Over the course of recent years, Internet of Things (IoT)-embedded technology has become more pervasive. IoT is finding its way into all of the major industries. From retail, to to critical infrastructure and everything in between, IoT devices are everywhere. They are the smartwatches, smart televisions, industrial controllers and traffic sensors which, when connected to the Internet, add interactive functionality to an existing space.
IoT Devices Experiencing Expansive Growth
Business Insider predicted that by 2020, there would be more than 24 billion IoT devices on planet earth. Investments are expected to exceed $830 billion in that time. IoT-embedded devices can be installed, attached, mounted, or otherwise moved into the existing space to provide convenience, security, control, and – of course – data for analysis.
However, with the positive projections, there come the vulnerabilities to cyber threats. IoT devices can be used to orchestrate cyberattacks such as Distributed Denial of Service (DDoS). Cybercriminals are becoming more sophisticated, with bots and worms taking over vulnerable smart devices. Industrial control systems are also being targeted by more hackers, raising critical infrastructure and public safety issues.
IoT Security Considerations
When it comes to security, just knowing that a device connects to that vast ocean of cyber activity that the Internet brings is just the proverbial tip of the iceberg. IoT devices provide all the perks and benefits that remote servers, cloud infrastructures, wireless communications networks, and a variety of applications can bring. But when considering IoT devices, DevSecOps teams need to consider securing the entire ecosystem, not just the device itself.
Consider a satellite communication center threat model. IoT devices – such as the connected aircraft or drone – connect to the Internet through a direct link to the satellite. The vast majority of devices, though – such as a media crew’s uplink system – may connect to the Internet through a telecom network. Aircraft or drones connect to the Internet through a direct link to the satellite. The vast majority of devices, though – such as a media crew’s uplink system – may connect to the Internet through a telecom network.
The telecom network, then, connects to the Internet and receives information through the satellite ground communications center. Complex communications networks are required for IoT interconnectivity, which also must be secured. Consumer IoT comprises a relatively simple ecosystem. As can be seen from the architecturally-based process flow diagram below, however, even a basic set of smart locks and intrusion sensors involves at least three intended extensions into the world beyond the physical home (cell tower, cable modem, and at least one app existing on the cloud).
Securing IoT Beyond Device Security
IoT devices themselves are only a minor part of a holistic cybersecurity approach. Securing IoT also requires more than simply making the endpoint devices secure – the entire ecosystem must be secured.
Consider the 2016 DDoS attack on Dyn that disrupted Internet usage across much of the US. The attackers created a massive botnet from some 100,000 IoT endpoints using the Mirai malware. Much of the incident reporting revolved around how the attackers were able to create a massive botnet because the conscripted devices had poor security measures – such as hardcoded passwords like “admin” – or no security measures at all. However, few if any reports considered that the DDoS attack was possible precisely because each of those IoT endpoints connected to an ecosystem far beyond the device itself.
In another well-publicized incident – the 2013 Target breach – the confidential information of nearly 70 million consumers was downloaded. The attack was made possible because the HVAC vendor’s IoT sensors enabled the attackers to access the credit card payment system. Securing IoT ecosystems cannot be overlooked. Had Target properly secured their IoT endpoints with network segmentation, the attack would have been foiled without incident.
Two Certainties with IoT: Devices and Connectivity
Smart devices, whether for the consumer, commercial and industrial or the government market, are only “smart” because one of their primary functions is connectivity. Many IoT devices have minimal storage and computing functionality. Without said connectivity, the devices are relatively “dumb.”
However, with that connectivity, the devices can translate information about the physical world into terabytes of data. This information is processed by remote applications and monitored by remote users. Furthermore, connectivity allows many IoT systems to turn a series of digital commands into physical action, for example, which can start a stopped heart or administer precisely controlled dosages of medicine. Other applications include controlling traffic patterns, raising drawbridges, affect the fuel efficiency of automobiles and aircraft, controlling the distribution of electrical power, and even unlocking your front door as you walk up the sidewalk.
It is not the local device, though, that was smart enough to determine the most efficient fuel-air mix or to recognize you from the rest of the people on the sidewalk. The “smarts” of IoT devices are just an arbitrary attribute we give them due to unseen automation and remote processing performed on the cloud somewhere.
Bad Actors Pose a Remote Security Risk with IoT Devices
The greater security risk, and why securing IoT requires a “big picture” perspective, has to do with hackers’ ability to target IoT devices remotely. Attackers do not need to be in proximity to IoT devices to exploit their inherent or relative security weaknesses. Through the connectivity of IoT, attackers can remotely affect cars, aircraft, trains, factories, traffic signals – and yes – gather and analyze terabytes of data IoT devices are continuously sending. Far beyond just legislating that vendors take responsibility for IoT devices security.
Threat Modeling Provides the IoT “Big Picture” for Security
Threat modeling an IoT system from an architecturally-based process flow diagram provides the needed “big picture” for securing IoT ecosystems. For example, the healthcare cyber-physical system threat model diagram shown below shows two data sensing vectors and multiple control vectors which could be applied to patients either in-house or hospital.
Between these IoT endpoints, though, is an extensive system of cloud and on-premises computing and human interactors with 34 high and very high-risk threats (representing 44% of the total threats identified), whereas only 17% of the total threats came from the actual smart devices. Securing IoT devices is not enough to ensure patient safety. Attacking the system through its connectivity and – for example – taking over a heart device may be received by the smart device as a legitimate command. No device-centric security measure would be able to prevent such a disastrous attack.
In an electrical substation threat model, a low number of threats rated high or very high are produced from the IoT devices themselves; the rest is created by the greater IoT ecosystem. Clearly, securing IoT systems requires a “big picture” perspective.
The architects of the Ukraine Crash Override attack were able to exploit weaknesses in the electrical substation’s larger cyber ecosystem while depending on the actual control devices to function normally. Securing controllers and other IoT devices is good and necessary – to a point. It is absolutely necessary to secure the connectivity that exchanges data to and from IoT devices. Securing IoT ecosystems starts with threat modeling.
To learn more about how ThreatModeler can help, we recommend scheduling a live demo. For more information, you can also contact ThreatModeler.
 Hilton, Scott. “Dyn Analysis Summary of Friday October 21 Attack.” Dyn Company News. Oracle: Manchester. October 26, 2016.
 Vamosi, Robert. “IoT Hack Connected to Target Breach.” Mocana IoT Security Blog. Mocana Corporation: February 5, 2014.
 “S. 1691 — 115th Congress: Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” www.GovTrack.us. 2017. October 3, 2017