Our position paper, “Governments Must Promote Network-Level IoT Security at Scale," details how network-level security at scale must complement embedded IoT device security. This overview provides a high-level view of the information covered in the paper, which you can download below.
Many governments globally are concerned about IoT security, particularly as more IoT devices are rolling out across critical sectors of their economies and as cyberattacks that leverage IoT devices make headlines. In response, many officials are exploring regulations or codes of practice aimed at improving IoT security. However, these levers have largely focused on consumer devices and on measures that device manufacturers should take when building or maintaining devices, as well as device certifications or labeling schemes. This includes promotion of the ETSI Technical Committee on Cybersecurity’s ETSI EN 303 645 (issued in 2020), a standard for cybersecurity in IoT that establishes a security baseline for internet-connected consumer products.
We applaud the intention of government initiatives that aim to address IoT security, particularly as IoT device use becomes more prevalent among all business sectors and governments while cyberthreats grow. The Palo Alto Networks 2020 IoT Threat Report details how high-profile, IoT-focused cyberattacks are forcing industries to recognize and manage IoT risks to protect their core business operations. The Covid-19 pandemic has exacerbated the IoT security challenges: homes are seeing new corporate-issued IoT devices beyond laptops and smartphones, and highly sensitive work that was usually done only on corporate campuses or government networks is now happening at home.
While policymakers focus on steps that device manufacturers should take, they also need policies that promote network-level security at scale, detecting and stopping anomalous behavior by IoT devices, using automation and machine learning. Network-level security addresses IoT security regardless of the type of device or its end-use, which is particularly key given that attacks on “consumer” IoT devices can have ramifications in businesses and throughout economies. This approach can create resilient networks ready-made for IoT and can be leveraged across businesses, governments and homes.
Limitations to Security Controls in Devices
Embedded device security is very important, but by itself is insufficient.
Security Limitations with IoT Devices: It is impossible to embed security in certain IoT devices. Some devices, such as thermostats and smart lighting hardware, do not have sufficient storage or processing power to support logging or the cryptographic capabilities needed to protect the sensitive information they process. Many IoT devices are low cost, with no security embedded, making them easy entry points for adversaries. In fact, the billions of already-deployed legacy devices are a challenge in themselves: they cannot be retroactively designed for security (or certified/labeled).
Threats and Risks in Manufacturer Supply Chains: Even if an IoT device is built securely, weaknesses inserted into devices via a manufacturer’s supply chain might not be visible when the device is shipped.
Security Challenges from Real-World Deployments: Variables in real-world deployments can lead to different risk profiles. The same IoT device may be used in different environments, such as an IoT sensor used in monitoring agricultural activity and for vehicle tracking in the transportation industry. Some IoT devices can also be used in both consumer and industrial settings. An IoT device also can have different functions in the same setting. IoT devices may be unattended, such as some used in power grids. Finally, sometimes IoT devices are purchased by different teams in an organization, resulting in a non-centralized device repository. In healthcare organizations, devices may be purchased by bio-medical teams without the knowledge of the network security team.
Network-Level IoT Security at Scale Must Complement Embedded Measures in Devices
Relying solely on the security controls embedded in devices may bring a false sense of security, as it is only half of the answer. Organizations also must deploy network-level IoT security that is based on a Zero Trust approach to security.
Visibility and Dynamic Identification of Devices: Any organization needs visibility (a full inventory) of IoT devices on its network at any given time. This allows understanding of the “attack surface” and important interdependencies: where IoT devices are, which applications they are using, and how devices are interconnected. Once visible, IoT devices must be identified and assessed for risk when they connect to the network. Overall, device visibility and identification can eliminate critical blind spots that attackers could otherwise access to infiltrate a network or IoT device.
Continuous Device and Risk Monitoring: Once visible, devices must be continuously monitored for anomalous behavior and threats. Because IoT devices are designed for a fixed set of functionalities, their intended pattern of behavior is often predictable (e.g., actions of printers differ from those of medical devices or industrial sensors). Continuous monitoring shows what a device should and should not be doing, enabling detection of abnormal behaviors (e.g., a medical imaging machine should not be streaming videos on YouTube).
Security Policy Enforcement: Finally, visibility into devices and risks, combined with continuous monitoring, allows organizations to define security policies and take enforcement actions vis-a-vis their IoT devices in real time to prevent cyberattacks and react to anomalous behavior. This includes network segmentation, which creates “least access” zones for IoT devices by their function, so that a particular device type can only communicate with the network resources it needs. This reduces risk and helps limit lateral movement of threats in case an IoT device zone gets compromised. Quarantining (disabling or taking offline) an IoT device that has been infected or breached is another enforcement action.
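The three steps above (inventory, behavioral baselining, zone-based enforcement with quarantine) can be sketched as a small policy engine. This is an added illustration, not code from the paper or from any Palo Alto Networks product; the device names, zones, destinations and flow records are constructed, and the "two strikes then quarantine" escalation is an assumed threshold.

```python
from collections import defaultdict

# Constructed inventory from device discovery: device id -> (device type, least-access zone).
INVENTORY = {
    "mri-01": ("medical_imaging", "imaging-zone"),
    "printer-7": ("printer", "office-zone"),
    "hvac-3": ("hvac_sensor", "facilities-zone"),
}

# Constructed flows observed during a learning window: (device id, destination, port).
BASELINE = [
    ("mri-01", "pacs.internal", 104), ("mri-01", "pacs.internal", 443),
    ("printer-7", "printserver.internal", 631),
    ("hvac-3", "bms.internal", 47808),
]

# Segmentation policy: each zone may only reach the resources its function requires (constructed).
ZONE_ALLOW = {
    "imaging-zone": {"pacs.internal"},
    "office-zone": {"printserver.internal"},
    "facilities-zone": {"bms.internal"},
}

def learn_profiles(inventory, flows):
    """Per device *type*, record the (destination, port) pairs seen during the baseline window."""
    profiles = defaultdict(set)
    for dev, dst, port in flows:
        profiles[inventory[dev][0]].add((dst, port))
    return profiles

def evaluate_flow(inventory, profiles, flow):
    """Classify one new flow and return (verdict, enforcement action)."""
    dev, dst, port = flow
    if dev not in inventory:                      # a blind spot: device was never discovered
        return "unknown_device", "quarantine"
    dtype, zone = inventory[dev]
    if dst not in ZONE_ALLOW[zone]:               # outside its least-access zone
        return "segmentation_violation", "deny"
    if (dst, port) not in profiles[dtype]:        # inside the zone, but not expected behavior
        return "anomalous_behavior", "alert"
    return "expected", "allow"

def monitor(inventory, profiles, flows, threshold=2):
    """Evaluate a stream of flows; a device with repeated violations is quarantined (assumed policy)."""
    strikes, results = defaultdict(int), []
    for flow in flows:
        verdict, action = evaluate_flow(inventory, profiles, flow)
        if action in ("deny", "alert"):
            strikes[flow[0]] += 1
            if strikes[flow[0]] >= threshold:
                action = "quarantine"
        results.append((flow, verdict, action))
    return results
```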
Prevention and workflow automation are also necessary. Preventing threats (both known and unknown/zero-day threats) is crucial. Response to and recovery from incidents are important, but by then the damage is done. Prevention also reduces alerts for already fatigued security operations center (SOC) teams. Automation of workflows is essential across device discovery, risk monitoring, enforcement and threat prevention to stay ahead of increasingly advanced and sophisticated attackers. Automation must replace manual responses, which are time-consuming, costly and cannot scale against automated attacks.
Machine Learning (ML) Must Underpin Network-Level IoT Security
Recent advancements in ML have made it an essential approach for cybersecurity in the IoT context. In general, ML models leverage an extensive, data-driven understanding of any given IoT device’s expected behavior and usage on a network to efficiently achieve real-time visibility and dynamic identification of devices, continuous device and risk monitoring and enforcement. The predictable patterns of IoT device behavior enable ML to easily learn patterns. And unlike humans, ML can pick up patterns at scale, in real time. This means ML and artificial intelligence (AI) can automate device identification, proactively detect malicious deviations in IoT devices’ patterns of functionality, and automatically prevent attacks. Importantly, ML can help with identifying never-seen-before devices, such as those new to the market.
Network-Level IoT Security Should Leverage the Cloud
Finally, network-level IoT security should leverage the cloud for two reasons. First, many organizations around the world are extending their networks to hybrid (public/private) cloud models, including the networks to which IoT/IoMT/IIoT devices attach. Thus, securing these networks should be done in the cloud. Second, cloud security solutions enable updated controls to be delivered at the speed of innovation and can scale up and down with the computational demands of countering sophisticated, automated cyberattacks.
Government Policies Must Promote Network-Level IoT Security at Scale
Governments are rightly concerned about the risks to IoT, especially given how pervasive IoT device use is throughout their economies. While many people equate IoT primarily with consumer uses, businesses in healthcare, transportation and many other sectors are deploying IoT, as are government agencies. IoT device usage has increased for these organizations as their employees have transitioned much of their work to their homes during the pandemic. In fact, many traditional consumer IoT devices, such as smart appliances and even consumer wearable devices, also are increasingly being connected to corporate networks. The utilization of the Internet of Medical Things (IoMT) in the healthcare market is growing rapidly. IoT is also widely deployed in industrial settings (industrial IoT or IIoT).
To promote secure use of IoT in all of these settings, government policies must promote network-level security practices (in addition to embedded device security). More specifically, governments must take the following approaches to promote effective network-level IoT security:
- Promote use of the cloud and cloud-based security throughout economies.
- Promote the adoption of automated approaches to cybersecurity, specifically those that leverage machine learning.
- Encourage their businesses, government agencies and citizens to take steps to have a full inventory of all IoT devices on their networks, continuously monitor those devices for anomalous behavior and threats, and take automated security policy enforcement actions vis-a-vis their IoT devices in real time to prevent cyberattacks and react to anomalous behavior.
Palo Alto Networks looks forward to contributing our expertise to policymakers’ efforts around the world to improve IoT security.