How to Protect Your Business Against an Expanding IoT Attack Surface
Barry J. Ewell
April 15, 2020
The proliferation of interconnected Internet of Things (IoT) devices and the volume of data they generate have created a vast attack surface where hackers and cybercriminals can launch attacks to pilfer sensitive data. According to Forrester1, companies have no choice but to secure this environment with a mix of vendors and solutions and they suggest the following:
Prioritize vendors with proven integrations and broad technology ecosystems. Rich ecosystems attract more partners and talent familiar working with the systems. Companies need to examine and carefully assess how well a given IoT security solution complements and integrates with key IoT security capabilities. Integrations that rely on documented and open application programming interfaces (APIs) should be favored over those that require custom code. Prioritizing vendors this way will allow you to maintain a flexible, modular security architecture and minimize risk of lock-in to specific proprietary solutions. Given that further vendor consolidation is highly likely, a modular architecture also better positions your organization to respond to changes in the vendor landscape with minimal disruption.
As the threat landscape is now larger and finding the right talent across your entire infrastructure is expensive, it is important to work with a vendor that has the resources dedicated to cybersecurity. Honeywell continues to make significant investments in cybersecurity personnel and is well positioned across its entire portfolio to help you navigate this complex landscape.
Prepare for and simulate IoT security breaches to improve organizational readiness. The IoT security threat is constantly evolving. Companies cannot accurately predict every possible attack scenario; security teams need to forecast and document the most probable, highest-impact IoT security scenarios by asking questions like:
- What are my most critical assets and where is sensitive data being stored, processed and transmitted?
- What are the likely attack vectors?
- How should notification be managed?
- How can affected devices be mitigated?
Having a plan in place, as well as holding simulation exercises to gauge readiness, will help ensure that the organization is positioned to handle an IoT breach and can do so in a way that minimizes the impact on customers.
Focus on analytics, not just data collection. IoT significantly increases the amount of available security-related data such as authentication and data usage. While managing and collecting this scale of data can be challenging, it’s an excellent intelligence source that will help identify potential IoT security events and allow your organization to respond quickly to new attacks. Security teams must strengthen security event data collection and normalization capabilities to be able to search through enormous data sets to identify and escalate issues.
Do not underestimate customer data privacy concerns. Many IoT platforms (such as device management and connectivity solutions) capture a plethora of device data, including device status, location and use of connected assets. This data is often fed into cloud-based systems or other components, making it hard to assess at any given point where the data is being stored and processed. The scale and distributed nature of the IoT device data increases the risk of data misuse, whether inadvertent or malicious.
With new data privacy regulations such as the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and many others coming into force in 2019, organizations need to understand if the IoT device’s data collection and use are consistent with all relevant legal, regulatory and compliance requirements. Honeywell has strict Privacy Impact Assessments in place integrated as part of our Software Development Lifecycle so that every product is constantly evaluated throughout its evolution. We do this so that you can buy Honeywell products with the confidence that you are compliant by default at the time of purchase. We recommend that as you integrate our products into your workflows and business, your organization continues this practice so you can reply to queries around compliance with conviction.
Mobile Attack Surface
At Honeywell we aggressively look at what is known as the Mobile Attack Surface of our devices and applications. The term attack surface refers to the amount of code, functionality and interfaces of a system exposed to attackers. We continuously assess and mitigate the possible ways that attackers can attempt to exploit and gain access to valuable data that can result in data loss, or manipulation, identity theft and damage to brand reputations. Vulnerabilities can be found in multiple areas that include data at rest, code functionality, data in motion and backend systems. Let’s take look at data in transit and at rest.
Data in Transit. Data in transit, or data in motion, is data actively moving from one location to another such as across the internet or through a private network. We look at how we can effectively take measures to protect the data that is traveling network to network or being transferred to and from a local storage device to cloud storage device. On the mobile attack surface among others, we should consider issues such as:
- Transport Layer Security (TLS) downgrade done by applications or backend systems and using less secure encryption
- Fake TLS certificates and certificate validation issues
- The “httpOnly” flag is set, or other downgrades done by developers for applications connecting to your backend infrastructure
As an example, the TLS downgrade attack is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g., an encrypted connection) in favor of an older, lower-quality mode of operation (e.g., cleartext) that is typically provided for backward compatibility with older systems. The importance of keeping your data integrity or confidentiality from attackers is critical to business operations in today’s environment.
Data at Rest. Data at Rest is data that is not actively moving from device to device or network to network such as data stored on a hard drive, flash drive or archived/stored. Protection for Data at Rest secures inactive data stored on the device or network. Data at Rest is actually more vulnerable and deemed more valuable by attackers than Data in Motion. We consider issues as they relate to:
- Data stored on disk and in external SD card
- Data stored in log files
- Sensitive data should be stored in a “secure enclave”
Encryption plays a major role in data protection for securing data both in transit and at rest. For protecting Data in Transit, the choice is made to encrypt sensitive data prior to moving and/or use encrypted connections (e.g., HTTPS, SSL, TLS, FTPS). Enterprises secure Data at Rest by encrypting sensitive files prior to storing them and/or encrypt the storage device itself. In addition, best practices include:
- Implement network security solutions like firewalls and network access control to help secure the network against malware attacks and other intrusions.
- Use proactive security measures that identify at-risk data and how to implement effective data protection for data in transit and at rest.
- Choose data policies and solutions that enable user prompting, blocking or automatic encryption for sensitive data in transit or at rest such as with email attachments or when data is moved to external storage and removable drives.
- Define policies for systematically categorizing and classifying all company data, no matter where it’s located, so you can ensure that the appropriate data protection measures are applied while data remains at rest and triggered when data classified as at-risk is accessed, used or transferred.
- Always evaluate your public, private or hybrid cloud provider on the security measures they offer. Know who has access to your data, how it’s encrypted and how often it is backed up.
While data in transit and data at rest may have slightly different risk profiles, the inherent risk hinges primarily on the sensitivity and value of your data; attackers will attempt to gain access to valuable data whether it’s in motion, at rest or actively in use, depending on which state is easiest to breach. That’s why a proactive approach including classifying and categorizing data coupled with content, user and context-aware security protocols is the safest and most effective way to protect your most sensitive data in every state.
Honeywell Cybersecurity Circle of Trust
Every day, around the world, businesses are at risk of cyberattacks. Honeywell acknowledges the risk and believes the best way to minimize attacks and the losses that result from them is to take a pervasive and holistic approach to security. Pervasive means Honeywell approaches security from multiple angles, which include gathering intelligence on cyber events in multiple industries, building protections directly into devices and software, and maintaining a 24/7 level of vigilance on the cyber climate. A holistic approach to security means that we need to pay attention to the entire picture and individual aspects of a product offering.
Honeywell aims to integrate all these elements designed to safeguard an organization to empower our customers to build a solution with security built in from the beginning. We focus on protecting you and our products (e.g., mobile computers, scanners and printers) against sophisticated attacks at all levels, from low-level opportunistic hackers to industrial espionage and cyber criminals. Honeywell is a founding member of the ISA Global Security Alliance, which means that all of our products go through ISA62433 security requirements from their inception.
Honeywell’s story begins 100+ years ago as a global leader in industrial manufacturing and advanced technology. We have used that expertise to drive cybersecurity innovation with over 15 years as a key leader in industrial cybersecurity solutions helping transform and protect the world’s most critical infrastructures. Our broad portfolio includes Operational Technology (OT) cybersecurity software products and services that allow customers to simplify, strengthen and scale industrial cybersecurity across an enterprise.
Our global team of 300+ Certified Cybersecurity Experts have successfully implemented 5,000+ cybersecurity projects, managed 400+ industrial cybersecurity sites, conducted hundreds of risk assessments and have the breadth of resources to help execute projects of every size and complexity across 70 industry sectors often involving critical infrastructure and national security. These include: supply chain, healthcare, oil and gas, refining, pulp and paper, industrial power generation, chemicals and petrochemicals, biofuels, life sciences, CPG, F&B, utilities, water/waste, metals, minerals and mining industries.
Honeywell’s large footprint in multiple industries gives us a broad view of emerging cybersecurity threats in their earliest stages in industries where the typical cybersecurity offerings are not usually present. This allows us to identify issues, develop countermeasures and deploy them to our customers earlier than our competition in this industry that usually does not receive attention. We also leverage relationships to receive pre-disclosures of vulnerabilities from industry councils and partners including Intel, Qualcomm and Google as well as from our participation and work with various organizations such as ICS-CERT (concentrated around Industrial Controls), NVD, DHS CISA and many more. Furthermore, Honeywell’s size, strength and global presence allows us to leverage the broad investment in security across our enterprise.
Cybersecurity is core to Honeywell. We design security into our products, policies and processes. Our baked-in-from-inception approach to cybersecurity, design-to-delivery process has a strong emphasis on building security into products to anticipate and mitigate risk before a breach can happen. We do this by embedding deep domain knowledge, product testing and security requirements of industry-leading security practices throughout our full design and development process to ensure our solutions are as secure as possible from the start.
We aim to make our solutions as free of vulnerabilities and attack surface as possible through such measures as continuous testing, authentication safeguards and adherence to best programming practices. We believe security must evolve with the product that our customers purchase. A group of dedicated white-hat penetration testers with industry-leading certifications such as OSCE/OSCP, completely independent from the engineering team, continuously test our solutions to ensure we have the highest standards for defense.
Contact a Honeywell Solutions Expert today! Call 1-800-934-3163.
1 Forrester, The State of IoT Security 2018, Merritt Maxim, Published January 19, 2018
Barry J. Ewell is a Senior Content Marketing Communications Specialist for Honeywell Safety and Productivity Solutions. He has been researching and writing on supply chain topics since 1991.