Enterprise IoT security: Is the sky truly falling?
Horror stories in the consumer market have cast a shadow over the Internet of Things. Are enterprise IoT deployments even more at risk?
It's hard to find someone more passionate about the Internet of Things than Bruce Perrin.
Perrin, chief operating officer and acting CIO of Phenix Energy Group -- a company based in Palm Harbor, Fla., that is building a crude oil pipeline across Central America -- hopes to incorporate the Internet of Things into "every conceivable environment." That means, for instance, instead of employees fumbling with key cards or PIN codes to move throughout a facility, building access would be controlled by facial recognition software.
Perrin believes enterprise IoT is the key to improve operational efficiency and reduce human error. Those goals carry an even greater sense of urgency for his company, which has 18 months to lay 220 miles of terrestrial and underwater pipeline and another six months to build the oil tank farms that it supports. In addition to deadline pressures, there is little room for error. Perrin estimates the company would lose $18,000 for every minute of downtime. A full system failure would take nine hours to restore, ultimately costing $9 million in lost revenue.
"We want to take the human factor out of anything that can be done repetitiously," Perrin says. "It just automates the nonsense in my life so that I can get real work done."
But even as one of IoT's biggest champions, Perrin is acutely aware of the risks of adding hundreds of nontraditional devices to his network -- devices that run various operating systems, use any number of proprietary protocols and often don't have the resources for advanced security configurations. Those concerns have shaped his network design and procurement strategy.
"We are taking a sandbox approach, probably to an almost illogical extreme," Perrin says. "But the CEO said to me one day, 'If people get in here and start screwing around with our system, the first thing we're gonna do is mount your head on my wall and replace you with somebody else.' And I'm not fond of that idea. He's an OK guy, but I don't want to spend the rest of my death looking at him."
Amid horror stories in the consumer market about hacked baby monitors, connected cars that can be compromised or accidental denial of service attacks on smart homes, the buzz about enterprise IoT security risks has grown louder as IT departments move these projects into their labs and production environments.
There have been "no widely known IoT device breaches" executed against an enterprise, contends Verizon's 2015 Data Breach Investigations Report, which argues that any vulnerabilities reported so far were identified by researchers. Yet the fast-moving nature of IoT and the broader threat landscape means that could change at any moment. Networking professionals say they are worried, with 60% of those responding to TechTarget's 2015 purchasing intentions survey identifying security as one of the biggest challenges in IoT.
John Becker, chief governance officer at Phenix Energy, says the severity of IoT threats has been largely overhyped. But that hasn't stopped Phenix, and others, from shoring up their security efforts.
"The stuff we read about IoT is really alarmist and sensationalized," Becker says. "I think the bottom line is we need to focus on how systems are designed."
Where is the danger?
It's tempting to look at it this way: A light bulb or HVAC system can't run antivirus software, so IoT must be risky. But that's an oversimplified perspective, says John Pescatore, director of the SANS Institute, an information security training and certification company.
"You know what else you can't run antivirus on? An iPhone -- and iPhones don't get viruses," Pescatore says. "So whenever you hear anybody say, 'Uh oh, you can't run antivirus on that,' you should say 'Yay!' Because that generally means viruses won't run on it either, since antiviral software is essentially a rootkit."
In some cases, IoT devices are being designed upfront with security in mind -- a far more deliberate effort than what went into the original operating systems for PCs and servers, he says.
And while it's likely that enterprise IoT devices will eventually become attractive targets to cybercriminals, it won't be because they want to flicker the lights on and off.
"I'd definitely be concerned with the HVAC or the sensors themselves being an entry point -- a backdoor for someone to come in and attack my system," says Steve Holtsclaw, vice president of IT at Del Papa Distributing, a beer distributor that has deployed IoT devices inside its warehouses and trucks. "Anything that has an IP address can be reached someway and somehow."
These threats can't be mitigated with the traditional approach to security, says Pete Lindstrom, a research director at IDC.
"We get caught up in frameworks for controls, but we're fighting the previous war. This is a different environment," Lindstrom says. "We have to get smarter about the analysis on the back end."
It means all eyes are on the network to take the lead.
"We used to say, 'OK, everybody. You have to use this operating system. And since you're using that operating system, I dictate you have to use this security software on it.' Those days are over in the Internet of Things," Pescatore says. "It puts more of a premium on what security you can do from the network when you can't put anything on the endpoint."
Visibility and management challenges
You need to know what's on your network in order to secure it. It sounds simple enough, but for many IT departments, finding and shutting down rogue devices is an endless game of whack-a-mole. The Internet of Things dials that up a notch, as many vulnerability management systems that can identify "Bob's iPad" or "Carol's Dell laptop" can't recognize a network-connected air conditioner or door lock.
"The first problem anybody has to solve in the Internet of Things is being able to discover those devices," Pescatore says.
He recently spoke with the chief information security officer of a New England college who discovered 300 rogue devices in a building the college just moved into. His vulnerability scanning software couldn't identify the endpoints. His team tracked them down manually and discovered they were mostly Internet-connected devices like temperature sensors and video cameras left by the previous tenant.
"The unfortunate reality is most of what's being done today, sort of like the early days of Wi-Fi, is a lot of 'don't ask, don't tell.' Like, 'Oh, God. If I start looking, I'll find this stuff and have to do something about it,'" Pescatore says. "Enterprises that have gone the furthest in doing BYOD securely are actually in the best shape for the Internet of Things because most of them put in some form of network access control so they can detect when something connects to their network."
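The discovery problem Pescatore describes, as an added example (not code from the article or from any vendor in it): diff what the network actually sees against the managed-asset inventory a vulnerability scanner already knows, and flag everything else. The neighbor table, the inventory and the vendor-prefix table are all constructed sample data; the locally administered `02:` prefixes are hypothetical, not real vendor OUIs.

```python
import re

# Endpoints the scanner already identifies (constructed sample inventory).
KNOWN_ASSETS = {
    "02:aa:01:00:00:01": "Bob's iPad",
    "02:aa:02:00:00:02": "Carol's Dell laptop",
}

# First three octets -> device class, for the kind of gear the college found.
# Hypothetical prefixes; a real deployment would use the IEEE OUI registry.
IOT_OUIS = {
    "02:bb:01": "temperature sensor (hypothetical vendor)",
    "02:bb:02": "IP camera (hypothetical vendor)",
}

# Constructed `ip neigh`-style output; the last row never resolved a MAC.
SAMPLE_NEIGH = """\
10.20.0.11 dev eth0 lladdr 02:aa:01:00:00:01 REACHABLE
10.20.0.12 dev eth0 lladdr 02:aa:02:00:00:02 STALE
10.20.0.57 dev eth0 lladdr 02:bb:01:5a:6b:7c REACHABLE
10.20.0.58 dev eth0 lladdr 02:bb:01:5a:6b:7d REACHABLE
10.20.0.90 dev eth0 lladdr 02:cc:99:11:22:33 STALE
10.20.0.91 dev eth0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})\s+(\w+)$", re.I)


def parse_neigh(text):
    """Yield (ip, mac) for resolved rows; FAILED/INCOMPLETE rows carry no MAC."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3).lower()


def classify(mac):
    """Managed asset, recognisable IoT gear, or completely unknown."""
    if mac in KNOWN_ASSETS:
        return "managed", KNOWN_ASSETS[mac]
    vendor = IOT_OUIS.get(mac[:8])
    return ("unmanaged-iot", vendor) if vendor else ("unknown", None)


def find_unmanaged(text):
    """Every resolved neighbor that is not in the inventory, in table order."""
    findings = []
    for ip, mac in parse_neigh(text):
        status, label = classify(mac)
        if status != "managed":
            findings.append({"ip": ip, "mac": mac, "status": status, "label": label})
    return findings


if __name__ == "__main__":
    for f in find_unmanaged(SAMPLE_NEIGH):
        print(f"{f['ip']:<12} {f['mac']}  {f['status']:<14} {f['label'] or '-'}")
```

A MAC-prefix pass like this is only a first cut; the network access control Pescatore mentions is what turns "something connected" into an enforced decision at the moment of connection.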
Compounding this lack of visibility is another problem: fragmentation among IoT device manufacturers themselves.
George Stefanick, a wireless network architect at Houston Methodist Hospital, is intrigued by the possibilities of using IoT in healthcare. His team is conducting a proof of concept with a mobile app that would use Bluetooth beacons and Wi-Fi to recognize when a patient arrives at the hospital, check him into an appointment and provide navigation within the building to his doctor's office.
Although setting up the network to support the initiative has its challenges, it's still familiar territory for Stefanick. The bigger hurdle is evaluating and managing the various IoT platforms that run on top of it.
"I can't have 10 different widgets from 10 different [IoT device] vendors, but right now that's what we're seeing," he says. "We really want to have that one pane of glass."
Unlike the market for PC and smartphone operating systems, IoT platforms are not expected to consolidate. The result: It becomes far more difficult to employ a uniform approach to security, says Phenix Energy's Perrin.
"Every vendor has a proprietary communications methodology, and in order to operate with other companies' components, they have to open up some portion of their functionality to communicate with another device," Perrin says. "That creates significant vulnerabilities because every time you open a port in something, you create a doorway through which the bad guys can walk."
Del Papa's Holtsclaw runs an enterprise IoT environment based primarily on equipment from Cisco, but he shares similar concerns about the industry at large.
"You've got all these devices and they're on multitudes of platforms -- Linux, Unix, Windows, Android, iOS -- and they're all speaking with a different type of communications [protocol]," he says. "How do you control all that? How do you manage it? How do you secure it?"
Tackling IoT security via the network
IoT introduces new challenges, but many classic best practices in network security -- segmentation, zone-based policies and shutting down stray ports -- still apply. Additional measures depend on an organization's risk tolerance and the culture of the IT department. Enterprises that are managing IoT environments today tackle the threats from various angles, ranging from a focus on authentication standards to a strategy of total lockdown to the use of third-party network appliances.
At Houston Methodist, Stefanick has found inconsistent support among IoT vendors for 802.1X, the enterprise-grade network access control standard used for Wi-Fi authentication, which relies on the Extensible Authentication Protocol (EAP). As a wireless engineer, he struggles to find IoT devices that support 802.1X.
"When you look at these Internet of Things devices that are coming in, from what we've seen so far, they've all been using pre-shared keys," Stefanick says. "We've actually had to create test networks for a proof of concept in a manner that isn't as secure. Our feedback has been, 'Hey, we're not likely going to purchase this until you get more secure, and we need EAP authentication in order to do that.'"
IoT device manufacturers need to be transparent with enterprises about how their products interact with the network, he says.
Perrin is taking a similarly cautious approach at Phenix Energy after seeing vendors hawk so-called enterprise devices with consumer-grade security capabilities. And, like Stefanick, Perrin also avoids anything cloud-based to maintain tighter control.
Beyond that, Phenix is at the more aggressive end of the spectrum. Its office and data center in Honduras is connected via a 10 Gbps private fiber backbone to a redundant site in Palm Harbor. There are only two ports open in the Honduras office: one for telephony and another for Internet-based business activities. Perrin also blocks all traffic originating from countries with high rates of phishing activity, such as Brazil.
"We're effectively cut off, and we've had companies come in and say, 'Well, the only way we can work with you is if you open a port for us,' and we tell them, 'Thank you for coming by and don't bother us again,'" he says. "We won't open a port for them because we can't take that risk."
Perrin also won't use copper cabling along the pipeline where industrial equipment and IoT devices reside.
"We use fiber because you can't breach it without actually cutting it," he says. "And a cut, of course, immediately tells our system and Internet of Things devices that something's happened that's not supposed to, and it immediately shuts off data flow across that avenue and on one of our redundant fiber links."
At Del Papa, network-connected sensors monitor lighting, inventory and temperature -- lowering electricity costs and ensuring that the beer is well stocked and chilled properly. Sensors on the racks in the warehouse detect if inventory is low somewhere, which triggers an email alert to restock. Other sensors in the company's trucks can be configured to report if an employee is driving over the speed limit.
With so many critical operations on the line, Holtsclaw says security remains a huge concern. He is currently testing an IoT gateway from Dell and Intel, which functions as a single point of access between his IoT devices and the Internet.
"It keeps external traffic from coming into those devices that sit directly on your network and talk back to that gateway," Holtsclaw says. "I really see that being a key player on the security side of IoT."