Why would your friendly, artificially intelligent helpers such as Alexa and Siri threaten the security of CERN, the European Organization for Nuclear Research? Because they belong to the Internet of Things (IoT), that’s why!
The IoT is made up of millions of internet-connected gizmos such as mobile devices, thermostats, refrigerators and cameras, as well as those popular artificially intelligent home assistants Alexa and Siri. IoT devices are everywhere – our homes, our cars, our offices, supermarkets, doctors’ offices, and even attached to our wrists – and they are only becoming more prevalent. Gartner Inc. forecasts that by 2020 the number will skyrocket to 20.4 billion.
The ubiquity of IoT devices represents a shift in cyber security to technology being managed, and consequently secured, by end users instead of corporate IT departments. Most consumers and manufacturers of IoT hardware, however, ignore or are unaware of the security issues, leaving millions of these internet-connected devices vulnerable to hackers. Today, the susceptibility to attack of IoT devices is very similar to the less secure world of PC operating systems back in the early 2000s. Sure, consumers are getting innovative products, but these products are being released without a comprehensive understanding of the security threats that impact them, and with a lack of adequate built-in safety protocols to defend against those threats.
Because IoT devices are designed to be interconnected, hacked IoT devices serve as a pathway to countless more devices, including PCs and servers. This creates a lot of opportunities for threat actors. For example, the Mirai botnet attack in 2016 resulted in the infection of more than 600,000 devices across 164 countries, as well as the (temporary) takedown of several major websites such as Twitter, Reddit, and Netflix. This was all made possible by the targeting of IP cameras that were operating with default settings.
In the age of IoT, securing CERN’s massive IT infrastructure – including our General Purpose Network that supports a daily average of 40,000 user-owned devices and the Worldwide LHC Computing Grid that connects thousands of remote researchers through more than 170 computing centers – has become increasingly difficult, though not impossible. My ongoing challenge is to keep this community collaborating in an atmosphere of academic freedom while ensuring that the organization’s experiments and CERN’s computers stay secure, especially given their exposure to countless IoT devices. Though from some vantage points the task may seem as tough as organizing an intergalactic space rebellion, we found that mitigating the threat of an IoT cyber attack is possible (and arguably easier than defeating an evil empire to save the galaxy).
At CERN, to aid in the management of incident response efforts in an environment rife with IoT hardware, we keep an inventory of all connected endpoints by obliging everyone to register their devices before connecting to the network. Without registration, no connectivity.
Cultivating a Culture of Individual Responsibility
We also strive to create a culture of individual responsibility for cyber security. Everyone is responsible for the security of their own devices at CERN. Of course, our IT department is available as a resource for anyone who needs help protecting their equipment by providing central, secured IT services, but our goal is to have people be personally aware and invested in their own cyber security and, subsequently, CERN’s.
We provide awareness training and dedicated courses on white hat hacking to empower people to detect vulnerabilities on their own devices and programs. We’ve found that people are motivated to secure their personal devices and protect their individual lives, and that this mentality carries over to the attention they devote to securing equipment at work too.
As an additional layer of depth to our defenses, we’ve segregated our network to give us the flexibility to isolate individual segments in the event of an attack. At their interconnections, we deeply monitor any network activity in real time. By running regular disconnection tests to ensure our laboratory can still operate even if certain portions of the network and their control systems have been taken offline, we know that we can safely and proactively isolate our accelerators and experiments from any threat.
Control System Security
Perhaps my most pressing concern in the age of IoT, however, is the prompt patching of control systems. All our accelerators and the majority of our experiments are built on top of an enormous number of interconnected control systems. Unfortunately, we’ve found that far too often the manufacturers of these components prioritize being first to market over security.
In many cases, we discovered that the security footprint on these devices was all but nonexistent. Control systems for electricity distribution and safety systems are industrial standard components for countless enterprises, and if they cannot be released to market with adequate security, patching on these systems whenever an improvement is implemented should be automatic and unscheduled, just like the operating systems on our laptops.
The lack of security in this new era of technology is a worldwide problem that could benefit from the collective efforts of the global cyber security community. IoT security issues are not unique to any one organization or even any one country; this is an international issue that demands an international effort to resolve.
We have an awesome opportunity to engage vendors and manufacturers in addressing the vulnerabilities of the IoT devices they take to market. Government-sponsored bug bounty premiums that encourage white hat hacking to identify security shortcomings, and incentives or sanctions placed on IoT device manufacturers to address those weaknesses, would be a huge step forward for the community. Given the increasing number of IoT attacks, there could even be a strong case for enforcement of these programs by law to ensure manufacturers aren’t jeopardizing the safety and privacy of their users with unsecured IoT devices.
Cyber security is often described as a cat and mouse game where attackers only need to be right once, and defenders need to be right all the time. This is why fostering more collaboration is critical to cyber security in the age of IoT. Encouraging more engagement with law enforcement, government, vendors, manufacturers, cyber security professionals and other stakeholders just means more "cats" on the frontlines, improving our defenses against malicious actors.
Perhaps more important is collaboration at home, within the environment being secured. To gain a holistic understanding of the environment, how it works and how best to architect a strong security posture for it in the age of IoT, talk to the people operating there. Once they’ve had a chance to speak, go back and talk to them once more, and then a third time again later. Get people together and have them talk to each other. Dedicate time to learn how everyone’s processes and practices impact one another and ultimately influence security. Every environment requires its own unique balance; the best way to find the balance at home is by collaborating with the people who shape and define it every single day.
Enterprise Security in the Age of IoT
As cyber security professionals, combatting the threat posed by less secure IoT devices may appear daunting, but it should never feel impossible. While IT departments may not be able to apply security directly to every device in an environment, rest easy knowing there are various security strategies that can be established in advance to help mitigate the impact of an IoT cyber attack – or even prevent one altogether.
Dr. Stefan Lüders is computer security officer at the European Organization for Nuclear Research, also known as CERN.