Unsecured IoT Devices Increase the Risk of Attack on OT Systems

Internet of Things (IoT) devices provide significant value to organizations in a wide range of industries. If they’re not properly secured, however, they pose significant risk to mission-critical operational technology (OT) systems.

The Microsoft Defender for IoT research team recently investigated attacks on water utilities in the United Kingdom. The researchers found that the utilities were using routers that were intended for use by consumers. Attackers leveraged a remote code execution vulnerability in the routers to install the Mirai botnet. A patch for this vulnerability had been available for more than two years, but the update had not been applied.

In this case, the SCADA systems that monitor water quality were not breached. However, the vulnerable routers could have allowed the attackers to move laterally through the network and gain access to sensitive OT systems.

This is the conundrum posed by the IoT. Organizations are deploying IoT devices with the presumption that those devices are secure. However, many IoT devices weren’t really designed to be connected to the open Internet and have only the most rudimentary security controls.

Organizations should perform regular vulnerability assessments to find risky IoT devices. They should also develop and implement a security program that specifically addresses IoT risk.

IoT Devices Have Common Vulnerabilities

The OWASP Internet of Things Project has listed 10 of the most significant vulnerabilities found in IoT devices:

  • Insecure web interfaces, insecure cloud interfaces and insecure mobile interfaces do not lock out accounts after X number of failed login attempts, and may reveal account information when the wrong credentials are entered.

  • Insufficient authentication/authorization mechanisms may not require strong passwords, and may transmit credentials in clear text when password resets are requested.

  • Insecure network services expose ports to the Internet, and leave open unnecessary ports. This makes the devices susceptible to buffer overflow and denial of service (DoS) attacks.

  • Lack of transport encryption allows IoT data to be viewed in clear text as it travels across the Internet.

  • Privacy concerns are also related to unavailable or misconfigured encryption. Sensitive data is often collected and transmitted by IoT devices and may be exposed if not encrypted.

  • Insufficient security configurability limits the user’s ability to alter the device’s security controls such as setting password policies, logging security events and setting up event notifications.

  • Insecure software/firmware results when there is no mechanism for installing updates when vulnerabilities are discovered. Software/firmware may also be insecure if user credentials are hardcoded.

  • Poor physical security allows an attacker to disassemble the device or to access external ports or removable storage media.

Steps Organizations Should Take

Organizations should assume IoT devices are insecure and implement security controls in the early stages of an IoT initiative. The first step is to select devices with the strongest security controls, not consumer-grade products. Administrators should also change the default username and password on the device and encrypt data at rest in storage and in flight across the network.

It's critical that organizations have visibility into all the devices on the network. Often, IoT devices are installed by users and even vendors without the knowledge of IT. DeSeMa can help organizations discover these devices and perform continual audits that track every change. Asset inventories are always up-to-date and can be accessed through a web-based portal.

DeSeMa can then assess the potential threats posed by IoT devices in the environment. Our experts can help organizations reduce the attack surface by eliminating unnecessary network connections and implement controls to help prevent attacks.
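The checks described in this section can be expressed as a small audit over an asset inventory. The following is an added example, not DeSeMa's tooling or code from the original article. The inventory records, field names, port table and 30-day patch threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: field names, values and thresholds are assumptions.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}  # not exhaustive
MAX_PATCH_LAG_DAYS = 30          # assumed policy threshold
AUDIT_DATE = date(2023, 6, 1)    # fixed date so the sample output is reproducible

INVENTORY = [
    {"id": "rtr-01", "grade": "consumer", "approved": True, "default_creds": True,
     "open_ports": [23, 80, 443], "needed_ports": [443],
     "patch_released": date(2021, 1, 10), "patch_applied": None},
    {"id": "plc-gw-02", "grade": "industrial", "approved": True, "default_creds": False,
     "open_ports": [443], "needed_ports": [443],
     "patch_released": date(2023, 3, 1), "patch_applied": date(2023, 3, 9)},
    {"id": "cam-17", "grade": "consumer", "approved": False, "default_creds": False,
     "open_ports": [554, 8883], "needed_ports": [],
     "patch_released": None, "patch_applied": None},
]

def audit_device(dev, today):
    """Return a sorted list of finding codes for one inventory record."""
    findings = set()
    if not dev["approved"]:
        findings.add("unmanaged-device")      # installed without IT's knowledge
    if dev["grade"] == "consumer":
        findings.add("consumer-grade")
    if dev["default_creds"]:
        findings.add("default-credentials")
    for port in dev["open_ports"]:
        if port in CLEARTEXT_PORTS:           # data in flight is not encrypted
            findings.add(f"cleartext-service:{CLEARTEXT_PORTS[port]}")
        if port not in dev["needed_ports"]:   # unnecessary network exposure
            findings.add(f"unnecessary-port:{port}")
    released, applied = dev["patch_released"], dev["patch_applied"]
    if released and not applied:              # a fix exists but was never installed
        lag = (today - released).days
        if lag > MAX_PATCH_LAG_DAYS:
            findings.add(f"patch-overdue:{lag}d")
    return sorted(findings)

def audit(inventory, today):
    """Map device id -> findings, omitting devices with no findings."""
    report = {d["id"]: audit_device(d, today) for d in inventory}
    return {dev_id: f for dev_id, f in report.items() if f}

if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(dev_id, ", ".join(findings))
```

The constructed router record mirrors the situation described earlier in the article: a consumer-grade device with a fix that has been available for more than two years but never applied.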

Many organizations are racing to tap the operational benefits of the IoT, and to gain business insight from the vast amounts of data collected by IoT devices. However, security is critical to the success of any IoT initiative. Until IoT device security becomes more robust, organizations must ensure that the IoT does not leave them vulnerable to attack.
