Hi there. Welcome to my talk, Mind the Gap: The Risks in Managing Enterprise IoT. My name is Cheryl Biswas. I also go by Encrypted. I work as a threat intel analyst with a bank here in Canada. I am a founding member of the Diana Initiative. We just had a terrific conference this year. Thank you if you're able to attend or support us in any way, where we support diversity and inclusion in tech. I'm also a member of the C3X college student cyber simulation, an annual event where we run a simulation and help college students get some really good hands-on training.

Okay, let's get started. Of course, the obligatory disclaimer: the views expressed here are mine, mine alone, and not those of my employer.

This talk is about taking a bigger-picture view of the threats and risks to our enterprise attack surface, seeing what we're missing, and then identifying the gaps based on existing regulations and security frameworks. I hope to give you some takeaways to better understand IoT in enterprise environments in terms of definition, threats and attacks, and also to give you some recommendations so that you can better secure what you've got in place and enhance your security policies.

All right, let's start here: points of ingress that lead to further access. We all know what IoT is. Well, welcome to the EoT, the Enterprise of Things. Essentially, it's what happens when we bring all the things that connect, IoT, into organizational networks. So just think about that for a sec, because we've really got a handle on this IoT thing, right? That's why I'm here, because there's a lot we need to talk about.

Now, I first gave this talk in 2019. Surprise: not much has changed, except there are a lot more things that got connected and aren't really protected. According to Gartner, all the things that connected doubled between 2018 and 2020 as the older tech was replaced with new. The enterprise and automotive IoT market grew to 5.8 billion endpoints in 2020 from 4.8 in 2019. Building automation grew the most, by 42% in 2020, thanks to connected lighting devices. Smart bulbs, anybody?

There's a lot of talk about the benefits, how equipping enterprises with smart connected devices will improve efficiency, innovation and collaboration. Of course we want that, but as the saying goes, be careful what you wish for. Like the sorcerer's apprentice, when it comes to EoT we don't really understand what we're doing, and yet here we are, bringing IoT devices in without actually having a plan or security in place. The biggest industries are manufacturing, transportation and utilities.

So let's take a moment and consider this. Over 90% of the data in the world has been created in the past two years. Current output exceeds 2.5 quintillion (yes, that's a number) bytes a day, and we just keep making more of it. When IoT becomes EoT, that surface increases, and so does our liability.

So what does it look like? It's better known as OT, or operational tech, in many places, and it's tied to achieving the goals and outcomes of a line of business. In manufacturing there are automation sensors and scanners. There are robots on the manufacturing floor. Healthcare uses it to cut costs and improve the quality of care for patients: there's remote patient monitoring and telemedicine, pumps, MRI machines, patient monitors. There have been some excellent talks about IoT and medical devices and security risks, and it all continues to grow. There can be up to 15 connected devices per bed. So just a shout-out and thanks to the great work done by the I Am The Cavalry people. Business and corporations are using smart TVs and digital conferencing, and don't forget the printers and scanners. Retail uses it everywhere that it can: beacons are pushed out with messages at points of sale, and automated checkout kiosks are showing up more and more.
There's inventory management done via smart shelves, tracking and monitoring for theft, digital displays. Transportation and logistics use sensors for warehouse management and on vehicles to track locations, fuel consumption and delivery times, and to reroute vehicles. And how about wearables that enable workers to communicate with their colleagues? Buildings and facility management use security and webcams, locks, lighting and HVAC systems. That is a lot of vulnerability just waiting to happen, and then COVID-19 happened.

A new study by Zscaler looked at IoT devices left on corporate networks during the pandemic. 575 million device transactions and 300,000 IoT-specific malware attacks were blocked over a two-week period in December of 2020. Now, that measured as an increase of 700 percent from pre-pandemic levels. The attacks targeted 553 different types of devices, all connected to and communicating with corporate IT networks while the workforce was remote. Now, 76 percent of these devices were communicating on unencrypted plain-text channels. Let that sink in. And that is the majority of IoT transactions, which poses a significant risk to any organization. The highest traffic came from manufacturing and retail industries, with 59 percent of the measured transactions; enterprise was second with 28 percent, and healthcare was third with 8 percent. Always expect the unexpected: there were smart fridges on there, and oh, musical lamps, sending traffic through corporate networks. Do you know what's on your network?
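The plain-text figure above is the kind of number you can measure on your own network from flow records. The following is an added example written for this page, not code from the talk or from the Zscaler study it cites: it classifies each flow as plaintext or encrypted by destination port and reports the share and the devices involved. The flow records and the port-to-protocol tables are constructed for illustration; a production classifier would confirm TLS by looking at the handshake rather than trusting port numbers.

```python
"""Plain-text IoT traffic audit over flow records.

Added example; this is not code from the talk or from the Zscaler study it
cites. The flow records and the port-to-protocol tables are constructed for
illustration (a production classifier would confirm TLS by inspecting the
handshake rather than trusting port numbers).
"""
from collections import defaultdict

# Assumed well-known ports for protocols that carry application data in the clear.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp",
                   502: "modbus", 1883: "mqtt", 5683: "coap", 9100: "jetdirect"}
# Assumed well-known ports for their encrypted counterparts.
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 5684: "coaps", 8883: "mqtts"}

# Constructed flow records: src_ip,device_label,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
10.20.1.15,smart-bulb,203.0.113.10,80,tcp,1200
10.20.1.15,smart-bulb,203.0.113.10,1883,tcp,340
10.20.1.22,printer,10.20.0.5,9100,tcp,88000
10.20.1.22,printer,203.0.113.44,443,tcp,5100
10.20.1.30,smart-fridge,198.51.100.7,23,tcp,610
10.20.1.31,conference-unit,198.51.100.9,443,tcp,240000
10.20.1.31,conference-unit,198.51.100.9,5060,udp,4100
"""


def parse_flows(text):
    """Turn the CSV-style records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, label, dst, port, proto, nbytes = line.split(",")
        flows.append({"src": src, "label": label, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def classify(flow):
    """Label a flow as plaintext, encrypted or unknown by destination port."""
    if flow["port"] in ENCRYPTED_PORTS:
        return "encrypted"
    if flow["port"] in PLAINTEXT_PORTS:
        return "plaintext"
    return "unknown"


def per_device_report(flows):
    """Count plaintext/encrypted/unknown flows for each (src, label) pair."""
    report = defaultdict(lambda: {"plaintext": 0, "encrypted": 0, "unknown": 0})
    for flow in flows:
        report[(flow["src"], flow["label"])][classify(flow)] += 1
    return dict(report)


def plaintext_share(flows):
    """Percentage of flows classified as plaintext, rounded to one decimal."""
    if not flows:
        return 0.0
    plaintext = sum(1 for f in flows if classify(f) == "plaintext")
    return round(100.0 * plaintext / len(flows), 1)


def devices_talking_in_the_clear(flows):
    """Device labels with at least one plaintext flow, mapped to the protocols seen."""
    seen = defaultdict(set)
    for flow in flows:
        if classify(flow) == "plaintext":
            seen[flow["label"]].add(PLAINTEXT_PORTS[flow["port"]])
    return {label: sorted(protos) for label, protos in sorted(seen.items())}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"{plaintext_share(flows)}% of flows are plaintext")
    for label, protos in devices_talking_in_the_clear(flows).items():
        print(f"  {label}: {', '.join(protos)}")
```

The "unknown" bucket matters as much as the plaintext one: a conference unit sending SIP signalling on 5060 is not necessarily encrypted, and a device whose traffic you cannot classify is exactly the device the talk is asking you to go and find.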
The greatest projected sources for endpoint electronics revenue in 2020 were consumer connected cars and networkable printing and photocopying. We are so hacked.

In order to understand IoT, we need to understand IoT. So I'll start here. They do say a picture is worth a thousand words. Here you go. Simply put, IoT devices are typically non-internet items that have been enabled to connect so that they can communicate with other devices. IoT comes in different flavors: there's enterprise IoT, industrial IoT, the internet of health things. This is tech that communicates machine to machine or mobile to mobile. IoT in any flavor means extending internet connectivity to physical devices, ordinary objects. So what we are doing here is expanding beyond our defined security and monitoring perimeters to connect physical devices that were not originally designed to connect. We're adding digital intelligence to enable communications and then taking us, the humans, out of the equation. Now, in that sense, we're handing over our control to the machines. Let me just leave that with you.

Many IoT devices are unmanaged systems which can communicate with other devices and systems in your organization. They process and transmit information. They have an operating system, no matter how simple that is, but they cannot be managed via traditional security tools. They don't let us configure them to be better. We're stuck with what we get. These unmanaged endpoints don't really have any built-in security that we can manage. Things like plug and play. Convenience, my friends, has become the root of all evil.

Think refrigeration on trucks. The temperature control fails. The sensor does not alert. Valuable cargo spoils. That's money lost. And let's talk about something bigger. You can think HVAC systems anywhere that we work, live or stay. What about an outbreak of an airborne contagion like Legionnaires' disease? Think quality control that regulates the safety of what we eat or what we use. If those are tampered with, would we know?
If somebody changes the settings just enough, how would we know? Call me paranoid. We rely on these devices to be reliable, to notify us. We trust them.

So let's talk about how these things are put together, how they're designed. We can think of it in terms of three layers. First there's the physical layer: the sensors, actuators, smart devices, the things. And they are at the edge of the IoT network, edge nodes. They interface and communicate to the cloud using either wired or localized radio frequency networks, and those are done through gateways. Some come internet-ready out of the box and require little to no configuration. There are others, older and legacy items, that use conventional methods like analog or serial connections. The conventional devices can get connected to things like microcontrollers, systems on modules, or single-board computers. Think Arduinos or Raspberry Pis.

Next we have the IoT gateways. These work as the middlemen, the messenger and translator between the cloud and smart device clusters: physical devices or software programs run from the field in close proximity to the edge sensors and other devices. Now, these mostly normalize, connect and transfer data between the physical device layer and the cloud, but they can also support additional computing and peripheral functions. So you have telemetry or multiple protocol translation. You can have artificial intelligence. These can do provisioning, even device management. You can put data encryption and even security monitoring on here.

And last is the application layer, also known as the cloud. It communicates with the gateway over the internet using either a wired or cellular connection. There is a ton of raw data being collected by all of those sensors, and you are going to need a lot of processing power and space for it.

Now, these are the four communication architectures used. There's device to device, so the devices within the same network connect using wireless PAN protocols; those could be Bluetooth or ZigBee. Device to cloud lets the IoT devices connect directly to the cloud, and they use long-range communication networks such as cellular. In device to gateway, well, they transfer information from sensors to the cloud via a gateway device, which collects the data and then communicates it to the cloud through additional network connectivity such as Wi-Fi or cellular. And then cloud to cloud, which is known as backend data sharing: it enables third parties to access uploaded data from IoT devices. For example, smart buildings that receive data from smart thermostats or smart light bulbs can send that data to the cloud via Wi-Fi.

Wireless sensors and actuators provide the connection between the digital and physical worlds, and they work together to produce and collect vast amounts of user data. For example, as an illustration, consider your cell phone. The camera and mic are sensors; the speaker and screen are actuators. Billions of IoT-based sensors are predicted over the next year, and the average home creates enough data to fill more than 332 gigabyte iPhones. Now, much of this is unneeded and it has to be filtered out. All of those sensors, how much data actually gets used? At a gas rig, managers claim to use just one percent from a ship's 30,000 sensors for maintenance planning. On average, companies use maybe 10% of the information they gather. Actuators can produce physical changes based on the data that they get from the sensors, so that they can shut off a device or move equipment. I want you to think back to how we were talking about handing over control to the machines, and what could go wrong, and that brings us here.

We have to integrate all the fast-moving progression into established constraints. Think of enterprise architecture, or EA, as urban planning for systems, networks, integration, because all the things have to live somewhere. So systems engineering, that's for one component, like a building, but EA, it's for all the things. And the challenge comes from trying to incorporate all of this new technology into the existing and legacy systems. They are not designed for the speed or agility of the newer technology, which leverages machine learning algorithms, key to IoT. This is where innovation is valued, and hence the challenge. IoT is constantly developing, which is the desired state, because innovation, right? So EA principles need to not interfere with that, but still provide enough in terms of oversight and control. Combining principles of EA with IoT strategies: not so easy. Business context, business value, competitive advantage, impact on customers, partners and employees in terms of experience. You can see how security got left off this list. It kind of looks like this. Again, there's a lot of moving pieces, and integration is complex, even complicated. From a security standpoint, we're monitoring data flow across three networks, from physical devices with firmware issues to logical layers and third-party APIs.

So to recap: three layers of architecture, billions of physical devices, monitoring data flow across three networks, and integration issues. What's on your network? Let's be clear, very clear. We'll talk about hyper-connectivity, that consumer-driven need for all the things to connect, which has made its way right into enterprise environments. There's the rush to market and no security in the software-defined lifecycle. Supply chain risk, and don't we know about that?
The possibility for the liability: devices get shipped that can't be updated, or with limited capacity to be updated, and risk gets pushed along the supply chain. Whoever buys it owns it, which leaves customers to bear the security maturity for EoT. You can consider it an open invitation to shadow IT through increasing unmonitored, unsanctioned BYOD. In a survey of IT leaders, 78 percent reported that over a thousand shadow devices connected to enterprise networks daily. That included things like fitness trackers, digital assistants, smart TVs, gaming consoles (bring your console to work), smart kitchen appliances, etc. As IoT moves into a range of enterprise environments driven by consumer demand and BYOD desire, shadow IT becomes shadow EoT, and it brings new challenges and risks that our existing compliance and security don't address or regulate.

So let me ask you this: does your security policy manage the IoT of your third parties? Most organizations still don't inventory IoT devices, because they don't have centralized control over what IoT devices and apps are in their workplace. How are you inventorying the personal devices used by your staff?
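One concrete way to start answering that inventory question is to reconcile what the DHCP server has handed out against the asset list you think you have. The following is an added example written for this page, not code from the talk or from any vendor: it parses lease records, looks up each MAC's OUI to guess a device class, and reports everything that is not in the approved inventory, ranking consumer-class gear highest. The lease text, the approved-asset list and the OUI table are all constructed; a real run would feed in the DHCP server's lease file and the IEEE OUI registry.

```python
"""Surface shadow (unsanctioned) devices by reconciling DHCP leases against
an approved asset inventory.

Added example, not code from the talk or from any vendor. The lease text,
the approved-asset list and the OUI table are constructed; a real deployment
would read the DHCP server's lease file and the IEEE OUI registry instead.
"""
import re
from collections import Counter

# Constructed OUI (first three octets) -> device class. Not the IEEE registry.
OUI_CLASSES = {
    "00:11:22": "printer",
    "aa:bb:cc": "fitness-wearable",
    "de:ad:be": "smart-tv",
    "12:34:56": "corporate-laptop",
}

# Device classes treated as personal/consumer gear by policy (assumption).
PERSONAL_CLASSES = {"fitness-wearable", "smart-tv", "game-console", "voice-assistant"}

# Constructed approved inventory: MAC -> asset tag.
APPROVED_ASSETS = {
    "00:11:22:33:44:55": "PRN-0042",
    "12:34:56:78:9a:bc": "LT-1187",
}

# Constructed lease records in a dhcpd-like layout (one lease per line).
SAMPLE_LEASES = """\
lease 10.20.1.22 { hardware ethernet 00:11:22:33:44:55; client-hostname "printer-3f"; }
lease 10.20.1.88 { hardware ethernet aa:bb:cc:01:02:03; client-hostname "fitness-watch"; }
lease 10.20.1.90 { hardware ethernet de:ad:be:ef:00:01; client-hostname "lobby-tv"; }
lease 10.20.1.45 { hardware ethernet 12:34:56:78:9a:bc; client-hostname "LT-1187"; }
lease 10.20.1.46 { hardware ethernet 12:34:56:78:9a:bd; client-hostname "LT-1190"; }
lease 10.20.1.47 { hardware ethernet 0a:0b:0c:0d:0e:0f; }
"""

LEASE_RE = re.compile(
    r'lease (?P<ip>\S+) \{.*?hardware ethernet (?P<mac>[0-9a-f:]{17});'
    r'(?:.*?client-hostname "(?P<host>[^"]*)")?',
    re.IGNORECASE,
)


def parse_leases(text):
    """Extract ip, mac and (optional) hostname from each lease line."""
    leases = []
    for line in text.strip().splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append({"ip": m["ip"], "mac": m["mac"].lower(),
                           "host": m["host"] or ""})
    return leases


def device_class(mac):
    """Guess a device class from the OUI prefix; 'unknown' if not in the table."""
    return OUI_CLASSES.get(mac[:8], "unknown")


def find_shadow_devices(leases, approved=APPROVED_ASSETS):
    """Leases whose MAC is not in the approved inventory, with class and severity."""
    findings = []
    for lease in leases:
        if lease["mac"] in approved:
            continue
        cls = device_class(lease["mac"])
        if cls in PERSONAL_CLASSES:
            severity = "high"      # consumer gear on the corporate network
        elif cls == "unknown":
            severity = "medium"    # cannot even tell what it is
        else:
            severity = "low"       # known class, just missing from inventory
        findings.append({**lease, "class": cls, "severity": severity})
    return sorted(findings, key=lambda f: f["ip"])


def severity_counts(findings):
    """Summary suitable for a daily report: how many findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in find_shadow_devices(parse_leases(SAMPLE_LEASES)):
        print(f"{f['severity']:6} {f['ip']:12} {f['mac']} {f['class']:18} {f['host']}")
```

Running this daily against the real lease file, and diffing the findings against yesterday's, turns the "thousand shadow devices a day" statistic into a list with names on it that someone can act on.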
BYO IoT, hello shadow. In an article from CSO from 2018, 97 percent of risk professionals admitted a data breach or cyber attack caused by unsecure IoT devices could be catastrophic to their organization. Motti Sorani, the CTO of CyberMDX, had this to say: that 61 percent of all medical devices on a hospital network are at cyber risk, and they could be compromised by malicious attackers seeking to steal the data, harm the patients or do ransomware. The truth is, IT teams in hospitals don't have the visibility to see how many or what types of medical devices are connected to the network. They don't have the critical insight into the threats and vulnerabilities of these devices, so they don't understand them in terms of risk to attack. And what's more, according to Sorani anyway, most hospitals don't have the visibility to see if their medical devices have been hacked. But these devices are getting attacked for their access to data, personal, health and financial, on patients and employees, and they can get pulled into botnets or be used for ransomware.

Breaches caused by unsecured IoT devices increased to 26 percent by 2020 from 15 percent in 2017. Now, these devices can collect very sensitive data. Connected devices are always communicating with other devices on the network. 98 percent of enterprise IoT communications are in plain text and unsecured; that's from a study done by Palo Alto in 2020. IoT devices are low-hanging fruit: 57 percent are vulnerable to medium- or even high-severity attacks. 83 percent of medical imaging devices run on unsupported operating systems, and that is up by 56 percent since 2018. Have we learned nothing?
We do face serious capability gaps and issues integrating IoT into business. Companies are not taking a holistic or big-picture view; they're just focusing on one enterprise IoT program, which leaves out organizational capabilities and the change management programs that are required when you roll out large-scale initiatives. We know now that IoT and EoT are different in terms of the standard equipment we connect. There's an ongoing, increasing risk of shadow IT becoming shadow EoT, and we need to go look for it.

So let's talk about how IoT attacks are different. We're used to attacks or breaches that are primarily focused on data exfiltration for identity theft and credit card fraud, etc. Great examples from the rash of ransomware attacks and name-and-shame sites. Business email compromise is just increasing exponentially as well. But in the IoT world, there might be some of that, but connected devices have more riding on them in terms of running the things that we need and rely on, and that's about availability. Attackers can turn devices against the company, and that's about integrity. So it's more about disruption or destruction, and impact is measured in damage that becomes dollars. This presents the challenge of securing beyond our CIA triangle. Attackers can carry out man-in-the-middle attacks, spoofing, cloning; there are software attacks to steal credentials, and encryption attacks target key algorithm implementations.

In a study that was done for the Irdeto global report in May of 2019, they surveyed 700 enterprises across five countries. The respondents stated a distinct lack of optimism about the future security of IoT devices in their organizations. I wonder why. 82 percent of organizations that manufacture IoT devices were concerned that the devices they developed were not adequately secured from a cyber attack. That gives me so much confidence. Or there's this: in the U.K., Germany and China, 100 percent of IoT device users believe that the cyber security of the devices they use could be improved, either to a great extent or to some extent. Again, very concerning, considering the rate at which these are proliferating through organizations. This is from a Forrester survey.

Peer-to-peer is notoriously hard to secure. What are the firmware update policies for devices? How about default configurations? Do you look for undocumented backdoor accounts? And then there's misconfiguration. What's turned on by default that exposes you and could be turned off? Things like Universal Plug and Play or open ports. And what are the consequences of an action?

In April 2019, the Microsoft Threat Intelligence Center discovered a targeted attack by APT28, or Strontium, against IoT devices. This involved a VoIP phone, a printer and a video decoder. They hit multiple locations, and they used the devices as access points into the wider corporate networks. Two of the three devices still had factory security settings, and the software on the third one hadn't been updated.

So let's talk about this a little bit more, because I work in threat intel, so we follow the games nation states play. Now, they have the means and motivation to target critical infrastructure. We've seen destructive targeted malware like Shamoon, Triton, NotPetya. And international economic sanctions provoke retaliation, with Iran and North Korea both demonstrating their capabilities here. Thanks to the release of the Mirai botnet source code, we've got a plethora of weaponized botnets out there that can do a whole lot more than just DDoS attacks. This is all about power and control. So unmanaged IoT and EoT are far more valuable and far more vulnerable to attack than conventional managed devices, and we can't apply the same attack scenarios and threat models as we do for enterprise IT. Why do we need to evaluate what we have in place?
Well, attackers can leverage and pivot, and each of those endpoints becomes a point of ingress for further access. Let's look at some attacks.

Who remembers this one? Millions of first-generation Amazon Echo devices and eighth-generation Amazon Kindle devices were vulnerable to something known as the Key Reinstallation Attack, or KRACK, a four-way handshake vulnerability, a series of them actually, disclosed in October of 2017. Now, these could be exploited by attackers to conduct man-in-the-middle attacks against WPA2-protected networks, and then they could steal information from the targeted devices by decrypting packets that were sent by clients. But it also let attackers replay the old packets and then perform a denial-of-service attack, disrupt network communications or replay attacks, decrypt data and information transmitted by victims, forge data packets, etc. But we've moved on from here.

Here's another thing, because what enterprise organization doesn't have Polycoms or teleconferencing? There are a lot of endpoints in these systems, and they each have their own security and risk factors to consider. More importantly, every single endpoint represents an opportunity to get into the network. Who actually implements these? Very likely it's the good folks in AV, but I don't think they're thinking about security when they're setting it all up. This is an attack on the Polycom HDX videoconferencing systems. Omni discovered it back in August of 2018. Thousands were exposed externally and many more were deployed internally. Polycom systems are linked to each other across different corporate offices globally. A trio of IoT botnets, Bushido, Hades and Yowai, that were based on Mirai were used in the attacks. They spread by Telnet, and brute force was used for access. Then things like BusyBox and wget and other binaries on the Linux operating systems were compromised. Just one, one exposed and misconfigured system, infected the entire network. The risk of unified communications devices with default passwords or PINs. And there you go.

But now there have been a series of massive attacks, not just one, several, over 2019 to now, and these, well, we're going to get into them. Identification is hard, but taking action to remediate them is even harder. Device vendors would need to take the updated TCP/IP stacks and integrate them as firmware updates into their products. And you're going to see an interesting connection or theme revolving around TCP/IP stacks in these. The thing is, many vulnerable devices don't even ship with the ability to update the firmware, and that means that some of that equipment will likely remain vulnerable for the rest of its life.

Let's start with this: URGENT/11, July of 2019. This was a set of 11 vulnerabilities which affected the VxWorks TCP/IP stack, IPnet. It's perhaps the most widely used operating system you've never heard of. Six of these were critical vulnerabilities that could enable remote code execution. There's a wide range of affected versions spanning across 13 years. And how many manufacturers use VxWorks?
Countless. There were over 2 billion devices impacted. Now, the attackers can circumvent NAT and firewalls to control devices remotely via the TCP/IP stack, undetected, with no user interaction required. Yeah. The vulnerabilities have a low-level position in the stack, and so the attacks are viewed as legitimate network activity. And because the vulnerabilities don't require any adaptations for the various devices that are using the network stack, it spreads really easily. This is what's impacted: real-time operating systems that are used in critical infrastructure and manufacturing, the stuff that we rely on, more than just running our day-to-day lives, but actually helping us stay alive.

In an example of an attack, this one attacks the VxWorks devices at the perimeter of the network, such as firewalls. Now, you expect these devices to be designed to fight off incoming attacks and that they should be secure. However, an attacker can take over the SonicWall firewall on the perimeter via URGENT/11 and an internet connection. It uses a specially crafted TCP packet, and then it takes over all of the firewalls to build a botnet. URGENT/11 enables attackers to take over the devices with no user interaction required, so that it can bypass perimeter security devices like the firewall and NAT solutions. And these vulnerabilities are essentially wormable, so they can be used to propagate malware into and within networks. So an attack can resemble that of the EternalBlue vulnerability, the one used to spread the WannaCry malware. This impacts literally any VxWorks device with an external network connection, and the attacks can take control regardless of the firewall or NAT solution, like I said, on the perimeter of the network to fend it off. Moreover, the attack can remain invisible to security measures because, like we said earlier, the vulnerabilities are low-level, so they're seen as benign. TLS doesn't even matter.

But then we got to 2020, and in June, Ripple20 was discovered. Those were 19 vulnerabilities that impact a TCP/IP library developed back in 1997, and it's the base of many IoT products. It enables the devices, or software on them, to connect to the internet using, of course, TCP/IP connections. What's the impact? Hundreds of millions of things, from smart home devices, routers, communications equipment that's used in mobile and satellites, to data center equipment. It affects health care systems, transportation systems, power grids. It can steal information from a printer. It can mess with an infusion pump. It can impair industrial control device functions. Essentially, quote, an attacker could hide malicious code within embedded devices for years. And one of the vulnerabilities could enable entry from outside into the network boundaries, and this is only a small taste of the potential risks.

December of 2020 brought us AMNESIA:33. The affected libraries were added to device firmware to allow products to support, you got it, TCP/IP, which is, as you've guessed by now, currently the most widely used networking communications protocol. This creates a greater risk when you're working from home, because all those unmanaged home routers can compromise VPN-protected corporate networks, and then they gain access to your offices and plants. And if exploited, an attacker could, among other things, perform remote code execution to take control of the targeted device, or do denial of service to impair the functionality and impact your business operations. There could be information leakage, and you could acquire, as an attacker, potentially sensitive information. Or there could be DNS cache poisoning attacks that point devices to a malicious website.

But here we are in 2021, and in February, Forescout found vulnerabilities in multiple, you got it, TCP/IP stacks where initial sequence numbers, or ISNs, were being improperly generated. The thing to know about these ISNs is that they have to be randomly generated to ensure that the TCP connections between the devices are unique, and these are used in establishing new sessions within TCP connections. Otherwise there are collisions, and with collisions you could get an attacker or a third party interfering with the connection in progress. And if an attacker can guess an ISN, well, they can potentially hijack an ongoing connection or spoof a new one. NUMBER:JACK added seven more vulnerable TCP/IP stacks to the four open TCP/IP stacks that were identified in AMNESIA:33, increasing the vulnerable devices by millions. This stuff is all ongoing. Nothing's been completely fixed. The popularity and some use cases of the vulnerable stacks? Well, that's extensive, because it's used by millions of devices and includes everything from file servers to embedded components. This makes identification a challenge, because you don't always know what stack a device is running. You may not even know at all. It may not be made apparent to you; it may not be enclosed in the literature when you get it. And these embedded devices are very difficult to manage and update. What can you do about it? Well, you need to discover and inventory the devices you've got that run on vulnerable TCP/IP stacks, and keep track of that. Patch when possible, segment networks, and you can use IPsec.

And that brings us here, to April of 2021 and NAME:WRECK. Now, this affects the DNS implementation. These are the vulnerabilities, and they can cause either denial of service or remote code execution. It affects four more popular TCP/IP stacks. We've probably mentioned these before. So FreeBSD, that's one of the most popular operating systems in the BSD family. IPnet, you've heard me mention this earlier, because that's the one with VxWorks. There's NetX, and this is part of ThreadX's real-time operating systems, and it is currently an open source project maintained by Microsoft under the name of Azure RTOS NetX. And then there's Nucleus NET. This is another real-time operating system. It's under Mentor Graphics, which is a Siemens business.
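Since you often cannot tell from the documentation which stack a device runs, one thing you can measure directly is whether its ISNs behave the way the NUMBER:JACK passage above says they must. The following is an added example written for this page, not Forescout's code or their test methodology: it takes a list of ISNs observed from successive connections to one device and scores them with two simple indicators, how often the next ISN is exactly the previous one plus the last observed increment, and how many bits of range the increments span. The two ISN series are constructed, one from a hypothetical stack that bumps a counter per connection and one from a stack that draws 32 fresh random bits; on a real device you would collect the ISNs from the SYN-ACKs of repeated connections in a packet capture.

```python
"""Check whether a TCP stack's initial sequence numbers (ISNs) look predictable,
the weakness behind NUMBER:JACK.

Added example; this is not Forescout's code or their test methodology. The ISN
samples are constructed: one series from a hypothetical stack that adds a
constant per connection, one from a stack that draws 32 random bits. On a real
device, collect ISNs from the SYN-ACKs of repeated connections in a capture.
"""
import random

MOD = 1 << 32  # sequence numbers are 32-bit and wrap


def predictable_stack_isns(n=16, start=0x12345678, step=64000):
    """Hypothetical weak stack: ISN = previous ISN + constant increment."""
    return [(start + i * step) % MOD for i in range(n)]


def randomized_stack_isns(n=16, seed=7):
    """Stack that draws a fresh 32-bit value; seeded only so the demo is repeatable."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def prediction_hit_rate(isns):
    """Fraction of ISNs an observer predicts exactly by reusing the last delta.

    Someone who has seen two connections knows the increment; if the third ISN
    equals ISN2 + increment, the stack is trivially guessable. Random ISNs score ~0.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    hits = 0
    for i in range(1, len(deltas)):
        predicted = (isns[i] + deltas[i - 1]) % MOD
        if predicted == isns[i + 1]:
            hits += 1
    return hits / (len(deltas) - 1)


def delta_spread_bits(isns):
    """Bits of range the increments cover; a constant increment gives 0."""
    deltas = isn_deltas(isns)
    return (max(deltas) - min(deltas)).bit_length()


def assess(isns, hit_threshold=0.25, spread_threshold=20):
    """Combine both indicators into a verdict (thresholds are assumptions)."""
    hit_rate = prediction_hit_rate(isns)
    spread = delta_spread_bits(isns)
    weak = hit_rate >= hit_threshold or spread < spread_threshold
    return {"hit_rate": hit_rate, "delta_spread_bits": spread,
            "verdict": "predictable" if weak else "acceptable"}


if __name__ == "__main__":
    for name, series in (("counter stack", predictable_stack_isns()),
                         ("random stack", randomized_stack_isns())):
        print(name, assess(series))
```

A stack that passes this crude test can still be weak (for instance, a poorly seeded generator repeats across reboots, which a single capture session will not show), so treat "acceptable" as "not obviously broken" and keep the device on the inventory of things to segment and patch.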
So yeah, you're thinking medical, industrial, consumer, aerospace. In an attack, threat actors could exploit NAME:WRECK vulnerabilities to cause some serious damage to government or enterprise servers, health care facilities, retailers or companies in the manufacturing business. And attacks can involve stealing sensitive data, or modifying and taking equipment offline for sabotage. They can also tamper with critical building functions in either residential or commercial locations: control the heating, the ventilation, disable security systems.

So now you have a good idea of how these attacks work, and with Polycoms it just takes one to infect an entire network. But now we're looking at a whole host of massive vulnerabilities leveraging the TCP/IP stacks, the problems of identification and of mitigating embedded devices. Please make it better.

When you're talking about IoT architecture, these are some of the essential requirements. The good news is that some progress has been made in terms of legislation. In January of 2020, we had the California IoT cyber security improvement act, and Oregon followed on those heels. Manufacturers of IoT devices are required to equip any IoT device that they make with reasonable security features appropriate to the device and the information that it may collect, hold or send, and to protect that device and the information on it from unauthorized access, destruction, use, modification or disclosure. In December of 2020, President Trump signed into law the IoT Cybersecurity Improvement Act, and this provides the first federal standards for this area. NIST was charged to develop minimum cyber security standards for any internet-connected device sold by vendors to the U.S. government, and IoT vendors to create vulnerability disclosure policies to inform promptly.

We're getting there, a little bit, but we need to put some rules in place. Businesses need to be clear on why they are using what they are using, and understand the path of the data flows and how it will be handled. They need to design with security from the beginning. Because IT and OT need to work together on this, with clear roles to manage applications, system infrastructure and data. We need to leverage the power of the BOM, the bill of materials, for all the things: software, hardware, firmware. Know your normal so that you can monitor for anomalies, and you need to automate to get the visibility and to stay current. And this, please, because you don't know what you've got till it's pwned. This whole section has been a takeaway, so finally: spend some money and some time. We need to do a culture shift and break down the silos within and between IT, security and other departments to ensure visibility as well as understanding. Our shared goal needs to be to build a cyber security strategy across departments and functions. I know that sounds like world peace.

But I'm going to end here. Who has seen the movie I, Robot? It was good until it wasn't good, right? And that about sums up what it's like when IoT infiltrates enterprises. These devices are not the obedient little soldiers that computers and laptops are. They interact differently with the existing network, and they behave differently. They operate with little to no human intervention. Automating convenience with inadequate supervision is going to end badly. Just saying. Thank you so much for your time. I hope you enjoyed this talk and got something to take back with you. Those are my details there. Bye.
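"Know your normal so that you can monitor for anomalies" is easy to say and, for unmanaged devices that never change their job, surprisingly practical: a printer or a thermostat talks to a handful of peers on a handful of ports, so anything else is worth a ticket. The following is an added example written for this page, not code from the talk: it learns each device's usual (destination, port) pairs from a baseline window of flow records and then reports every flow in a later window that departs from it, distinguishing a new peer on a known port, a new peer on a new port, and a device that was never baselined at all. Both windows are constructed; the check window contains a printer that starts talking Telnet to an outside host and a thermostat reaching an internal host on 445.

```python
"""'Know your normal': learn each device's usual peers and ports from a
baseline window, then flag flows outside it.

Added example, not code from the talk. Both flow windows are constructed:
the baseline is a quiet period; the check window contains a printer that
starts talking Telnet to an outside host, a thermostat reaching an internal
host on 445, and a device that never appeared in the baseline.
"""
from collections import Counter, defaultdict

# Constructed records: device_label,dst_ip,dst_port
BASELINE_WINDOW = """\
printer-3f,10.20.0.5,9100
printer-3f,203.0.113.44,443
printer-3f,10.20.0.5,9100
thermostat-2b,198.51.100.20,8883
thermostat-2b,198.51.100.20,8883
badge-reader-1,10.20.0.9,443
"""

CHECK_WINDOW = """\
printer-3f,10.20.0.5,9100
printer-3f,203.0.113.99,23
thermostat-2b,198.51.100.20,8883
thermostat-2b,10.20.2.7,445
badge-reader-1,10.20.0.9,443
lobby-tv,203.0.113.80,80
"""


def parse_window(text):
    """Parse records into (device, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        device, dst, port = line.split(",")
        flows.append((device, dst, int(port)))
    return flows


def build_baseline(flows):
    """Map each device to the set of (dst, port) pairs seen during the baseline."""
    baseline = defaultdict(set)
    for device, dst, port in flows:
        baseline[device].add((dst, port))
    return dict(baseline)


def find_anomalies(baseline, flows):
    """One finding per flow that departs from the device's learned behaviour."""
    findings = []
    for device, dst, port in flows:
        if device not in baseline:
            findings.append({"device": device, "dst": dst, "port": port,
                             "reason": "device not in baseline"})
            continue
        known = baseline[device]
        if (dst, port) in known:
            continue  # normal for this device
        known_ports = {p for _, p in known}
        reason = "new destination" if port in known_ports else "new destination and port"
        findings.append({"device": device, "dst": dst, "port": port, "reason": reason})
    return findings


def summarize(findings):
    """Counts per reason, for a quick daily overview."""
    return dict(Counter(f["reason"] for f in findings))


if __name__ == "__main__":
    baseline = build_baseline(parse_window(BASELINE_WINDOW))
    for f in find_anomalies(baseline, parse_window(CHECK_WINDOW)):
        print(f"{f['device']:16} -> {f['dst']}:{f['port']:<5} {f['reason']}")
```

The baseline itself has to be reviewed before you trust it: if the printer was already talking Telnet to the internet on the day you captured "normal", this check will happily call that normal, which is why the inventory and plaintext audits come first and the anomaly watch comes after.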