed over 145,000 IP cameras into a botnet, and then instigated DDoS attacks against the servers of the computer game Minecraft and the websites of companies such as Netflix, Twitter, and Reddit. What damage could this sort of attack wreak on your critical assets?
Deficient network topologies and security protocols
A surprisingly large number of IoT network connectivity models rely on an approach that routes traffic first through the central local area network (LAN — a company’s internal network) and then to the WAN (the public internet) to the individual device’s location. This is especially true for IoT networks that extend across vast (often continental or global) distances.
To keep communications secure, traditional networks make use of a complex setup of dedicated endpoint clients that are needed to establish a VPN connection or use SSL/TLS encryption between the various IoT endpoints and the application that processes their data.
Unfortunately, this topology is no longer up to the task of securing communications, due to the exploding number of new devices being added to the IoT, enabled by new connectivity models such as WiFi and Zigbee and by the continuing miniaturization and falling cost of these devices.
Another factor at play is the emergence of SaaS applications and the need to efficiently (and securely) transport large volumes of device traffic directly into the cloud. Clearly, cellular-enabled IoT applications require a new approach to both network topology and security technology.
CPaaS adds communications to your cloud
The shortcomings of the prevalent approach have led to the design of a new model: the communications platform as a service (CPaaS). To efficiently manage and process thousands of connected IoT devices, companies need a dedicated cloud that is optimized for the task; in this regard, CPaaS offers unique advantages.
IT research firm Gartner defines the CPaaS model as offering “a cloud-based, multilayered middleware on which (companies) can develop, run and distribute communications software.” A CPaaS provides developers with application programming interfaces (APIs) so they can easily integrate different communication channels into their applications.
While the model was originally designed for a person-to-person context (such as voice or video messaging), CPaaS has evolved to cater to the various technical requirements of IoT applications. With CPaaS providing the stack architecture for IoT applications, it became clear that a better approach for security was needed.
SASE maximizes protection for IoT devices
The term SASE (short for Secure Access Service Edge and pronounced like the English word ‘sassy’) was coined by Gartner in its 2019 Networking Hype Cycle and Market Trends report. The term popularized a new cloud architecture concept, in which the networking and security functions are bundled together and delivered as a single service via the cloud.
The SASE concept is characterized by a global cloud-native architecture, identity-driven services, central policy control, and distributed security enforcement. Using SASE, organizations can integrate their network and security tools into a single management console. This gives them greater visibility of all their traffic and communications.
Originally developed to suit the changing requirements of an increasingly remote and globally distributed workforce that required access to enterprise IT infrastructure, SASE has emerged as the best way to manage IoT devices.
In essence, multiple virtualized networking and security applications are converged through SASE into a single, unified cloud service offering. A centralized policy control system helps to deliver secure access to clients by offering optimized data routing and the protection of communications traffic to the various individual applications. This is independent of where the device, network, and IoT application are located.
SASE is optimized for IIoT
The SASE model differs markedly from traditional networking models in several ways. First, it locates security checkpoints closer to the original data source. Next, the various policies (such as access protocols) are administered at distributed points of presence (PoP). These PoPs can be a company’s data centers or cloud regions, if located in relatively close proximity to the device in question. Access is granted upon verification of the identity of the IoT device. A device can be identified based on specific attributes or its location. Furthermore, the policies themselves are programmable and can be tailored to the needs of individual applications.
As SASE combines a cloud-based, centralized system for policy management with local enforcement of identity-driven services, this model gives users the best of both worlds. Using the cloud reduces cost and complexity, because all network security services can be consolidated with a single vendor, which gives users a comprehensive overview of all communications among managed devices.
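The three ingredients just described (identity-based access, decisions taken at the PoP nearest the device, and programmable per-application policies) fit in a short piece of code. The following is an added example written for this article; it is not EMnify’s product, not any vendor’s SASE API, and not a real enforcement point. The PoP list, the device classes, the HMAC-based device identity and the policy rules are all assumptions made for the demonstration.

```python
"""Added example (not the article's own code and not a vendor's SASE API):
a toy of the identity-driven, policy-based access decision the text describes.
A device presents an identity token; the decision is taken at the PoP nearest
its reported location; per-application policies, which are ordinary functions
and therefore 'programmable', allow or deny. Unknown applications are denied."""
import hashlib
import hmac
import math
from dataclasses import dataclass

# Constructed fleet key used to derive device identity tokens (assumption: the
# platform provisions a per-fleet secret; a real deployment would use per-device
# credentials such as certificates rather than a shared key).
FLEET_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Pop:
    name: str
    lat: float
    lon: float


# Hypothetical points of presence.
POPS = [
    Pop("eu-central", 50.1, 8.7),
    Pop("us-east", 39.0, -77.5),
    Pop("ap-south", 1.3, 103.8),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def nearest_pop(lat, lon):
    """The PoP closest to the device's reported location."""
    return min(POPS, key=lambda p: haversine_km(lat, lon, p.lat, p.lon))


def device_token(device_id, device_class):
    """Identity token bound to both the device id and its class (constructed scheme)."""
    msg = f"{device_id}:{device_class}".encode()
    return hmac.new(FLEET_KEY, msg, hashlib.sha256).hexdigest()


def verify_identity(device_id, device_class, token):
    """Constant-time comparison so a forged token cannot be guessed byte by byte."""
    return hmac.compare_digest(device_token(device_id, device_class), token)


# Programmable policies: application -> rule(device_class, pop_name) -> bool.
POLICIES = {
    "telemetry-ingest": lambda cls, pop: cls in {"meter", "camera"},
    # Example of a location-dependent rule (e.g. data residency): only via eu-central.
    "firmware-update": lambda cls, pop: cls == "meter" and pop == "eu-central",
    "admin-console": lambda cls, pop: False,   # devices never reach admin tooling
}


def authorize(device_id, device_class, token, lat, lon, application):
    """Return (decision, pop_name, reason) for one access request."""
    if not verify_identity(device_id, device_class, token):
        return ("deny", None, "identity verification failed")
    pop = nearest_pop(lat, lon)
    rule = POLICIES.get(application)
    if rule is None:
        return ("deny", pop.name, "no policy for application")   # default deny
    if rule(device_class, pop.name):
        return ("allow", pop.name, "policy matched")
    return ("deny", pop.name, "policy rejected")


if __name__ == "__main__":
    tok = device_token("meter-01", "meter")
    print(authorize("meter-01", "meter", tok, 50.0, 8.6, "telemetry-ingest"))
    print(authorize("meter-01", "meter", tok, 1.35, 103.9, "firmware-update"))
    print(authorize("meter-01", "meter", "00" * 32, 50.0, 8.6, "telemetry-ingest"))
```

Two points carry over to a real deployment: identity is checked before any policy is consulted, so an unidentified device never learns which applications exist, and the absence of a policy is a denial rather than a pass-through.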
SASE differs from traditional network security models in other important ways:
Remote access to on-premises resources: Whereas traditional models depend largely on VPN technology and SSL encryption or make use of a dedicated endpoint client, SASE acts as a VPN replacement. As part of this, you can connect IoT devices to a SASE to access on-premises or cloud services and the relevant policies are defined and applied through the SASE API.
Access to cloud resources: In a traditional network setting, cellular access of IoT devices to cloud resources is treated like any other online asset, using traditional firewalls, proxies, and normal access to the public internet. A SASE, on the other hand, provides IoT devices with optimized, streamlined, cloud-aware network access.
Networks and internet access: It is complicated to access a cellular network through a traditional software-defined wide area network (SD-WAN) enterprise architecture. A SASE service integrates cellular access and traffic optimization capabilities into a cloud service. This greatly facilitates connectivity between devices.
Backend application security: In the traditional model, firewalls, or web application firewalls (WAF), and backend services are usually separate and distinct applications or platforms, which makes integration cumbersome. A SASE, however, provides policing and identity-based access control from a central location, giving users a comprehensive view of network topology and activity.
Network access control: Standalone IoT devices rely on local configuration settings and software components to control network activity. SASE services instead aggregate a number of network security and access control functions, including firewall as a service, into one unified fabric.
A modern SASE architecture can deliver a whole gamut of different network and security features. However, these may vary across different vendors’ offerings. The following considerations may be relevant for some manufacturers:
Dynamic Data Routing with SD-WAN: Using SASE, network access and traffic optimization are integrated in an infrastructure setup that is distributed across the globe and makes use of multi-regional PoPs. Having access control and security policy enforcement as a cloud-based service, eliminates the need for users to divert communications traffic through a vendor’s own network. Routing data instead to a SASE PoP located in proximity to the device greatly reduces the latency of the IoT application in question.
Firewall as a Service (FaaS): Using a cloud-based FaaS is an effective solution to filtering out unwanted and potentially malicious internet traffic and thereby protecting services delivered on the edge.
Cloud Access Security Broker (CASB): A CASB secures transmissions into multiple cloud environments against eavesdropping, traffic sniffing and data theft by thoroughly encrypting them.
DNS Security: By enabling users to configure trusted DNS services, a SASE solution helps them to protect the integrity and availability of their DNS.
Threat Detection: Lastly, SASE services provide users with a complete visibility of the network and drilled-down event metrics to help them do a root cause analysis on any anomalies that may have arisen in their IoT solution.
Getting started with CPaaS and SASE
First, undertake an audit of where your company stands regarding connected devices. What network topology do you use? Do you already make use of cellular connectivity for your IoT devices? Next, identify which of your devices are at the greatest risk, and assess what those risks are. Lastly, perform a gap analysis to see how your current infrastructure compares with a CPaaS and SASE environment.
If your findings show that a CPaaS and SASE environment is superior to your current model, you should consider upgrading to this better option. Using the CPaaS deployment model and the SASE security architecture is an effective way to guard against the threats that confront IoT devices. A SASE enables users to effectively control all IoT data connections to the public internet, an intranet, a SaaS cloud, and to a distributed workforce.
The looming threat of security breaches and the increasing prevalence of actual intrusions into company networks make it imperative for any business that depends on IIoT devices to harden its defenses. A successful security breach can have devastating consequences for any company. Selecting state-of-the-art security technologies such as CPaaS and SASE can give your business much greater confidence in its shield against IoT device hackers.
CTO and Co-Founder EMnify
Martin Giess is CTO and co-founder of EMnify, the global cellular IoT communication platform provider, where he oversees the technical execution of EMnify’s product vision. He has 15 years’ experience as a technology expert in agile development of innovative telecom services. Before founding EMnify, he held technical VP positions at Syniverse and MACH.