IoT Security: Sorting Through the Noise to Take Action

This post originally appeared on Iron Bow Technologies' Techsource page.

Editor’s Note: In honor of National Cyber Security Awareness Month (NCSAM) we are focusing our content on tips and best practices in the area of cyber security. This week, we are emphasizing the importance of protecting critical infrastructure and properly securing all devices that are connected to the Internet. We asked our partners at Palo Alto Networks to provide their thoughts on the topic. Isabelle Dumont, Director of Financial Services and Healthcare Initiatives, weighs in with her thoughts below: 

Many businesses are aggressively pursuing Internet of Things (IoT) initiatives with the goal of creating revenue-generating opportunities or turning today’s businesses into more profitable ones. From every corner of the economy you see connected devices disrupting the way we conduct business. In parallel, disturbing stories emerge on the lack of security around connected “things.” Here are a few in various sectors:

• Transportation/connected ships: “Shipping fleet exposed to hacking threats” [Chicago Tribune, April 2014]
• Healthcare/connected medical equipment: “It’s Insanely Easy to Hack Hospital Equipment” [Wired magazine, April 2014]
• Automotive/connected cars: “A Tesla-S driver was able to identify the operating system” running under the hood and installed Firefox [Softpedia, 2014]

First, when discussing the security of network-connected devices, it is important to distinguish between single or multi-purpose devices. Single-purpose devices typically collect a well-defined set of data that is sent back to a specific cloud application for storage, analysis and intelligence gathering – connected medical equipment and devices are a great example. On the other hand, multi-purpose devices connect to multiple servers and services hosted in some form of cloud – the extreme case being smartphones and tablets running any number of apps downloaded from app stores and used alternatively for personal and professional purposes.

The above distinction brings us to recommendations on how to best approach security:

• Single-purpose connected devices or equipment: Apply tight network segmentation and even isolation of the servers or cloud services these devices connect to. Because these are part of a single-purpose specialized network, it should be straightforward to identify and document the applications and the types of files or payload exchanged on the network. Using application-level segmentation is very effective; you can block all traffic except the few applications that are explicitly authorized on this specialized network, regardless of ports used. This approach significantly reduces the risk of malware intrusion and lateral movement and will enable you to perform much tighter inspection of the authorized applications.

• Multi-purpose connected devices or equipment: Key principles such as limiting the traffic on the network(s) to what’s legitimate and classifying all traffic are still applicable, as this will reduce the volume of unknowns and treated risks. Apply the same segmentation and tight control principles between the various cloud services as well. Additional policy rules will be required to flag suspicious application behavior and payload. An obvious one is to not allow the download of .exe files outside of well-codified exception. It might take several iterations to get to the most effective segmentation and related rules. Regardless, continuous monitoring and refinement of the security rules in such environment is a must.

In addition, for devices used for both professional and personal use, such as today’s laptop, tablets or smartphones, we recommend that you deploy on the device a means to apply to the device the same security policies as those applied inside your enterprise. A gateway solution can enable this and start monitoring devices as they connect to your enterprise to prevent any malware intrusion.

• Protecting the endpoint: Wherever applicable, we recommend adding advanced protection directly at the device level. For equipment based on the Windows platform, our advanced endpoint protection solution, aka “Traps,” is a great option given the high percentage of threats that are no longer detected by traditional anti-virus products. Traps is a revolutionary approach for threat prevention that works: Instead of using signatures to detect malware, Traps focuses on the few techniques that threats have to use to infiltrate a system, thus blocking the attack before it even takes its first step.

If you are interested in learning more about implementing the above recommendations, here are some suggested resources to visit:

• The benefits of application level visibility and control
• Upcoming webinar (Oct 22) on the topic of network segmentation
• Application-based network segmentation
• Advanced endpoint protection with Traps