
IoT security: What you should know, what you can do

Copyright ©2017 CBS Interactive Inc. All rights reserved.


2 IOT SECURITY: WHAT YOU SHOULD KNOW, WHAT YOU CAN DO

IoT security: What you should know, what you can do

Copyright ©2017 by CBS Interactive Inc. All rights reserved.
TechRepublic and its logo are trademarks of CBS Interactive Inc. All other product names or services identified throughout this book are trademarks or registered trademarks of their respective companies. Reproduction of this publication in any form without prior written permission is forbidden.

Published by TechRepublic
February 2017

Disclaimer
The information contained herein has been obtained from sources believed to be reliable. CBS Interactive Inc. disclaims all warranties as to the accuracy, completeness, or adequacy of such information. CBS Interactive Inc. shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Credits
Editor in Chief: Jason Hiner
Managing Editor: Bill Detwiler
Feature Editors: Jody Gilbert, Mary Weilage
Editorial Assistant: Amy Talbott
Graphic Designer: Kimberly Kalisik

TechRepublic
9920 Corporate Campus Dr.
Suite 1000
Louisville, KY 40223
Online Customer Support:
http://techrepublic.custhelp.com/


Contents
04 The biggest IoT security threats facing the enterprise in 2017
08 There will soon be more IoT devices in the world than people; security risks abound
10 Why big data leaders should worry about IoT security
12 Operational technology must be addressed to secure industrial IoT
14 Privacy concerns about IoT devices won’t be assuaged soon
16 Three inexpensive steps to secure IoT
18 How to secure your IoT devices from botnets and other threats
21 Everything old is new again: IoT could unleash a flood of denial-of-service attacks
23 About TechRepublic


The biggest IoT security threats facing the enterprise in 2017
By Teena Maddox

In the past year, IoT security has escalated as a hot-button issue with multiple threats against the enterprise,
such as the Mirai botnet that took down Twitter, Amazon, and Netflix. What’s most alarming, though, is that
it’s likely only the beginning, as more companies deploy IoT sensors and devices across their networks.
According to Gartner, more than half of major new business processes and systems will include an IoT
component by 2020.

Predicting the future is never easy, but TechRepublic talked to IoT security experts to find out what to expect in
2017. Participants were Frank Gillett, Forrester analyst; Sanjay Beri, CEO of Netskope; Adnan Amjad, partner,
Deloitte Cyber Risk Services; Simon Moffatt, senior product manager, ForgeRock; Eve Maler, vice president of
innovation and emerging technology, ForgeRock; Javvad Malik, security advocate at AlienVault; Jason Collins,
vice president of IoT marketing at Nokia; David Campbell, chief security officer, SendGrid; Kirstin Simonson,
second vice president at Travelers Global Technology; Chip Witt, senior product manager, threat intelligence,
HPE Security Research, Hewlett Packard Enterprise; Kurt Collins, director of technology evangelism and
partnerships at Built.io; and Tom Kellermann, CEO of Strategic Cyber Ventures.

How serious is the IoT cybersecurity threat for the enterprise in 2017?
Frank Gillett: Forrester predicts a large-scale IoT security breach will occur in 2017. The biggest targets are
fleet management in transportation, security and surveillance applications in government, inventory and
warehouse management applications in retail, and industrial asset management in primary manufacturing.

Javvad Malik: In 2017, the IoT device security debate will escalate, putting pressure on manufacturers to
architect fundamental security principles into the designs of internet-connected products. We may even see
governments around the world take an active role in IoT safety legislation. Everyday appliances (e.g., the iron,
washing machine, and dryer) are subjected to rigorous testing, both by the manufacturer as well as
independent testing labs, but a similar approach is not being taken with respect to cybersecurity for IoT devices. As a
result, most are unsecure by design, and many vendors choose convenience (e.g., using default credentials in
their appliances) over implementing proper security measures—a flagrant violation of best practices in product
development.

Tom Kellermann: In 2017, I predict we’ll see at least two polymorphic worms targeting IoT that will spread in
the wild and be leveraged for widespread DDoS attacks. One of these will be developed by North Korea and it
will be used to punish the West via internet outages.

Jason Collins: There will be more and more IoT security breaches that will impact service acceptance. A
growing realization is that the network has a large role to play in security for IoT because devices will not be
able to handle the threat.


Adnan Amjad: In 2017, the continued rise in popularity of connected products results in an increase in
the number of back doors open to an adversary, and IoT devices will become a target for ransomware. For
manufacturers, building security in from the ground up and making it an integral component of the product—
as opposed to adding in security at the final stages of manufacturing—can help prevent security issues later
on in the product lifecycle. For businesses, develop your cybersecurity plan under the assumption that you will
be breached. Prioritize the things that you need to keep safe and embed security elements into everything,
beginning at the earliest stage of development.

Simon Moffatt: DDoS attacks and internet shutdowns powered by cheap, unsecure IoT devices will become
more common but become less lethal as backbone providers harden their defenses and device manufacturers
adopt identity-based security to close vulnerabilities. However, the sheer number of cheap and unsecure IoT
devices deployed globally will ensure DDoS attacks continue sporadically through 2017. Catastrophic DDoS
attacks might dominate tech media coverage, but the failure of IoT devices, service, and infrastructure to
adopt and scale robust security and privacy tactics will play out in several ways also through 2017.

Chip Witt: The security industry has been talking about the security challenges IoT devices present for a
few years, but 2017 will see attacks truly proliferate with the exponential adoption of connected devices
and their associated (lack of) security. IoT sensors, with their limited computing power are only as secure as
the firmware running on them, which means that their security posture depends on the readiness of device
manufacturers to quickly react to attacks when they happen. Successful attacks on IoT sensors are difficult to
detect because of the limited access to the device’s system state, insufficient computing power for endpoint
protection software to be installed on them, and lack of security compliance standards for IoT security best
practices.

Do you see more security intervention happening in the enterprise in 2017?
Sanjay Beri: 2017 is the year of the security intervention. The recent Dyn DDoS attack plus IoT plus cloud will
force board-level meetings on cybersecurity at most Fortune 500 companies. This will force a doubling down
on hiring and spending to quickly deal with enterprise blind spots.

David Campbell: DDoS mitigation will be center stage for internet-based companies in 2017. After the
widespread DDoS attack of hosting company OVH in 2016, in which 150,000 internet-connected devices
were leveraged for a 1 Tbps attack, companies are going to have to start getting on the defensive side of
DDoS mitigation. The Internet of Things is not going away, and without a way to regulate the resiliency of the
firmware that operates these devices, the best way companies can protect themselves is with a clear DDoS
mitigation strategy. It’s not a matter of if anymore, but when, so having a mitigation strategy and having a
relationship with a DDoS mitigation provider is table stakes for doing business on the internet in 2017.

Kurt Collins: In the next year we’ll start to see more security-oriented measures put in place for IoT, and
blockchain will play an integral role in that. One of the foundational premises of blockchain is to make sure that


certain records and requests are accurate, just like an accounting ledger. When it comes to IoT, that is perfect
because devices are widely distributed, sometimes calling back to the server and sometimes not. However, if
they don’t call back to the server, you want to make sure that the call any IoT device makes is actually the call
it is supposed to make. By using blockchain on top of IoT, companies can implement a ledger methodology to
any request that needs to be made to or from an IoT device and verify it is doing the right thing. Blockchain is
critical in this because it is very difficult to fool blockchain and it creates a method of transaction verification.

What impact do you think the General Data Protection Regulation (GDPR) to strengthen and unify data
protection in the European Union will have on security?
Beri: With the GDPR deadline fast approaching, we’ll see an increase in governance over unsanctioned apps
where risky activities are blocked. Since the GDPR was adopted in 2016, we are now within the two-year
countdown for compliance, which will provoke a sense of urgency for organizations in 2017. Compliance is
going to play a bigger role in the cloud as organizations become savvier to the apps people are using and
increasingly realize how much sensitive data they have in their environments. 2017 will be ransomware’s
biggest year yet because organizations aren’t inspecting for malware in the most commonly used apps. Malware
is hiding in plain sight as SSL traffic passes through uninspected (which is a huge issue in general for
enterprises).

Eve Maler: The most mature part of the IoT security and privacy technology stack comes from its web API
heritage, with protocols such as OAuth and OpenID Connect playing a key role. With the FCC tightening
privacy rules for broadband providers in the US, and the GDPR looming in the EU, the adoption of the OAuth-
based consent and delegation standard User-Managed Access (UMA) protocol is likely to accelerate.

What might happen in 2017 so that IoT device makers can provide additional security before rolling out
devices to a broader audience?
Gillett: New certifications will be born. Major vendors like Cisco, Microsoft, IBM, and others will invest heavily
in the form of low- or no-cost training and certifications. Meanwhile, Forrester expects that 10 industrial
vendors will jointly certify their IoT-enabled products with enterprise vendors, as Rockwell Automation has done
with Cisco.

Kirstin Simonson: Security standards are still evolving to accommodate the plethora of devices coming to
market without the necessary internal security features in place. For makers and manufacturers of these
connected devices, it is extremely important that consideration for the digital security of each device is
incorporated into the development protocols or methodology behind their production. In other words,
security should not be an afterthought of product development. As a reference point, the National Institute of
Standards and Technology (NIST) provides a comprehensive framework for businesses who design or develop


numerous types of devices, which provides information that is very relevant to this topic. There are also
other organizations that provide useful information for building security into the development methodology of
electronic devices.

Witt: While it is likely that more security features will be built into IoT devices in 2017, making IoT inherently
more secure, a large number of existing unsecure devices will be used as the platform to launch targeted
breaches and DDoS attacks. The trend will likely lead many companies to rethink the approach of
protecting their internet-facing services against the DDoS attacks. Organizations will need to ensure they are
implementing proper application security testing of connected devices and taking a data-centric approach that
protects the sensitive information throughout its lifecycle with proven encryption and tokenization techniques.

Jason Collins: Governments will start exploring moves to regulate the IoT. Security and privacy concerns
around IoT will create a situation where governments will push to regulate in a patchwork fashion. They will
move to push the regulations into the network where there are more reasonable controls than controlling the
end-user devices.

What impact do you think a new president will have on IoT security?
Beri: With the increase in high profile data breaches in 2016, such as the Yahoo data breach and DNC hacks,
the incoming administration will make cybersecurity a key focus. Particularly, the newly appointed federal CISO
will make cloud security and safe cloud enablement a priority, as it’s expected to be the biggest threat vector
for the government. Cloud adoption is only going to rise from here, and the federal CISO needs to be aware of
the threat shadow IT poses to the government.


There will soon be more IoT devices in the world than people; security risks abound
By Alison DeNisco

In 2017, 8.4 billion connected devices will be in use worldwide—up 31% from 2016, according to a recent
Gartner report. That means that the number of Internet of Things (IoT) devices on the globe will surpass the
number of people alive this year, with spending on IoT endpoints and services predicted to reach nearly $2
trillion.

IoT use is being driven by Greater China, North America, and Western Europe, according to Gartner, with
those three regions making up 67% of the overall IoT installed base this year.

The largest user of connected things? Consumers. This group is operating 5.2 billion connected devices this
year, representing 63% of the overall number of IoT applications in use. Enterprise users come in second and
are on track to use 3.1 billion connected things in 2017.

“Aside from automotive systems, the applications that will be most in use by consumers will be smart TVs
and digital set-top boxes, while smart electric meters and commercial security cameras will be most in use by
businesses,” said Peter Middleton, research director at Gartner, in a press release.

Among enterprise users, IoT devices made specifically for certain industries—such as manufacturing, utilities,
and healthcare—will be primary forces for the growth of connected things, with 1.6 billion such devices in use.

Manufacturing, transportation, and utilities top the list of industries that invested the most in IoT in 2016,
according to a recent IDC report.

This will likely change in 2018, Gartner predicts: At that point, cross-industry devices, including those for smart
buildings (such as LED lighting, HVAC systems, and physical security systems), will drive IoT connectivity
growth as these devices rise in popularity and drop in price. By 2020, there will be 4.4 billion cross-industry
devices in use, compared to 3.2 billion industry-specific devices.

Consumers may own more IoT devices, but businesses spend more, the report found. Enterprises will
represent 57% of overall IoT spending in 2017. Enterprises will spend an estimated $964 billion on connected
hardware this year, while consumers will spend $725 billion. However, by 2020, spending from both sectors
will hit nearly $3 trillion, according to Gartner.

Total IoT services spending—for professional, consumer, and connectivity services—is predicted to reach
$273 billion in 2017.


“Services are dominated by the professional IoT-operational technology category, in which providers assist
businesses in designing, implementing, and operating IoT systems,” said Denise Rueb, research director at
Gartner, in the press release. “However, connectivity services and consumer services will grow at a faster
pace. Consumer IoT services are newer and growing off a small base. Similarly, connectivity services are
growing robustly as costs drop and new applications emerge.”

With the number of IoT devices in homes and workplaces on the rise, security issues abound. The Mirai
botnet, which looks for vulnerable IoT devices and turns them into bots to use in cyberattacks, is of particular
concern. In October 2016, a DDoS attack on internet performance management company Dyn used the
Mirai botnet and left several websites without service for a day. Security experts predict a rise in IoT security
breaches in 2017, making it extremely important for manufacturers to ensure devices are secure and for
enterprise and consumer users to have security protocols in place.

The three big takeaways for TechRepublic readers


Some 8.4 billion Internet of Things (IoT) devices will be in use worldwide in 2017—up 31% from 2016,
according to a Gartner report released Tuesday.

Consumers are driving the use of connected things, with 5.2 billion connected devices in use this year,
compared to enterprise users, who have 3.1 billion connected things in use this year.

With spending on IoT endpoints and services predicted to reach $2 trillion this year, it’s of the utmost
importance that consumers and businesses ensure these devices are secure to avoid cyberattacks.


Why big data leaders should worry


about IoT security
By Mary Shacklett

A series of distributed denial-of-service (DDoS) attacks powered by the malware botnet Mirai on October
21, 2016, disabled Dyn, the domain name system provider for hundreds of major websites, including Netflix,
Twitter, and PayPal. The malware infected and spread through systems with the help of hacker-compromised
web-connected cameras and digital recorders in consumer households, and security experts expressed their
concerns about new threats from home electronics and the Internet of Things (IoT).

Big data leaders should take particular notice of this attack, because it highlights why security needs to be top
of mind when incorporating IoT into analytics projects.

Research firm Gartner has predicted that 26 billion IoT devices will be installed by 2020. These IoT devices
and sensors will be connected to freight containers, facility alarms, data centers, HVAC environmental
monitoring equipment, hospital operating rooms, etc., and companies will be expected to do something with
the information collected from these devices.

IoT applications that are already in the field include smart meters used by electric and gas utilities. Estimates
are that by 2020, there will be more than 900 million of these smart meters installed globally, with Asia
leading the transition to smart energy grids, followed by Europe and North America. The cost of installing
these smart meters is more than $100 billion, but the projected financial benefits will reach $160 billion. So the
return on investment (ROI) is there, but what else do companies have to worry about?

With smart meters, we’re looking at millions of devices with physical exposure and the ability to inject
software attacks from multiple points of entry. To a greater or lesser degree, this IoT exposure also applies to
manufacturing, logistics, and other companies operating IoT devices at the edges of enterprises, and even to
highly centralized companies where malware could leak in through an IoT HVAC or environmental monitoring
device.

More about IoT security attacks and vulnerabilities


In December 2015, 30 of 135 power substations in the Ukraine were taken out for nearly six hours by
a cybersecurity attack. Initially, hackers used malware to direct utilities’ industrial control computers to
disconnect the substations; then, they inserted a wiper virus that made the computers inoperable.

In September 2016, a botnet of compromised IoT devices, including around 150,000 CCTV cameras, was used
to attack the infrastructure of a French web hosting company. At one point, 1.1 Tbps were being dumped on
the firm’s networks.


“We’ve speculated about malicious use of IoT devices before, but this appears to be one of the first large
DDoS attacks that can be directly attributed to compromised IoT,” Ken Munro, a partner of Pen Test Partners,
told Internet of Business. “We find vulnerable IoT devices with huge installed bases every week. Just this
week we’ve privately disclosed to the vendor a remote code execution vulnerability on a domestic IoT device
with at least 300,000 units installed. That RCE could be used to trigger a large number of requests, leading
to DoS. That’s just one device type in just one country.... Hence, we don’t think the limits of IoT-derived DDoS
have been seen at all.”

What IoT security steps you can take


One problem facing companies that use or are considering using IoT with their big data plans is that there
currently is no consensus on how to implement security in IoT on a device. This lack of consensus is
an issue for standards committees to resolve, not for corporate IT to address. So what do you do if your
company is using or planning to use IoT? Follow these steps.

First, identify all your IoT exposure points for hacks and breaches and write and enact a plan for regularly
monitoring them. This monitoring should occur at two levels: regular physical inspections of devices and
continuous software-based monitoring and logging of emissions from these devices that are conducted
by a network-based system. If unusual activity from a device is detected at any time, there should be a
way to immediately shut down that device.

Second, if your plan is to immediately shut down a device if unusual activity is detected, you should also
have disaster recovery and failover procedures in place so your plant, environmental monitoring systems,
or any other IoT applications can keep running.

Third, meet with your liability insurance provider. As you implement IoT, you should anticipate increases
in liability insurance premiums in your budgeting, too. Your liability insurer doesn’t want to see data
breaches, compromises, and damages costs go up, either. Your insurer likely has a list of best practices
for clients that it can recommend and that can help you in your IoT planning and mitigation strategies.

Fourth, meet with your prospective IoT vendors about security. What security technology and best
practices come with their products? What security warranties and protections are they willing to provide?
In the case of a security breach, what levels of incident escalation and support do they offer?
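One way to implement the monitoring and shut-down decision from the steps above, as an added example that is not part of the original article: it learns a per-device baseline (known devices, the peers each one talks to, and its largest normal flow) from a learning window of constructed flow-log records, then flags unknown devices, new peers and volume spikes in later records and returns the list of devices to isolate. The device names, addresses, thresholds and the CSV log format are assumptions for illustration.

```python
"""Baseline-and-deviation monitor for IoT device network traffic.

Added example, not from the article. It assumes a flow log in which each
line is "timestamp,device_id,dst_ip,dst_port,bytes"; all records below are
constructed for illustration, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed learning-window records: what each device normally talks to.
BASELINE_LOG = """\
1000,meter-01,10.0.0.5,8883,512
1060,meter-01,10.0.0.5,8883,498
1120,meter-01,10.0.0.5,8883,530
1000,cam-07,10.0.0.9,443,20000
1060,cam-07,10.0.0.9,443,21000
1120,cam-07,10.0.0.9,443,19500
"""

# Constructed live records: one normal flow per device plus three deviations
# (a meter reaching a new external peer, a camera pushing a large volume to an
# unknown host, and a device missing from the inventory).
LIVE_LOG = """\
2000,meter-01,10.0.0.5,8883,505
2060,meter-01,203.0.113.44,23,60
2120,cam-07,10.0.0.9,443,20500
2180,cam-07,198.51.100.7,80,900000
2240,thermo-03,10.0.0.5,8883,400
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    device: str
    dst_ip: str
    dst_port: int
    nbytes: int


@dataclass
class Baseline:
    peers: set = field(default_factory=set)  # (dst_ip, dst_port) pairs seen
    max_bytes: int = 0                       # largest single flow seen


def parse_flows(text):
    """Parse the assumed CSV flow-log format, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, dst_ip, dst_port, nbytes = line.split(",")
        flows.append(Flow(int(ts), device, dst_ip, int(dst_port), int(nbytes)))
    return flows


def learn_baseline(flows):
    """Build the device inventory and each device's normal-behaviour profile."""
    baselines = defaultdict(Baseline)
    for f in flows:
        b = baselines[f.device]
        b.peers.add((f.dst_ip, f.dst_port))
        b.max_bytes = max(b.max_bytes, f.nbytes)
    return dict(baselines)


def detect(flows, baselines, volume_factor=10):
    """Return (ts, device, reason, detail) for every flow that deviates."""
    alerts = []
    for f in flows:
        b = baselines.get(f.device)
        if b is None:
            # A device absent from the inventory is itself a finding
            # (step one: know every exposure point).
            alerts.append((f.ts, f.device, "unknown-device", ""))
            continue
        if (f.dst_ip, f.dst_port) not in b.peers:
            alerts.append((f.ts, f.device, "new-peer", f"{f.dst_ip}:{f.dst_port}"))
        if f.nbytes > volume_factor * b.max_bytes:
            alerts.append((f.ts, f.device, "volume-spike", f"{f.nbytes} bytes"))
    return alerts


def devices_to_isolate(alerts):
    """Any deviation triggers isolation; failover (step two) must cover these."""
    return sorted({device for _, device, _, _ in alerts})


def run_monitor(baseline_log=BASELINE_LOG, live_log=LIVE_LOG):
    """Learn from the baseline window, then check the live window."""
    baselines = learn_baseline(parse_flows(baseline_log))
    alerts = detect(parse_flows(live_log), baselines)
    return alerts, devices_to_isolate(alerts)


if __name__ == "__main__":
    found, isolate = run_monitor()
    for ts, device, reason, detail in found:
        print(f"{ts} {device} {reason} {detail}")
    print("isolate:", isolate)
```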

The good news


IoT is still an infant technology in most companies’ big data plans. As your company evaluates where IoT best
fits in its operations and strategies, you should also plan for security, failover, and mitigation practices. You
have to—because the hackers will surely be out there.


Operational technology must be addressed to secure industrial IoT
By Conner Forrest

The key to properly securing the industrial Internet of Things (IoT) is a combined approach of IT and OT
(operational technology), according to Tom Le of GE Digital Wurldtech. Le spoke at last year’s Structure
Security conference in San Francisco, where he explained the different challenges facing industrial IoT.

The biggest difference between standard IoT and industrial IoT is that attacks on industrial IoT have a physical
impact if they’re followed through with. While traditional IoT attacks can put data and privacy at risk, Le said,
industrial IoT attacks pose a risk of human safety, environmental damage, and massive system disruption.

Le said that he considers endpoints in three tiers, relative to how much the devices are used. Standard end-
points like smartphones and laptops have pretty good security, he said, but the middle tier of smart appliances
and the low end of connected cameras and other devices have poor security today.

One of the big ideas around industrial IoT security is the concept of an air gap, which is the idea that the
industrial IoT system is secure because it is isolated from an unsecured network. Le said that this is a myth for
industrial systems, because they are exposed by “indirect connectivity.”

He also noted that we’re rushing to bring even more unsecured assets online, due to the promise of the
additional usefulness they may bring.

Another difference between standard and industrial IoT is the assets involved. Assets on the IT side, such as
phones, routers, and laptops, tend to be replaced every couple of years or can be easily updated.

On the OT side, however, the lifecycle can last sometimes as long as 40 years. And some have maintenance
cycles that last years as well. Many of these systems can’t be updated anymore. Le said that he’s aware of
thousands of Windows XP hosts that are still managing industrial systems, and updates are difficult for those
systems and require an additional cost.

This leads to an interesting truth, he said: “The threat of change is often greater than the threat of cyber,” when
it comes to industrial systems.

Many things that are taken for granted on the IT side of things can cause a major disruption within OT. One
example Le cited involved a company that had deployed a new printer. When it began to scan the network,
it disrupted many of the key OT systems there. A lot of these legacy industrial systems weren’t designed for
modern networks, Le said, and companies need to be aware of that when they begin securing them.

Along with both edge and cloud security, Le said, industrial companies need to look to the proper standards
that address industrial systems for their industrial IoT products. For example, GE is including cybersecurity


out of band for its industrial products. So a connected turbine or engine will come with an additional piece of
technology that protects it from malicious activity or misconfiguration.

The risks posed by industrial IoT are great, and Le said that what keeps him up at night is the threat of the
next big security event that has a physical effect. He gave the example of a German mill that had its blast
furnace taken over and controlled by hackers. Hopefully, modern security standards, and addressing both IT
and OT, can help prevent future attacks like that.

The three big takeaways for TechRepublic readers


GE’s Tom Le said that companies must address IT and OT to properly secure industrial IoT.

Industrial IoT’s risks are different from standard IoT, and they include environmental damage and risk to
human safety.

OT products often have longer life cycles and maintenance cycles than IT devices, and that needs to be
realized for proper security.


Privacy concerns about IoT devices won’t be assuaged soon
By Michael Kassner

Tech pundits have been warning that IoT devices are low-hanging fruit just waiting to be plundered by
cybercriminals. The Dyn DDoS attack on October 21, 2016, indicates that the pundits’ predictions are now fact.

In a blog post last December, researchers at the international law firm of Mason, Hayes, & Curran suggested
that is indeed the case. As evidence, they cited findings from a recently published report by the Global Privacy
Enforcement Network (GPEN). The researchers said:

“Earlier this year, the Global Privacy Enforcement Network (“GPEN”) published the results of its global privacy
review of ‘Internet of Things’ (“IoT”) devices. This annual review, dubbed the ‘Privacy Sweep’, found that many
companies failed to explain to users how their personal data is collected, stored and safeguarded via devices
that boast internet connectivity. GPEN found that companies demonstrating good privacy communication
practices were in the minority.”

To determine the lack of privacy, GPEN worked with 25 of the Data-Protection Authorities based in 39
jurisdictions around the world—including most EU countries and the US—to inspect more than 300 IoT
devices. They focused on what the IoT-device manufacturers communicated to their customers regarding
the customer data collected and the amount of privacy being guaranteed. The Mason, Hayes, & Curran post
added, “The aim of the review was to increase awareness of best practices and to encourage compliance with
privacy legislation.”

Conclusions from the privacy report


The 2016 GPEN Privacy Sweep report came up with the following conclusions:

68% failed to explain properly how information was stored.

72% failed to explain how customers could delete their information off the device.

59% failed to adequately explain to customers how their personal information would be collected, used
and disclosed.

38% failed to include easily located contact details should customers have privacy concerns.

John Rogers, senior investigations officer at the Office of the Data Protection Commissioner (DPC) in Ireland,
coordinated the Irish privacy sweep. The DPC inspected nine devices, from smart electricity meters to fitness
trackers. “There can be no doubt as to the benefits of modern technology in our everyday lives, but the
introduction of this technology must be done in a clear and transparent manner and not adversely impact
privacy rights. The findings of our sweep show that much more needs to be done to meet data protection


standards,” he said. “Companies making these devices must make it clear to consumers about how their
personal information is being collected, used, and how consumers may delete their information if they wish.”

The Mason, Hayes, & Curran blog post said that officials from the DPAs involved in the sweep are reviewing
their options going forward: “This may include action against the developers and suppliers who have been
found to be in breach of law. Concerns identified by the Privacy Sweep may result in enforcement action.”

Advice for IoT device developers


The Mason, Hayes, & Curran researchers said that regulatory bodies are increasing their focus on the
principles of data protection by design and default, particularly where “large amounts of personal data are
collected or used.” They suggested that IoT developers and manufacturers should:

Be transparent about how personal data is collected, used and disclosed.

Implement privacy policies and just-in-time notices to inform users and other individuals.

Design, optimize and adopt internal data protection policies and practices in line with these principles.

The reality of the situation


Sadly, there is a good chance nothing will be done to improve privacy with regard to IoT devices. Alasdair
Allan, in his Motherboard article Why the Internet of Things May Change How We View Privacy, said:

“Right now there is a poor understanding of how the Internet of Things will be paid for, and in the short term
companies are attempting to fill the gap using the business model they’re most comfortable with, the business
model that supports the other internet, the digital one. Increasingly the data we leave behind us is being
bought and sold.”


Three inexpensive steps to secure IoT


By Keith Townsend

The DDoS attack against Dyn gave us an opportunity to highlight a primary reason for organizations to secure
their systems against intruders. One of the common refrains I hear from IT managers is that their IT assets are
of little value. Manufacturers, for example, don’t believe their control systems are of any value to hackers, as
they don’t hold critical information and are easily reset to factory defaults if hacked. Hackers view such targets
as precious resources.

The attack against Dyn had a sustained rate of 620Gbps. The result was the outage of several web services
due to the inability to perform DNS resolution. According to security experts, the botnet was composed mainly
of compromised IoT devices. Unsecured IoT devices are a treasure trove for botnet operators. It’s the responsibility
of IT managers to ensure that these devices remain protected against botnet enlistment. IT security
vendors offer expensive protection products, but there are three simple steps to protect your enterprise IoT
against compromise—even if you have a limited budget.

1. Identify IoT devices


It’s common to consider only devices marketed as IoT in the past few years as targets for compromise.
Common IoT devices include security cameras, industrial lighting systems, and manufacturing controllers
managed by a web-based solution. An example is an IP-phone provided by a cloud-based PBX. However,
an IoT device is any nontraditional endpoint with an IP address. It’s these systems that may fall through the
cracks and become targets.

Some commonly overlooked IoT devices include multi-function printers, security scanners, and inventory
scanners. A high-level place to begin identifying nontraditional IoT devices is your IP addressing system. If
you have tight controls around IP addresses, the IP address inventory is a good place to start identification.
Administrators should audit their IP address system for unmanaged systems. Another IP address source is the
DHCP system.

2. Isolate the systems


Another best practice is to change default passwords and apply security updates to devices. In the case
of some of the devices compromised in the Dyn attack, updates or changing the default password isn’t an
option.

A potential security mitigation technique is to isolate the devices from the production network. There’s rarely a
good reason for unmanaged, or even managed, IoT devices to reside on the same logical network as end-user
devices and servers.

A solid approach is to create a VLAN specifically for IoT devices. By placing the devices in an isolated
network, administrators can apply layer 3 security policies to large swaths of the network. Layer 3 network
isolation allows the use of existing access control lists on routers and traditional firewalls to control the flow of
communication between IoT devices and the production network. This approach allows for mitigation of risk
associated with IoT devices attacking production systems, such as workstations and servers.

3. Limit internet access


Placing IoT devices into an isolated network also allows you to deny internet access by default. Botnet
operators want system resources that they can point toward targets on the internet. If the isolated
devices don’t have the ability to access the internet or to infect other devices with an internet connection,
administrators reduce the desirability of these devices to intruders.
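The three steps above in code, as an added example that is not part of the original article: an audit of a DHCP lease sample against a managed-asset list (step 1), and a generator for a default-deny nftables forward ruleset for the IoT VLAN that only admits listed flows and logs everything else (steps 2 and 3). The lease entries, MAC addresses, hostnames and subnets are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in ISC dhcpd lease syntax (not a real lease file).
SAMPLE_LEASES = """
lease 10.10.0.21 { hardware ethernet 00:11:22:33:44:55; client-hostname "cam-lobby"; }
lease 10.10.0.22 { hardware ethernet 00:11:22:33:44:66; client-hostname "printer-2f"; }
lease 10.10.0.23 { hardware ethernet AA:BB:CC:DD:EE:01; client-hostname "DESKTOP-A1"; }
lease 10.10.0.24 { hardware ethernet aa:bb:cc:dd:ee:02; }
"""
# Constructed inventory of endpoints IT actually manages (assumed CMDB export).
MANAGED_MACS = {"aa:bb:cc:dd:ee:01"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17})", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"')


def unmanaged_leases(leases_text, managed_macs):
    """Step 1: each lease whose MAC is absent from the managed inventory is a
    candidate nontraditional endpoint that needs a closer look."""
    found = []
    for m in LEASE_RE.finditer(leases_text):
        ip, body = m.group(1), m.group(2)
        mac = MAC_RE.search(body)
        if not mac:
            continue  # malformed entry: report nothing rather than guess
        mac = mac.group(1).lower()
        if mac in managed_macs:
            continue
        host = HOST_RE.search(body)
        found.append((ip, mac, host.group(1) if host else "<no hostname>"))
    return found


def iot_vlan_ruleset(iot_subnet, allowed_flows, mgmt_subnet=None):
    """Steps 2 and 3: forward-chain rules for the IoT VLAN. Only listed
    IoT-initiated flows (dst, proto, port) and an optional management subnet
    are accepted; production subnets and the internet fall to the logged drop."""
    iot = ipaddress.ip_network(iot_subnet)
    lines = [
        "table inet iot_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    if mgmt_subnet:
        lines.append(f"    ip saddr {ipaddress.ip_network(mgmt_subnet)} ip daddr {iot} accept")
    for dst, proto, port in allowed_flows:
        dst_net = ipaddress.ip_network(dst, strict=False)
        lines.append(f"    ip saddr {iot} ip daddr {dst_net} {proto} dport {port} accept")
    # Default deny for anything else leaving the VLAN, logged so drops are visible.
    lines.append(f'    ip saddr {iot} log prefix "iot-vlan-drop " counter drop')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

Calling `iot_vlan_ruleset("10.20.0.0/24", [("10.0.5.10", "tcp", 443)], mgmt_subnet="10.0.9.0/24")` yields a ruleset in which cameras on the IoT VLAN can reach only an internal recorder over HTTPS, a management subnet can reach the cameras, and everything else is dropped and logged.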


How to secure your IoT devices from botnets and other threats

By Scott Matteson

Challenges lie ahead in the IoT security arena. Gartner predicts that over the next two years, more than half of
IoT manufacturers won’t be able to contain weak authentication methods, which can pose a data risk. It
also estimated that, “by 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will
account for only 10% of IT security budgets.”

Appropriate tactics will be a key element in the security battle. A recent Forbes article covered the topic of IoT
security, advocating “strict regulatory standards,” the need to “enhance security while simplifying compliance,”
and implementing “an end-to-end approach that integrates both IT and operations technology (OT).”

Let’s look at some best practices to address the concepts of authentication, data privacy, and botnets.

Authentication
Devices that must authenticate against other systems (generally to access or transmit data) should be
configured to do so securely, such as with unique IDs and passwords. It may also be possible to use SSH keys
to give a device an identity that lets it authenticate against other systems. (Securing the keys themselves is
obviously a critical priority for this model to work.) Examples of IoT devices with this capability include
closed-circuit TV (CCTV) or DVR devices and satellite antenna equipment.

In other instances, device SSL certificates can be issued during the manufacturing process or added later to
establish device identity and to facilitate the authentication process. The concept of building security into the
device from the outset is important for IoT manufacturers to consider so that a careful evaluation of possible
vulnerabilities or flaws is factored into the design process. Among the IoT devices that can use SSL certificates
are the Amazon Web Services IoT Button, smart meters, and home energy management devices.

When it comes to device updates (software and firmware, for instance), authentication should be employed
where possible to ensure that devices can retrieve code only from approved systems, such as internal servers
or authorized devices.

Depending on your IoT devices, researching and implementing the capabilities above (if not already present)
would be a good first step in security.

Data privacy
IoT devices can use hardware-based trust anchors, also known as “roots of trust,” which utilize a trusted boot
process to ensure devices operate in a known secured state and that their contents remain private. It’s also
possible to defend against untrusted software attacks by isolating code in separate hardware regions so that it
can’t access secured resources.


Whether data is moving or at rest, it should be encrypted to protect the contents where possible.

IoT on-chip memories can protect data from being accessed or stolen by utilizing cryptography to encrypt or
decrypt information. Communication between IoT devices and other systems should be secured via encrypted
links using protocols like TLS (transport layer security), which is commonly used by web browsers, such as
when conducting financial transactions. TLS can prevent “man in the middle” attacks, whereby data in transit
is captured and analyzed for confidential material.

It’s also a good idea to isolate data so it’s available only to systems that need to access it. Using firewalled
networks with just the requisite systems is one example.

Botnets
Internet of Things devices can be at risk from botnets (also referred to as “thingbots”). A botnet is a privately
harnessed group of systems controlled via malware that has previously infected each device. Botnets are often
used to mount distributed denial-of-service (DDoS) attacks intended to incapacitate or cripple target systems,
for purposes of revenge, extortion, and calculated disruption.

One example is the Mirai botnet. It launched large DDoS attacks last year on Imperva, KrebsOnSecurity,
and Dyn (which affected Twitter, Spotify and other sites). Mirai source code was leaked publicly, and Imperva
researchers analyzed it to understand Mirai better. One of the results of the research was the development of
a scanner that can check whether devices on a network are infected by or vulnerable to Mirai malware. This
scanner, currently in beta mode, can be found here.

Let’s look at some recommendations for protecting IoT devices from threats posed by botnets.

For device owners: “Be careful of what you connect to the internet. Are you sure it needs to be exposed
to the entire world? If not, put it behind your router, and in the settings do not do port forwarding to it, or
limit its access... Change the default password that came with the device to a hard-to-guess one,” said Ben
Herzberg, security research manager at Imperva.

Travis Smith, senior security research engineer at Tripwire, said that updates on IoT devices can also pose a
security risk. “Most devices are running on some variant of Linux, which can be outdated and highly vulnerable
before the device is even released. Even if a vendor releases an update, there are no guidelines on how to
handle the update. Some vendors automatically install the update on the devices as it is released. However,
the majority of devices either never release any security updates or fail to notify the owner of the device about
the update. End-users need to be vigilant about finding out which devices they have installed and continually
check for updates from the vendors.”

For organizations: “Due to the increase in IoT devices, it’s easier for attackers to generate massive DDoS
attacks. Therefore, it is important to plan for such attacks and make sure that the attacking traffic is mitigated
in the cloud before it reaches your organization,” Herzberg said.


Tim Matthews, vice president of Imperva, said, “Securing IoT devices will require both better education of
consumers, and security by design on the part of manufacturers. Ideally, security companies and device
manufacturers would work together to create standards for credentials and access akin to a UL compliance
seal.”

The Internet of Things Security Foundation also seeks to address these concerns by providing best
practices, tips, and news updates to help companies and consumers stay abreast of security hazards. If
you own or administer IoT devices, I recommend visiting their page regularly to stay informed about new
developments in the IoT security landscape.


Everything old is new again: IoT could unleash a flood of denial-of-service attacks

By Dan Patterson

The hottest trend in cyberattacks is an archaic and simplistic hacker tool. Propelled by the rise of IoT, the
popularity of denial-of-service attacks rebounded in late 2016 and early 2017. Accompanying the rapid
acceleration of the IoT and connected device market, warn cybersecurity experts, will be a zombie botnet
swarm of network-crippling attacks.

Denial-of-service attacks are simple but effective weapons that bring down websites and services by flooding
networks with junk traffic from commandeered botnets. Digital fallout will often incapacitate the target and
ripple across the web to knock out unaffiliated but connected services and sites. “After an attack [clients] often
feel angry and violated,” said Matthew Prince, CEO of denial-of-service mitigation service CloudFlare in an
interview with TechRepublic. “A distributed denial-of-service (DDoS) attack is not a sophisticated attack. It’s
the functional equivalent of a caveman with a club. But a caveman with a club can do a lot of damage.”

“DDoS outages are causing companies to completely rethink their cybersecurity strategies,” said cyber-defense
strategist Terrence Gareau in a report by threat identification firm Nexusguard. Nexusguard examines
network data to identify threat vector trends like duration, source, and variation of denial-of-service attacks.
“Hackers’ preferences for botnets over reflection attacks are typical of cyclical behavior, where attackers will
switch to methods that have fallen out of popularity to test security teams with unexpected vectors.”

Image: Nexusguard


Denial-of-service attacks are a broad umbrella used to describe a number of technological sub-tactics.
Denial-of-service attacks are common and relatively easy to pull off because they simply crowdsource web IP
addresses. The hacker group Anonymous made DDoS attacks famous by championing a tool nicknamed the
Low Orbit Ion Cannon, which made denial-of-service accessible and easy. The downside, of course, is that all
cyberattacks are illegal, and unsophisticated DDoS attacks are easy for law enforcement to pursue.

The Nexusguard report shows that hackers are switching from DDoS to IoT botnet-based attacks like last
year’s devastating Mirai hack. “Distributed denial-of-service attacks fell more than 40 percent to 97,700 attacks
in the second quarter of the year,” Gareau said. According to the report, IoT attacks targeted at French
data provider OVH broke records for speed and size and were so severe that France broke into Nexusguard’s
Top 3 [cyberattack] victim countries.

“The preferred programming language for the Mirai botnet helped to better handle a massive number of nodes
compared to other typical languages for DDoS attacks,” Gareau said. “Researchers attribute the [DDoS]
attack dip and these massive attacks to hackers favoring Mirai-style botnets of hijacked connected devices,
demonstrating the power IoT has to threaten major organizations.”

Hackers are also diversifying attacks against large organizations in financial services, healthcare, and
government sectors. “Hackers favored blended attacks, which target four or more vectors, in attempts to
overload targeted monitoring, detection, and logging systems,” Gareau said.

To fend off attacks, experts like Prince, Gareau, and Cyberbit’s chief technology officer Oren Aspir agree
enterprise companies need to develop a response plan. “Attacks on an endpoint device will always leave
some sort of trail or evidence to analyze,” Aspir said. “Since the speed of detection is vital, analysts need tools
that will allow them to quickly detect behavior at the endpoint, validate the threat, and perform an automated
forensic investigation in real time on that endpoint.”

Aspir also suggested that companies prepare for DDoS and other hacks by reviewing previous attack metrics,
conducting vulnerability assessment and penetration testing exercises, and simulating attacks to help evaluate
team preparedness. “It’s important for organizations to build a baseline that consists of what ‘good behavior’
should look like on an endpoint. This allows for organizations to take unknown threats and validate them
quickly.”

Though IoT botnet denial-of-service attacks are relatively new, enterprise organizations have learned from
previous attacks and already shifted defense tactics. “Researchers predict the attention from recent botnet
attacks will cause companies to strengthen their cybersecurity... and ensure business continuity despite
supersized attacks,” Gareau said.


About TechRepublic
TechRepublic is a digital publication and online community that empowers the people of business and
technology. It provides analysis, tips, best practices, and case studies aimed at helping leaders make better
decisions about technology.

Resources
Subscribe to our free newsletters: Stay on top of business technology trends, learn about innovative new
products, and hone your skills with our how-to’s and tutorials.

Check out the TechRepublic discussion forums: Touch base with your peers and share tips, advice,
solutions, and opinions.

Catch the latest videos and photo galleries: Our video library offers interviews with entrepreneurs, IT pros,
and CXOs; short clips on the latest tech news; and overviews of emerging technologies. Our galleries offer a
look at everything from the hottest mobile devices to autonomous cars to the gadgets, tools, and accessories
that are headed your way.
