Cyber attacks and data breaches are on the rise. Deep Instinct reported that in 2020 malware increased by 358% overall and ransomware increased by 435% as compared with 2019. But it is the attacks on core systems and infrastructure such as SolarWinds, the Colonial Pipeline and the water system in Oldsmar, FL that have caused the most concern. Smart Cities with their interconnected “things” such as streetlights, cameras, Wi-Fi routers and traffic lights have the potential for chaos should hackers get inside and take control. They will pry and prod until they find a weak spot – it could be a single smart streetlight with a default password – but once in, they can jump from a device to a controller to a gateway to a central management system (CMS). At Dhyan we are experts in device monitoring and management, and in this blog post we give you a useful primer on IoT security and how you can make sure your city or campus is not the next cyber attack headline.

How to secure the IoT/Central Management System (CMS)

The attack surface of a software environment is the sum of the different points (or “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data into or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.
(Source: Wikipedia)

Keeping the attack surface as small as possible, having the various IoT components run with up-to-date versions by applying patches in a timely manner, and closing unwanted or unnecessary doors of access is one of the best ways of avoiding potential attacks.

The different components of an IoT deployment

• IoT system architecture is typically comprised of
  1. end devices
  2. gateways
  3. management server/CMS
  4. clients (PC/laptop browsers, mobile phones).
• End devices are those that are deployed in the field, and a typical deployment consists of thousands of these devices. They could range from smart streetlights to CCTV surveillance cameras to smart waste bins (any “thing” that has network connectivity).
• Gateways aggregate multiple such end devices and help them connect to the management server for bi-directional communication. Typical deployments have many gateways (1-20) to increase range and scale. The gateway could also be software hosted in the cloud.
• CMS (Central Management System) is the most critical component as it controls the entire infrastructure.
• Clients are typically mobile or browser-based applications that run on end-user devices (laptops, mobiles, etc.) from which the user interacts with the CMS.
• An attack can happen through any of these components, depending on their specific vulnerabilities.
• If one of the components get attacked, the entire network could get compromised, even beyond the IoT application itself.

What kinds of attack are possible?

Attackers may do one or more of the following and may demand a ransom:

• Hijack your devices and take control
• Cause an outage
• Steal sensitive information
• Encrypt your data, making it unusable and demanding a ransom to unlock it

Typical exploits (what holes to look for)

Most often, the security vulnerabilities are a result of poor IT practice. Attackers will first take aim at easy-to-exploit holes as below (it is truly amazing how many systems still have these vulnerabilities!). Let’s take a look at the easiest and most common options for the attackers. Even today, after all the publicity surrounding cyber security issues and attacks, many firmware, software subsystems and applications are still running with default passwords.

• Outdated software
• Weak, unprotected, guessable or default passwords
• Insecure network
• Poor security awareness (opening phishing emails etc.)
• Insecure communication mechanisms (between client and the CMS, devices and the CMS, CMS and any external application)
• No backup policies for databases and critical data
• Outdated software components (especially third-party libraries) in the CMS
• Outdated firmware versions in the devices
• Insecure firmware updates, bulk configuration mechanisms which could lead to potential service loss when unauthorized access is claimed

Security checklist. What to monitor on a continuous basis.

General

• Use SIEM (Security Information and Event Management) tools to actively monitor the network for intrusion/suspicious activity.
• Understand and catalogue your software’s many third-party libraries. Keeping them up to date will help you avoid being vulnerable.
• Get all the components’ “software bill of materials (SBOM)” that are used in your IoT deployment and periodically do an independent vulnerability scan.
• A cloud-based CMS is a must as it lessens the burden on you, putting the responsibility for CMS security firmly on the vendor.
• Go for applications that have been independently audited for security and are certified by a third-party security company.
• Some IoT deployments have outdated devices. Perform periodic vulnerability assessments and phase out those components for which necessary controls cannot be established.
• Isolate different applications in your organization so that compromise of one will not impact any others. Review these network policies periodically.
• Disable the services (and ports) you do not need to decrease the attack surface.
• You need to ensure that firewall rules are set up to allow access only by authorized applications.
• Implement two-factor/multi-factor authentication. For example, for critical operations (such as firmware upgrades), you can introduce two-factor authentication mechanisms in the CMS so that remote hackers cannot easily take down the network.
• Have a security incident response plan and work through various incident scenarios.

Client

Ensure the following:

• Good password practice. No default passwords!
• Client is a secure device which follows your organization’s IT policies.

CMS (Central Management System)

Ensure the following:

• Use the latest version.
• CMS is in a protected network.
• CMS is configured to use secure communication.
• Devices are identifiable from CMS, no rogue device present in the network
• Backup exists for critical data and the database
• Have proper whitelist/blacklist mechanisms to avoid allowing unwanted devices into the network
• If your CMS supports it, create text/email notifications for firmware non-compliance, rogue devices, any anomalous behavior etc. so that you are notified immediately in case of any adverse event
• Perform a periodic software audit to ensure that all the libraries are the latest version

A vendor-based cloud-hosted CMS will decrease customer vulnerability since the vendor takes the responsibility for keeping everything up-to-date and secure.                        

Devices and Gateways

Ensure the following:

• Software updates are done regularly
• Phase out/replace obsolete hardware
• Configure devices to use encrypted communication
• Ensure devices securely identify CMS servers/each other, use Certificates to protect from spoofing.
• Disable remote access (except for CMS to reach them).

If you keep this security checklist pinned to the wall (replacing the password post-it notes) you will be ahead of a whole swathe of cities around the world. And if you actually implement these policies, you have a good chance of keeping your city out of the headlines and at the bottom of the “paid ransom” list.