Security’s Greatest Enemy: Endpoints Disguised as ‘Stuff’

When considering the security of the devices that make up the internet of things (IoT), all endpoints must be considered in the risk equation. For years the standard model for non-traditional IT assets—such as printers, IoT, ICS, and anything connected to the network that is not directly managed by IT—is to be ignored by the IT and security functions. If this trend doesn’t change soon, everyone will be able to access whatever data they want with impunity, and any semblance of security and privacy will go out the window.

To set the stage, consider this: Despite government intervention to better secure critical infrastructure such as water and power plants, these systems have been notoriously insecure and often severely outdated. Even with efforts to protect these vulnerable systems, two researchers recently found a way to hypothetically deplete a town’s water supply by targeting less secure, and often ignored, connected devices that are not owned or managed by the target utility. The researchers, posing as attackers, gained control over a relatively small number of connected irrigation/sprinkler systems and demonstrated how they could remotely turn them all on at the same time for an extended period, effectively depleting the town’s water tower.

As IoT devices become more widespread, they open the door to cyberattacks that can lead to everything from interrupting normal operations to jeopardizing sensitive customer information, all of which are costly to the attacked entity. When this type of attack is taken to its full potential, it can cause lasting damage to revenue, reputation and careers, with some attacks bordering on harming human life.

Why Is This Such a Big Problem?

Enterprises across industries have been trying to adopt technology in a secure manner as it becomes available. Between the plunging cost of storage, constantly changing regulations and the incessant push to connect everything to the internet, organizations have been caught in a very awkward place. In a perfect world, the changeover from paper to digital would be a slow process that takes many years of incorporation, training and investment. In reality, the change from paper to digital has been forced, and has happened in a short time frame. This change has made security difficult for everyone. As systems grow evermore complex and difficult to maintain/manage, and the threat landscape and regulatory environment continue to change constantly, maintaining security and privacy has become a herculean task in the modern enterprise.

Here’s one example of an incident that could use unassuming IoT devices to enter a large office, manufacturing facility or any other space that uses industrial control systems to run HVAC, security, water, disaster, etc. While it may seem trivial, hackers could take control of a large number of network-connected devices—such as printers, IP cameras or poorly secured industrial control systems—and cause them to flood the network with traffic. This would make all systems inoperable, or at least incredibly slow, causing significant interruption in the organization’s ability to maintain operations. These forgotten devices can be used as the “launching pad” for a variety of more nefarious attacks, such as turning on fire sprinklers, cutting power, blasting HVAC and more.

There are three major categories of non-traditional endpoints (“traditional” meaning laptops, desktops, servers and the like) that organizations must consider from a security perspective. The oldest is ICSs, which are used to control HVAC, electricity and the like. Enterprise and consumer grade devices, such as printers and digital assistants, are the second and fastest-growing category. Finally, biomedical devices include everything from an insulin strip tester to an MRI machine, and while these may be less likely on the average corporate network, these are still widespread, vulnerable devices that can affect everyone who needs health care.

Industrial Control Systems

Industrial control systems were the first to adopt the idea of a computer-controlled system. Even industrial-grade systems—such as HVAC, electrical and water—were built long before any modern technology regulations were enforced, yet they are often filled with network-controllable devices called primary logic controllers (PLCs). PLCs are present in the form of valves, sensors and other small devices that are typically “dumb”—they do not have any computing power of their own and are completely controlled by a central control system, the industrial control system.

One of the biggest problems with industrial control systems is they are designed to last much longer than a typical connected device. Whereas a computer will have a four-year life cycle, it is common for a HVAC system with industrial control system controls to have a 10- or 20-year life cycle. If anyone plugged a 15-year-old PC into the network, alarms would be blaring and it would be removed promptly. All too often, years go by and organizations leave these industrial devices to their own … devices, which does not bode well for security.

The most important thing that organizations can do to deal with this issue is to know what industrial control system or related systems are connected to their network. One cannot secure what is not known. After this inventory is complete the next phase is to ensure these systems are not able to be easily attacked via the internet or internal network by segmenting them away from both onto a closed subnet.

Often-Overlooked Endpoints

This is by far the largest and most varied of the three categories of IoT, and includes everything from printers to connected coffee pots. In the last few years it has become common to find digital assistants, IP cameras, smart TVs and the like in droves on enterprise networks. These devices, such as the ICS example above, typically are designed to be easy to set up, not to be secure. Another similarity between ICS and endpoint devices is the process for improving their security posture: being aware of all devices on the network, implementing strong network segmentation and updating any devices that can be updated.

Beyond this, it’s crucial to educate both the users and the IT/IS staff on the fact that unapproved devices should never be connected to the intranet. Unfortunately, as evidenced by decades of user interactions, plenty of users still bring insecure personal devices and connect them to the network. This is why further enforcement measures are necessary in most cases, such as a policy stating that any unauthorized devices discovered on the network will be confiscated and inspected for sensitive data before they are returned to their owners. Finally, asset inventories are crucial to keeping these unauthorized devices off the network. If what is supposed to be online is known, then careful monitoring can keep any rogue devices off—or at least immediately notice these insecure devices and remove them quickly.

Biomedical Devices

It’s common knowledge that biomedical devices are some of the most difficult IoT devices to secure. In fact, the only difference between most of the biomedical devices connected to healthcare networks and other IoT categories is the price point. While an infusion pump or X-Ray machine costs significantly more than a connected coffee pot, they are generally about as secure and configurable as consumer-level devices. Medical device manufacturers want their devices to work as easily as possible, and if a device is locked down “out-of-the-box” it would also be more difficult to set up. To add to the list of challenges, many biomed devices are not owned or managed by the healthcare organization hosting them on their network. In many cases, this means that hospitals, for example, cannot perform updates, install security tools or even ensure their MRI and x-ray machines are securely configured.

For these devices, much like endpoint and ICS, the remediation steps are the same: Ensure that everything connected to the intranet is known, and that any device out of the organization’s complete control is on a separate network segment from any sensitive systems.

John Nye

Avatar photo

John Nye

John Nye is Senior Director, Cybersecurity Research and Communication at CynergisTek. He has spent nearly a decade in information security which includes time with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp, and KPMG LLP before joining CynergisTek. John has been working exclusively as a professional penetration tester for the last four years and has presented at numerous local conferences for developers and other IT professionals. Nye’s specialties include user education and risk management, penetration testing, information assurance, DIACAP, security auditing, policy compliance and writing, and security analysis. He holds a Bachelor of Science in Cybersecurity and is currently working towards his Master’s in Cybersecurity. His certifications include CISSP, Certified Penetration Tester and Certified Ethical Hacker.

john-nye has 1 posts and counting.See all posts by john-nye