Internet of Things (IoT) – Best Secured with Zero Trust

Publish Date : 04-02-2024
Author : Open-CISO

The world has more than 13 billion devices connected to the internet, a number expected to triple by 2025. In the Internet of Things (IoT), anything capable of connecting to the internet can be controlled remotely to render specific services. Examples of IoT devices include connected appliances and homes, security systems, autonomous factories, human-machine-interfacing manufacturing equipment, and connected cars, to name a few. For a malicious player in the game of IT security, that means 13 billion targets to explore; it is no wonder there is an attack every 39 seconds, and that producing 300,000 malware samples in a single day is good business, making exploitation of the Internet of Things highly lucrative. IoT embeds internet connectivity in computing devices, objects, people, or animals. Each thing has a unique identifier and can transfer data over a network. With the increasing connectivity of the Internet of Things come serious vulnerabilities, since attackers can use a weakly secured device to infiltrate the larger networks it joins. IoT security is the aspect of technology that focuses on protecting assets, data, and privacy, and on safeguarding the connected devices themselves. An IoT security market study by Grand View Research projected the value of the IoT security segment at USD 9,881.2 million by 2025. As the market continues to expand, all stakeholders, the users, the manufacturers, and the institutions, must prioritize the security of the Internet of Things.

Try to answer this question: how many people, or what resources, are required to secure approximately 30 billion IoT devices by 2025?

Zero Trust can be that answer.

Let us explore.

What are the attack surface areas in IoT systems?

The Open Web Application Security Project (OWASP) released a list of areas in IoT devices and systems that threat actors can exploit. Here's a synopsis:

  • Devices: Attacks can be initiated through different parts of a device, for instance the device memory, physical interface, web interface, firmware, and network services. Cybercriminals can also exploit outdated components, insecure default configurations, and insecure update mechanisms, among others.
  • Communication channels: Attacks can emanate from the channels that connect all IoT components. The protocols used in IoT systems can be vulnerable and affect the whole system. IoT systems are also prone to denial-of-service attacks and spoofing.
  • Application and software: Threat actors can exploit vulnerabilities in the software that runs on IoT devices and in web applications; for instance, they can steal users' credentials or push malicious code or firmware updates. Coupled with the attack surface areas mentioned above, manufacturers of connected devices and product designers are more concerned with releasing new products on time, so they fail to build security into their product design. In addition, IoT network security is more complex than conventional network security because it spans more communication protocols, a broader range of standards, and more varied device capabilities.

Notable IoT attacks

  • One of the largest botnets attacked Brian Krebs' website and OVH, a French web host, in September 2016. It also attacked the network of the domain name system (DNS) provider Dyn, shutting down services to Twitter, Amazon, Netflix, and the New York Times. The attack leveraged consumer IoT devices such as routers and IP cameras.
  • The United States Food and Drug Administration warned that the radio-frequency-enabled embedded systems in St. Jude Medical implantable cardiac devices, such as defibrillators, pacemakers, and resynchronization devices, could be prone to attacks and intrusions.
  • Trend Micro discovered the Mirai botnet downloader in July 2020. This botnet could adapt to new malware variants that enable the delivery of malicious payloads.
  • Verkada, a security camera startup, had 150,000 live camera feeds hacked by a group of Swiss hackers in March 2021. These cameras were deployed in prisons, schools, hospitals, and private companies such as Tesla.

The increasing number of IoT security frameworks

The ever-increasing popularity of wireless technologies, and now 5G networks, has led to growth in cyberattacks. To address this growing issue, the government is implementing regulations relating to privacy and data security. In addition, manufacturers are connecting consumer goods such as lights, toys, and other home appliances, which means these devices come with new forms of vulnerabilities; that is the reason regulations are being implemented to protect confidential data. Several regulations have been implemented to boost the security of connected devices and prevent misuse of data. In September, California passed a law that addressed IoT security; it mandated that manufacturers of IoT devices build security features into their products. The government also promulgated the IoT Cybersecurity Improvement Act of 2019 to improve IoT security best practices at the federal level. The act bars default passwords on connected devices sold to the United States government and provides a system for patching known vulnerabilities in those devices.

What is Zero Trust and the Buzz

The terms "Zero Trust" and "Zero Trust Architecture" (ZTA) have been buzzing around the IT security industry recently. The term Zero Trust is easy to digest: Zero + Trust = don't trust anything (or anyone). But what do these terms mean in the world of cybersecurity? Indeed, trying to conceptualize a network where nothing is trusted would make any network administrator's or CSO's head spin. So let us magnify the Zero Trust concept and walk through an example use case for its application. The term and concept are not new. Security analyst John Kindervag re-popularized the term, but it was first used decades ago by Stephen Paul Marsh in his Ph.D. on computational security. Before Zero Trust started to pop up endemically in IT-Sec industry literature, the concepts of "Defense In-Depth," "Least Privilege," and "Multi-factor Authentication" (MFA) were already seen as best practices for high-security network architectures. So, arguably, the concept of Zero Trust already existed as a high-security network architecture.

How Zero Trust is Different

ZTA is a set of security principles built on micro-segmented access control, designed to raise the bar in response to a blurred network perimeter brought about by broad adoption of cloud resources and remote nodes. It is predominantly considered a Layer-7 defense built on the Kipling method. The consensus is that there is no consensus on what Zero Trust technically means [1], but NIST SP 800-207 differentiates Zero Trust in the following way:

Zero-Trust responds to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets not located within an enterprise-owned network boundary. In addition, Zero Trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.

Not only are networks and their applications becoming more complex, but the value and amount of sensitive data they contain are rising, and so is cyber-crime itself; hence the industry also warrants increased security at its core. Accordingly, ZTA advocates far more granular access controls for better risk management of organizational assets.

The process of building ZTA looks something like this

  • Identify a Protect Surface comprised of critical and valuable data, assets, applications, and services (DAAS).
  • Identify how traffic moves across the organization's Information Technology landscape.
  • Segment critical assets on the network to create a Protect Surface between users of different security levels and data requirements.
  • Develop granular user-access control schematics along the Protect Surface.
  • Provide Layer 7 threat prevention to ensure network activity is within the defined accepted context.
  • Monitor, assess, and take the strictest action feasible when activity is out of context.

Another valuable way to look at ZTA is by the elements to which Trust can be applied. Each of these elements can be analyzed and broken down into granular contexts where Trust is either granted or withheld. Combined, these elements inform one comprehensive, ultimate decision to authorize.

  • User Trust
  • Device Trust
  • Transport and Session Trust
  • Application Trust
  • Data Trust

How Zero Trust is Different

Let's compare an example of a robust network security architecture with a more pervasive Zero Trust model. Imagine a remote worker logging onto a corporate network from home on their laptop. The user plugs in a hardware security key and enters a password into a login prompt. A robust authentication scheme has enforced password security to ensure the user's password contains enough key-space, has been changed periodically, and that previous passwords are not being re-used. The user may also be prompted to enter an OTP from an MFA app. It is unlikely that a stolen password can get an attacker very far with these authentication measures in place. The perimeter server control plane checks the IP of the system requesting access to verify that access should be granted. Certificates and PKI are used to authenticate the client's identity, and server endpoints establish a VPN tunnel that protects internal network resources from being directly exposed on a public IP.

Although, theoretically, the user is now within the network perimeter, ZTA does not consider the context secure. Therefore, the connection is subjected to a Policy Engine that operates in the control plane (Figure 1). This zone is commonly described as a Demilitarized Zone (DMZ). To validate a connection as trusted, a set of context-aware input variables is examined: the user's history, geolocation, device identity, correlation with threat intelligence data, and SIEM logs. These feed a trust algorithm that calculates a final decision to trust the access request or not. Once access has been granted, ZTA demands that the session be continuously monitored, and the user may be asked to re-authenticate if activity times out or other suspicious activity is detected.

Additionally, a ZTA advises that granular access controls for authorization be applied to individual resources, limiting access to resources from particular contexts. For example, the user may be granted access to their company email when connecting from their mobile phone remotely, but RDP access to any internal databases or file-shares is strictly denied.

IoT Security using Zero Trust

Given the statistics and context, virtually all aspects of IoT systems can be exploited unless security becomes a top priority when designing and maintaining them. Therefore, regardless of the environment, Zero Trust Architecture should be built into all aspects of an IoT system, not bolted on as a feature. That way, the entire configuration can function securely. Here are some cybersecurity guidelines to factor into the design:

  • All data should be mapped with specific Trust Criteria: Every piece of data shared and circulated within the IoT system should be accounted for and tied to specific Trust Criteria, so that it is authenticated every time it is called into service. This is not limited to information gathered by devices and sensors in the IoT ecosystem; it also covers credentials in IoT applications and automation servers. The configuration must authenticate on demand and break the workflow otherwise. Refer to the building of ZTA above.
  • IoT devices on the network should be accessible only upon establishing Trust: Ensure the device settings are secured before connecting it to a network. This includes using multifactor authentication, encryption, strong password combinations, and a strong username. Assumption of compromise should form a core aspect of the organization's cybersecurity strategy. While protecting against data breaches and cyberthreats is crucial, it is good to assume that no perfect defense exists against emerging threats; that is the basis of Zero Trust, meaning Trust Nothing. This assumption will help in designing mitigation procedures to contain the impact of a successful cyberattack. Security parameters such as access criteria, who [identity], when [time of access], how [process of access], for how long [duration of access], and recording [logging] can add further layers of security.
  • Provide physical security for all devices: It is crucial to factor in physical accessibility when designing cybersecurity protocols for IoT devices. Without physical protection, devices can be tampered with. Therefore, keep them in secure and restricted places and fit appropriate locks and other security tools. Failure to implement these measures can allow malicious actors to implant malware into the software or hardware to sabotage the system or spread viruses and malware. User, Device, and Network trust can be achieved with segmentation and by authorizing access based on the Principle of Least Privilege.
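The Policy Engine described in the comparison above and the access criteria just listed (who, when, how, for how long, logging) can be illustrated in one small trust algorithm. The following is an added example written for this page, not code from the original post or from NIST; the device inventory, threat-intelligence feed, resource names and time windows are all constructed, and the scoring rule (hard findings deny, soft findings force re-authentication) is one simple choice among many.

```python
# Toy Zero Trust policy engine: who / device / how / when / for how long, plus a
# threat-intelligence lookup, combined into one allow / step-up / deny decision.
from dataclasses import dataclass
from datetime import datetime
TRUSTED_DEVICES = {"plc-line-3": "factory-attested", "ops-laptop-7": "mdm-enrolled",
                   "phone-ops-7": "mobile"}        # constructed device inventory
THREAT_INTEL_IPS = {"203.0.113.9"}                 # constructed feed (TEST-NET address)
RESOURCE_POLICY = {                                # constructed per-resource policy
    "email":    {"methods": {"https"}, "devices": {"mdm-enrolled", "mobile"},
                 "hours": range(0, 24), "max_seconds": 8 * 3600},
    "scada-db": {"methods": {"sql"}, "devices": {"factory-attested", "mdm-enrolled"},
                 "hours": range(6, 22), "max_seconds": 900},
}
AUDIT_LOG = []  # every decision and its reasons are recorded (the logging criterion)

@dataclass
class AccessRequest:
    who: str          # identity making the request
    device: str       # device identifier presented with the request
    resource: str     # protect-surface element being accessed
    method: str       # how: protocol used (https, sql, rdp, ...)
    src_ip: str       # source address, checked against threat intelligence
    when: str         # when: ISO-8601 UTC timestamp of the access
    duration_s: int   # for how long: requested session length in seconds
    mfa_passed: bool  # whether the second factor was presented

def evaluate(req: AccessRequest) -> str:
    """Return 'deny', 'step-up' (re-authenticate) or 'allow', logging the reasons."""
    policy = RESOURCE_POLICY.get(req.resource)
    device_class = TRUSTED_DEVICES.get(req.device)
    hard, soft = [], []  # hard findings deny outright; soft ones force re-authentication
    if policy is None:
        hard.append("unknown resource")
    else:
        if device_class not in policy["devices"]:
            hard.append(f"device {req.device} not trusted for {req.resource}")
        if req.method not in policy["methods"]:
            hard.append(f"method {req.method} not permitted for {req.resource}")
        if req.duration_s > policy["max_seconds"]:
            hard.append("requested duration exceeds policy")
        if datetime.fromisoformat(req.when).hour not in policy["hours"]:
            soft.append("access outside approved hours")
    if req.src_ip in THREAT_INTEL_IPS:
        hard.append("source IP flagged by threat intelligence")
    if not req.mfa_passed:
        soft.append("MFA not satisfied")
    decision = "deny" if hard else "step-up" if soft else "allow"
    AUDIT_LOG.append({"who": req.who, "resource": req.resource, "method": req.method,
                      "decision": decision, "reasons": hard + soft, "at": req.when})
    return decision
```

With this policy, the phone in the example is allowed to read email over HTTPS but is denied RDP to the database, and an otherwise valid request at 02:15 UTC is answered with a re-authentication challenge rather than a silent allow.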

Additional IoT Security Strategies

Here are other means of implementing IoT Security:

  • Network Segmentation: All IoT devices that connect directly to the internet should have their own separate network and be restricted from joining the enterprise network. In addition, the network segments should be monitored for any malicious activity, and action should be taken where an issue is detected.
  • Security Gateways: They serve as the intermediary between the network and IoT devices and possess more memory and processing power than the IoT devices themselves. This enables them to implement security features such as firewalls that block attackers from reaching the IoT devices behind them.
  • Patch Management: Enable devices to download patches or update software automatically. Automating key aspects of your ICS vulnerability management will identify new vulnerabilities passively. However, it is worth noting that many IoT vulnerabilities may not be instantly fixable. Combining IoT inventory data with a tool that compares it to a known CVE database can instantly uncover vulnerable assets and whether a patch is available, and this information can also be used to prioritize patching efforts. On the other hand, applying untested patches can have drastic effects, so adopt best practices in testing and release and follow stringent risk-based change management.
  • Continuous Training: Many security teams are new to how operational system security works with respect to IoT. Your team has to stay in the loop on emerging threats in the IoT ecosystem. They should learn new programming skills and architectures and be proactive in addressing new security challenges.
  • Consumer Education: Users of IoT must take responsibility for the devices they use. While manufacturers provide manuals on how to stay secure, consumers must follow the manual, change default settings, and download updates.

IoT security should be the responsibility of consumers, manufacturers, and government. First, manufacturers should build security features into the devices. Second, users should assume responsibility for their safety and privacy while using these connected devices. Third, the underlying principles of ZTA are not entirely new; rather, the principles of Defence In-Depth, Least Privilege, Multi-factor Authentication, and Context-Aware Authentication and Authorization are formally bundled into a single concept. Fourth, evolving corporate work environments require more security because of more complex network configurations and the increasing value of private data, which attracts more cyber-attacks. More outsourced services also mean more access for external vendors. As a result, less Trust is warranted, and ZTA is a good ground zero from which to build more robust access controls and attain IoT resilience. Finally, the government should enforce regulations so that manufacturers comply with cybersecurity best practices as far as IoT devices are concerned.

In God We Trust – for the Rest Zero Trust