IoT

The Internet of Things (IoT) is the term used in computing for connecting embedded devices to the Internet. The connection should be primarily wireless and should bring new possibilities for interaction, not only between individual systems, but also new possibilities for controlling and monitoring them and for providing advanced services. One problem, however, is the variety of existing communication standards from different groups of vendors, which include the Open Interconnect Consortium (Intel, Samsung, Dell, Broadcom, ...), the AllSeen Alliance (Cisco, LG, Microsoft, Qualcomm, Sharp, ...), the Industrial Internet Consortium and OGC Sensor Web Enablement.

Sophisticated Attacks

Some threat actors are sophisticated, motivated by economic factors. These actors are commonly associated with nation-state or terrorist threats in energy and the public sector, but they are also motivated by competitive advantage in manufacturing, where a rival may seek details about technology designs and manufacturing processes, pricing and business plans, legal agreements, and contact lists, or supply chain disruption. The level of sophistication is evidenced by what we’ve learned about these attackers and their tools, including a number of malware campaigns and hacking groups (see sidebar, “Sophisticated Malware and Hacking Campaigns”).

Insider Threat

The insider threat in IoT is a multifaceted problem that relates to both malicious and unintentional security incidents involving employees, contractors and vendors. One common form of the unintentional insider threat stems from the high-availability requirements of IoT combined with these systems' sensitivity to adverse network traffic, a result of their historical isolation from adverse network traffic and diverse network protocols. Another vector of the unintentional threat is when third parties are used as an attack vector for self-propagating malware or persistent attackers seeking a foothold in an air-gapped or otherwise isolated network. Many of the incidents documented herein incorporate some form of this attack vector. For example:

● Contractor infecting the network with a laptop infected with a virus
● USB storage device transmitting a virus
● Watering-hole attack in which an employee at a targeted company downloads an IoT software update from a vendor’s site that has been compromised with a Trojaned software update
● Phishing attack against employees at a targeted company

Malicious intent in IoT environments has characteristics similar to those of traditional insider threats, except that the impacts can feel more tangible, such as the overflow at a wastewater treatment plant or smart meters that employees configure to underreport electricity usage.

Attack Patterns

A number of patterns emerge from looking at IoT security threats.

Targeted Attacks

In IoT, many of the attacks are persistent and targeted: adversaries use multiple vectors of attack to gain a foothold within the network from which to move laterally. In this environment, network managers can’t rely on a security strategy of merely getting rid of the low-hanging fruit of security vulnerabilities and hoping that attackers will quickly move on to the next easy target.

Collateral Damage Risk

IoT-specific malware is growing, and even when designed for a targeted attack it often employs self-propagating infection techniques. As such, even unintended targets are often compromised. Significant disclosure of new vulnerabilities (and, frankly, old but unpatched or unaddressed vulnerabilities) and even zero-day exploits mean that these concerns will only increase. You may not be the target, but you might get compromised.

Social Engineering and Phishing

Just as in traditional IT and operational technology environments, employees are a weak link in the security chain. Many of the targeted attack campaigns use employees to gain an initial foothold on a network. This is also a common initial vector for malware.

Remote Access

The distributed nature of IoT controllers, as well as the common scenario where a vendor is used to manage a system, combined with components that often don’t support modern security controls or protocols, means that remote access is a common vector of attack. Many of the documented incidents use this as a primary attack method.

Vulnerability Landscape

Extensive Vendor Vulnerabilities Exist

ICS-CERT published its own list of advisories for IoT systems, which provide information about security issues, vulnerabilities, and exploits. Where traditional IT/OT network environments tend to be at risk from the latest threats, the long lifespan of many IoT systems and the challenge of patching mean that new threats tend to be additive; that is, the risk tends to multiply as the vulnerabilities accumulate.

Patterns in IoT Network Vulnerabilities

According to ICS-CERT, based on the security assessments it conducted in FY14, a significant number of the vulnerabilities it found (28 percent) on critical infrastructure networks were clustered in six areas (in terms of NIST 800-53 control families):

| Control Family | Description |
| --- | --- |
| Boundary protection | Lack of firewall control of IoT networks, including lack of sufficient logical separation from enterprise IT/OT networks or the Internet. |
| Information flow enforcement | Lack of technical access control mechanisms, such as firewalls, routers, proxies, gateways, and tunnels, to control the flow of information in an IoT network and ingress/egress between networks in accordance with policy. |
| Remote access | Weak security controls for remote access, including Internet-facing systems, vendors and contractors, VPN configurations, the use of personal devices and vulnerable OSs. |
| Least privilege | Provisioning users with elevated privileges beyond the minimum required, such as the use of administrator accounts for routing functions, creates a risk for both unintentional and malicious incidents. |
| Physical access control | Not securing physical access to IoT equipment. |
| Security function isolation | Implementation of flat network topologies without multiple layers of security controls simplifies exploitation while making it more difficult to monitor connectivity between systems of different trust levels. |
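
Three of the control families listed above (boundary protection, information flow enforcement and remote access) can be checked against observed traffic. The following is an added example, not part of the original page or of any ICS-CERT tooling: it audits constructed flow records against an assumed zone policy. The subnets, zone names, permitted conduits and port list are all hypothetical.

```python
import ipaddress

# Assumed zone layout (hypothetical subnets, not from the page).
ZONES = {
    "iot": ipaddress.ip_network("10.50.0.0/16"),
    "dmz": ipaddress.ip_network("10.40.0.0/24"),
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
}
# Assumed policy: the only (src_zone, dst_zone, dst_port) conduits permitted.
ALLOWED = {
    ("enterprise", "dmz", 443),  # users reach the jump host in the DMZ
    ("dmz", "iot", 22),          # jump host manages controllers
    ("iot", "dmz", 8883),        # devices publish telemetry (MQTT over TLS)
}
REMOTE_ACCESS_PORTS = {22, 23, 3389, 5900}  # SSH, Telnet, RDP, VNC

def zone_of(addr):
    """Map an address to a named zone; anything unknown is 'internet'."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "internet")

def audit(flows):
    """Flag flows crossing an IoT boundary without an allowed conduit."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        # Intra-zone traffic and flows not touching the IoT zone are skipped.
        if sz == dz or "iot" not in (sz, dz) or (sz, dz, port) in ALLOWED:
            continue
        if "internet" in (sz, dz):
            kind = "boundary protection"
        elif port in REMOTE_ACCESS_PORTS:
            kind = "remote access"
        else:
            kind = "information flow enforcement"
        findings.append(((src, dst, port), kind))
    return findings

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.3.7", "10.40.0.5", 443),    # enterprise to jump host: not flagged
    ("10.40.0.5", "10.50.1.20", 22),    # allowed: jump host to controller
    ("10.10.3.7", "10.50.1.20", 3389),  # RDP from enterprise straight into IoT
    ("203.0.113.9", "10.50.1.20", 23),  # Telnet from the Internet to a controller
    ("10.50.1.20", "10.10.8.8", 445),   # IoT device reaching enterprise SMB
]

if __name__ == "__main__":
    for flow, kind in audit(SAMPLE_FLOWS):
        print(flow, "->", kind)
```

Intra-zone flows are deliberately skipped, so a flat IoT network (the security function isolation row) passes this audit unnoticed; catching that requires splitting the IoT zone into smaller zones in the policy.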