By Jessica Amado, Head of Cyber Research at Sepio
The Internet of Things (IoT) is becoming widely adopted across all industries, including critical infrastructure sectors such as healthcare, energy, telecommunications, and more. IoTs are valuable tools, boosting efficiency and productivity through big data and connectivity. However, the characteristics of IoTs mean they pose a cybersecurity risk – one that enterprises struggle to manage due to a gap in asset visibility.
The perfect target
In the first half of 2021, there were 1.5 billion attacks on IoTs – more than double the previous year. IoTs make the ideal target for several reasons. Primarily, these devices collect data – a lot of it – and for cybercriminals, data means money. Critical infrastructure, specifically healthcare, collects the most valuable data, with healthcare information selling for almost three times as much as personal information on the dark web. In some instances, the targeted IoT possesses the sought-after data; in others, the connectivity of IoTs means a device acts as a gateway to valuable data.
Similarly, their connectivity means IoTs provide an access point to more critical systems; the compromised IoT is not always the intended target, but their accessibility means they are easier to infiltrate. For critical infrastructure, IoTs (or rather, IIoTs and IoMTs) enable IT and OT convergence. As such, physical equipment is vulnerable to attacks originating in the IT domain, in which the consequences are much more severe.
See no evil
A lack of Layer 1 visibility means security teams struggle to see what devices are operating in the infrastructure. Research finds that 75% of enterprises are experiencing a widening visibility gap in their IoT devices – a challenge not eased by the fact that IoT security projects fell by 16% in 2021. In short, enterprises do not actually know what their IoT devices are, and with the increasing number of IoTs in use, this is a significant problem.
One such challenge associated with a lack of visibility is that enterprises do not know the components of their IoTs, since those components are manufactured by different vendors. Raspberry Pis, which many IoTs and IoMTs rely on for operability, go undetected by existing security solutions yet are highly vulnerable to exploitation. One of our healthcare clients, when using our HAC-1 solution, discovered that hundreds of Raspberry Pis were embedded within their critical IoMTs, none of which had been detected by their security tools.
Additionally, IoTs, being non-802.1x compliant, get authenticated by alternative protocols, such as MAB and MACsec – both of which rely on a device’s MAC address for authentication. However, MAC addresses are easily spoofed, and the gap in Layer 1 visibility means existing security solutions cannot differentiate between a legitimate and spoofed MAC address. Bad actors know this and exploit the vulnerability with rogue devices that impersonate legitimate IoTs by spoofing their MAC address.
Without complete visibility into their IoTs, enterprises lack the ability to properly enforce access policies and controls, such as Zero Trust and microsegmentation, a challenge that more than 60% of organizations face. Instead, access decisions are made based on incomplete or false (in the case of spoofed devices) information, unknowingly allowing vulnerable devices to operate on the same network segment as critical assets and providing rogue devices with access to the network.
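Because MAB trusts the MAC address alone, one indicator a defender can still check for is the same MAC holding live authentication sessions on two switch ports at once, which is what a cloned address looks like from the NAC side. The following is an added example written for this article, not Sepio's code or HAC-1 logic; the event records are constructed, and the field layout (timestamp, MAC, switch, port, Start/Stop) is an assumed simplification of RADIUS accounting data.

```python
from collections import defaultdict

# Constructed sample MAB accounting events, in chronological order.
# (timestamp, mac, switch, port, status) -- not output of any real NAC product.
SAMPLE_EVENTS = [
    ("2021-06-01T08:00:00", "b8:27:eb:12:34:56", "sw-icu-1", "Gi1/0/4", "Start"),
    ("2021-06-01T08:05:00", "00:1a:2b:aa:bb:cc", "sw-icu-1", "Gi1/0/7", "Start"),
    # Same MAC as the first session, on a different switch, while that session is still open.
    ("2021-06-01T08:20:00", "b8:27:eb:12:34:56", "sw-lab-2", "Gi1/0/12", "Start"),
    ("2021-06-01T09:00:00", "00:1a:2b:aa:bb:cc", "sw-icu-1", "Gi1/0/7", "Stop"),
    # A legitimate move: the earlier session was closed before the new one started.
    ("2021-06-01T09:10:00", "00:1a:2b:aa:bb:cc", "sw-icu-1", "Gi1/0/9", "Start"),
]


def find_duplicate_mac_sessions(events):
    """Return {mac: {(switch, port), ...}} for MACs with overlapping sessions on more than one port.

    A device that clones an authorized IoT's MAC passes MAB, but the NAC then sees that
    one address with two concurrent sessions. A device that simply moves ports produces a
    Stop before the next Start and is not flagged. Events must be in chronological order.
    """
    active = defaultdict(set)   # mac -> ports currently holding an open session
    flagged = defaultdict(set)  # mac -> every port involved in an overlap
    for _ts, mac, switch, port, status in events:
        mac = mac.lower()
        if status == "Start":
            active[mac].add((switch, port))
            if len(active[mac]) > 1:
                flagged[mac] |= set(active[mac])
        elif status == "Stop":
            active[mac].discard((switch, port))
    return dict(flagged)


if __name__ == "__main__":
    for mac, ports in find_duplicate_mac_sessions(SAMPLE_EVENTS).items():
        print(f"possible MAC clone: {mac} active on {sorted(ports)}")
```

The check only narrows the gap the article describes: a spoofing device that waits for the legitimate IoT to go offline produces no overlap, which is why the author argues for Layer 1 identification rather than MAC-based trust.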
Know your IoTs
The reliance on IoTs by critical infrastructure means there needs to be comprehensive and efficacious policy enforcement and security controls. Meeting such requirements starts with visibility – you can’t protect what you don’t know exists. Sepio’s HAC-1 solution provides a panacea to the gap in asset visibility by covering Layer 1, the physical layer. HAC-1 goes deeper than any other security solution, gathering Layer 1 data to bring complete visibility of all hardware assets, including IoTs. Every device gets detected for what it truly is, meaning vulnerable and malicious IoTs can no longer bypass security solutions and access controls. HAC-1’s Zero Trust Hardware Access approach enhances policy enforcement, ensuring that only authorized devices are granted access. The solution’s rogue device mitigation capability blocks unwanted, hidden, and rogue devices instantly, offering further protection against hardware-based threats.
Jessica Amado is Head of Cyber Research at Sepio, where she researches and covers multiple aspects of hardware-related cyber threats. She is a Regent’s University London graduate with First Class Honors in Global Business Management with Leadership and Management and holds an IDC Master’s in Government with a Specialization in Homeland Security and Counterterrorism.