Applying Strong Cyber Hygiene Security to IoT Endpoints
The Internet of Things, better known as IoT. You’ve heard of it, right? But do you know what it is? Simply put, it is the interconnection of things (or endpoints) over the Internet to send and receive data. Today, experts calculate that there are 31 billion things connected to the insecure Internet, and the number is growing exponentially. Did you know there are different types of IoT applications? The most commonly referenced application is Industrial IoT (IIoT), but there are also Commercial IoT, Consumer IoT, and Enterprise IoT (EIoT). Although this blog provides a holistic view of the components that make up the Internet of Things, the focus will be the endpoints, from the IoT gateway or computing edge up to the data center or cloud platform.
A fun trivia fact: Cisco coined the term “Fog Computing” back in 2011. Fog Computing is a paradigm that extends cloud services to the network edge (access layer). So how is Fog Computing different from cloud computing? It’s a matter of proximity. Fog Computing sits closer to users and to the highly concentrated connected endpoints that reside in company headquarters, on manufacturing floors, or in critical infrastructure at the municipal, state and federal levels. Fog Computing and edge computing are now synonymous. Today, endpoints can reside anywhere in the new Anywhere Workplace paradigm shift.
Here are examples of Industrial IoT applications:
- Energy includes electrical production and distribution.
- Utilities infrastructure includes water, sewage and waste management.
- Manufacturing comprises automated parts and assembly, energy efficiency, supply chain management and logistics.
- Oil and gas mining.
- Agriculture encompasses food production, irrigation and water management.
- Smart cities incorporate municipal infrastructure like roads, traffic controls, parking, and transportation. Transportation covers high-speed railways, buses, airports and airplanes, and smart automobiles.
- Building automation includes HVAC, access control, and safety and security.
Here are some of the Commercial IoT applications:
- Hospitality covers guest monitoring and customer service scoring.
- Healthcare encompasses telehealth or telemedicine applications for patient virtual care, wellness and prevention monitoring, and prescription fulfillment.
- Retail includes in-store shopping, ordering and payment, and shopper analytics and trends.
Here are the Consumer IoT applications:
- Hyperconnected endpoints comprising smartphones, tablets, laptops and desktops used for work and entertainment.
- Smart TVs that host applications for entertainment.
- Smart home automation comprises security alarms and smart assistants that perform routine tasks and services (Amazon Echo, Google Home, or Apple HomePod). It also includes smart lights, smart thermostats, and smart speakers that employ ambient intelligence: detecting occupancy to trigger lighting, adjusting heating and cooling for comfort and energy efficiency, and providing omnipresent sound experiences.
- Wearables include personal monitoring devices, medical alerting, the Apple Watch or Google Smartwatch, and augmented reality (AR) or virtual reality (VR) headsets.
- Home appliances like your coffee maker, washer, dryer, and refrigerator.
Here are some of the Enterprise IoT applications:
- Voice communications over IP (VoIP) phones.
- IP cameras for video conferencing.
- Smart printers.
- Location-based geofencing sensors that use near field communication (NFC), Bluetooth Low Energy (BLE), Wi-Fi, or cellular networks.
- Department of Defense (military) combat robotics, drones, and wearables like AR and VR.
There is certainly overlap and convergence among these different IoT applications, and conversely, some applications can be segmented into their own category, such as splitting military combat applications out from the Enterprise IoT umbrella. The nuances depend on the endpoints used and on the use case, which typically accomplishes repetitive, complex, or risky tasks by employing automation to remove manual workflows.
The common IoT architecture consists of these stages: sensors that collect measurement data and/or actuator valves are connected to gateway hosts; the gateways provide an uplink for the collected data, intermediary storage, message brokering (send and receive), and Human Machine Interfaces (HMI); the data is then transmitted to its final destination at the IoT central station, located in the corporate data center or on a cloud platform. IIoT HMIs normally run legacy operating systems like Windows 7 or 8, or outdated Linux distributions and applications that may contain vulnerabilities. Newer mobile HMIs run today’s modern operating systems like iOS, Android OS, Linux, macOS, or Windows IoT Enterprise LTSC. The central station provides long-term storage of raw data (data lakes) and classification of all the data using machine learning models for data intelligence and analytics (data warehouse).
Often mixed in with the raw endpoint data are sensitive personally identifiable information (PII) and critical security vulnerability information from all connected sensors, actuators, HMIs, and gateway hosts. The telemetry data can contain a list of security exploits that, to a potential threat actor, amounts to a map of the unpatched vulnerabilities present on these endpoints. Common Vulnerabilities and Exposures (CVE) listings for IoT ecosystem products are maintained by NIST in the National Vulnerability Database.
Other challenges include the mixture of legacy and modern endpoints that often co-exist within the same network access edge. These endpoints could be running any number of outdated hardware, operating systems and applications, leaving them vulnerable to sophisticated morphing and chained exploits: data and credential theft using phishing and pharming, malicious exploit kits including ransomware, and being unknowingly used to amplify distributed denial of service (DDoS) attacks. Shodan provides a search engine and network scanning service that indexes internet-connected IoT endpoints, so exposed devices are easy to find.
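A gateway-side hygiene check for the two concerns above, written as an added example (not Ivanti's or any product's code): it flags endpoints running the legacy HMI platforms the post names, and strips PII and CVE inventory out of telemetry before uplink, retaining that material only in the gateway's local store. The record field names and sample records are constructed for a hypothetical gateway host, and the CVE ids are placeholders.

```python
# Gateway-side telemetry hygiene check. Added example, not Ivanti's code; record
# field names are constructed for a hypothetical gateway host.
import re
from copy import deepcopy

PII_FIELDS = {"operator_name", "badge_id", "operator_email"}  # never uplinked
VULN_FIELDS = {"cve_inventory", "missing_patches"}            # the "exploit map"
LEGACY_OS = {("windows", "7"), ("windows", "8"), ("windows", "8.1")}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def classify_os(name, version):
    """'legacy' for the end-of-life HMI platforms the post names, else 'supported'."""
    return "legacy" if (name.lower(), str(version)) in LEGACY_OS else "supported"

def scrub_record(record):
    """Split a raw record into (outbound, findings): outbound is safe to uplink,
    findings holds the PII / CVE material kept only in the gateway's local store."""
    outbound = deepcopy(record)
    findings = {"endpoint_id": record["endpoint_id"]}
    for field in PII_FIELDS | VULN_FIELDS:
        if field in outbound:
            findings[field] = outbound.pop(field)
    # Free-text status fields sometimes echo CVE ids; mask those as well.
    for key, value in outbound.items():
        if isinstance(value, str) and CVE_RE.search(value):
            findings.setdefault("masked_cve_refs", []).extend(CVE_RE.findall(value))
            outbound[key] = CVE_RE.sub("[CVE-REDACTED]", value)
    findings["os_status"] = classify_os(record.get("os", ""), record.get("os_version", ""))
    return outbound, findings

def hygiene_report(records):
    """Count legacy endpoints and records that carried PII or CVE data."""
    report = {"total": 0, "legacy": 0, "pii_stripped": 0, "cve_stripped": 0}
    for rec in records:
        _, f = scrub_record(rec)
        report["total"] += 1
        report["legacy"] += f["os_status"] == "legacy"
        report["pii_stripped"] += any(k in f for k in PII_FIELDS)
        report["cve_stripped"] += any(k in f for k in VULN_FIELDS | {"masked_cve_refs"})
    return report

# Constructed sample telemetry; the CVE ids are placeholders, not real entries.
SAMPLE = [
    {"endpoint_id": "hmi-01", "os": "Windows", "os_version": "7", "temp_c": 61.2,
     "operator_name": "J. Doe", "cve_inventory": ["CVE-0000-0001"]},
    {"endpoint_id": "gw-02", "os": "Linux", "os_version": "5.10", "temp_c": 40.0,
     "status": "patch pending for CVE-0000-0002"},
    {"endpoint_id": "sensor-03", "os": "RTOS", "os_version": "3", "temp_c": 22.5},
]
```

Running `hygiene_report(SAMPLE)` gives the counts a gateway operator would want to see on a dashboard, while `scrub_record` produces the payload that actually leaves the edge.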
Then comes the secure transport of this telemetry data to the data center or cloud, using IPv6, private 4G/LTE or 5G Access Point Names (APN), low-power wide area networks (LPWAN) or satellite as the common media for long-range network communications. IPv6 implements IP security (IPsec) standards like packet authentication and payload encryption, although IPsec must be turned on because it is not enabled by default. 4G/LTE and 5G have their own set of security challenges in their protocols and trust model. A private APN that enables a secure mobile virtual private network (VPN), specifically IPsec, adds considerable security to the transmission of IoT data to the data center or cloud platform. A great blog that details the 5G security journey to the edge was recently published by my colleague, Russ Mohr.
The COVID pandemic has slowed the evolution and use of some sectors in the Industrial and Enterprise IoT applications because of shelter-in-place mandates, although Commercial and Consumer IoT applications have seen a dramatic spike in usage and growth because of the work-from-home shift.
In conclusion, Ivanti Neurons, MobileIron UEM, Threat Defense and Zero Sign-On, and Pulse Secure Connect and Pulse Zero Trust Access provide robust management and security tools: they discover and track valuable assets and data; provision and manage apps, content, identity certificates, MFA, and security policies and configurations (including enabling encryption, WPA3 Wi-Fi security, VPN, and threat defense); and then provide the secure transport mechanism from the edge endpoint to the corporate data center or cloud platform.
Remember to ask yourself - how are you applying strong cyber hygiene security to your IoT endpoints?