The familiar concept of devices that connect to the Internet – the so-called IoT or Internet of Things devices – is that they are…. well… devices. They are the smart watches, smart televisions, industrial controllers, traffic sensors and what not that are installed, attached, mounted, or otherwise moved into the existing space. They are devices which, because they connect to the Internet, provide convenience, security, control, and – of course – loads of data for analysis. However, when it comes to security, just knowing that a device connects to that vast ocean of cyber activity called the Internet indicates that the device proper is just the proverbial tip of the iceberg. IoT devices provide such wonderful convenience, security, control, and piles of data for analysis precisely because they are connected through the Internet to an IoT ecosystem full of remote servers, cloud infrastructures, wireless communications networks, and a variety of applications. Thus securing IoT requires big-picture thinking about the ecosystem, not just the device itself.
Consumer IoT comprises a relatively simple ecosystem. As can be seen from the architecturally-based process flow diagram below, however, even a basic set of smart locks and intrusion sensors involves at least three intended extensions into the world beyond the physical home (cell tower, cable modem, and at least one app existing on the cloud). Should an intruder want to break into this home with stealth, forcing the front door lock or windows might not be the best idea. It would be better for the intruders to attack the IoT home’s IoT system instead remotely and simply open the front door from their cell phone.
Securing IoT Requires More than Device Security
Recently, a good deal of media attention has been given to the relatively lax security of IoT devices as they proliferate for consumer, commercial, and government use. However, the IoT devices themselves are only a minor part of the whole. Thus securing IoT requires more than simply making the endpoint devices secure – the entire ecosystem must be secured.
Consider the 2016 DDoS attack on Dyn that disrupted Internet usage across much of the US last year. The attackers created a massive botnet from some 100,000 IoT endpoints using the Mirai malware. Much of the incident reporting revolved around how the attackers were able to create a massive botnet because the conscripted devices had poor security measures – such as hardcoded passwords like “admin” – or no security measures at all. However, few if any reports considered that the DDoS attack was possible precisely because each of those IoT endpoints connected to an ecosystem far beyond the device itself.
In another well-publicized incident – the 2013 Target breach – the confidential information of nearly 70 million consumers was downloaded. The attack was made possible because the HVAC vendor’s IoT sensors enabled the attackers to access the credit card payment system. Securing IoT ecosystems is cannot be overlooked. Had Targeted properly secured their IoT endpoints with network segmentation, the attack would have been foiled without incident.
Two Certainties with IoT: Devices and Connectivity
Smart devices, whether for the consumer, commercial and industrial, or the government market, are only “smart” because one of their primary functions is connectivity. Many IoT devices have minimal storage and computing functionality. Without said connectivity, the devices are relatively “dumb.”
However, with that connectivity, the devices can translate information about the physical world into terabytes of data for processing by remote applications and monitoring by remote users. Furthermore, connectivity allows many IoT systems to turn a series of digital commands into physical action that can start a stopped heart or administer precisely controlled dosages of medicine, control traffic patterns and raise drawbridges, affect the fuel efficiency of automobiles and aircraft, control the distribution of electrical power, and even unlock your front door as you walk up the sidewalk.
It is not the local device, though, that was smart enough to determine the most efficient fuel-air mix or to recognize you from the rest of the people on the sidewalk. The “smarts” of IoT devices are just an arbitrary attribute we give them due to the unseen automation and remote processing performed on the cloud somewhere.
Therein is the greater security risk and why securing IoT requires a “big picture” perspective: Attackers do not need to be in proximity to IoT devices to exploit their inherent or relative security weaknesses. Through the connectivity of IoT, attackers can remotely affect cars, aircraft, trains, factories, traffic signals – and yes – gather and analyze those terabytes of data IoT devices are continuously sending. Far beyond just legislating that vendors take responsibility for IoT devices security.
Threat Modeling Provides the IoT “Big Picture” for Security
Threat modeling an IoT system from an architecturally-based process flow diagram provides the needed “big picture” for securing IoT ecosystems. For example, the healthcare cyber-physical system threat model diagram shown below shows two data sensing vectors and multiple control vectors which could be applied to patients either in-house or hospital. Between these IoT endpoints, though, is an extensive system of cloud and on-premises computing and human interactors with 34 high and very high-risk threats (representing 44% of the total threats identified), whereas only 17% of the total threats came from the actual smart devices. Securing IoT devices is not enough to ensure patient safety. Attacking the system through its connectivity and – for example – instructing the smart devices to administer a lethal dose of
medicine may be received by the smart device as a legitimate command. No device-centric security measure would be able to prevent such a disastrous attack.
In the electrical substation threat model generated by the following process flow diagram, only 23% of the threats rated high or very high are produced from the IoT devices themselves; the rest are created by the greater IoT ecosystem. Clearly, securing IoT systems requires a “big picture” perspective.
The architects of the Ukraine Crash Override attack were able to exploit weaknesses in the electrical substation’s larger cyber ecosystem while depending on the actual control devices to function normally. Securing controllers and other IoT devices is good and necessary – to a point. Securing the connectivity with instructs and receives data from the IoT devices is absolutely necessary. Securing IoT ecosystems starts with threat modeling.
Ready to learn more about getting the “big picture” for securing IoT or other systems? Click here to schedule a live ThreatModeler demo.
Security starts here!
 Hilton, Scott. “Dyn Analysis Summary of Friday October 21 Attack.” Dyn Company News. Oracle: Manchester. October 26, 2016.
 Vamosi, Robert. “IoT Hack Connected to Target Breach.” Mocana IoT Security Blog. Mocana Corporation: February 5, 2014.
 “S. 1691 — 115th Congress: Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” www.GovTrack.us. 2017. October 3, 2017