19 July 2020

A New Approach Is Needed to Secure the Internet of Things

By Dan Gouré

Most of us have enough trouble just trying to keep the security programs on our computers and cell phones up-to-date. But we are going to have to adjust to a future in which virtually everything in our lives will be rendered “smart” and connected in what is characterized as the “Internet of Things” (IoT).

The construction of networks built on 5G technology will accelerate this process. With this explosion in connectedness, cybersecurity is being completely reconceptualized. Recently, a set of vulnerabilities was found in a software program used to connect hundreds of millions of IoT devices. While this vulnerability is being addressed, more are sure to be discovered. To guard against bad actors exploiting vulnerabilities in the IoT, it will be critical to ensure the ability to automatically surveil all the devices on networks, identify those that are unauthorized or vulnerable to attack, and isolate them before they can be compromised or do harm.

While virtually everyone is familiar with the Internet and its common use to connect devices such as computers and mobile phones, the IoT concept is relatively new. As sensors and computing devices became smaller and more capable, it became possible to embed them in just about anything connected via a network. These miniature devices made simple electronics smarter and allowed ever more complex systems to be managed remotely. Today it is possible to control and supervise every device in your home from heating and cooling to the refrigerator sprinkler system to baby monitors.

One subset of the IoT is called Operational Technologies (OT), referring to those devices used to remotely manage physical systems and processes. Much of the world's industrial processes, medical facilities, and physical infrastructure will be monitored and controlled through these OT devices. Even the U.S. military will be part of the IoT with platforms, headquarters, and even individual weapons and warriors all linked together. As an article in Wired Magazine, succinctly explained the IoT: "Simply, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together."


The growth in the use of embedded sensors in the platforms, systems, and electronics that dominate our lives is almost too great to fathom. In 2018, there were just 7 billion IoT devices on the Internet worldwide. In 2020, that number is expected to rise to 31 billion devices and by 2025 to 75 billion.

The billions of devices residing on the IoT and in OT require special software that connects these devices to the Internet allowing data to be shared and commands to be sent and received. Such special software is called transmission control protocol/Internet protocol (TCP/IP).

While the IoT and OT can benefit our private lives, improve the efficiency of business operations, and help the U.S. military maintain is technological superiority, it also can give rise to vulnerabilities that threaten our privacy, the safe operation of critical industrial processes, and military operations.

A recent wakeup call regarding the vulnerability of the IoT and the challenge of securing it from hacking is instructive. A team of cyber experts announced the discovery of a collection of vulnerabilities, collectively termed Ripple20, in the popular TCP/IP software from one company that is used to connect hundreds of millions of devices. Affected industries and device types include industrial and manufacturing systems, power grids, medical devices, oil and gas, transportation, home devices, retail devices, and aviation, among others. Ripple20 vulnerabilities allow malicious actors to paralyze the device or force it to run any malicious code they choose. That is especially concerning if the affected device runs in a utility, manufacturing, or medical environment.

The company responsible for the TCP/IP software in question reports that it has developed fixes for the Ripple20 problem. However, it is not certain how many of the company’s customers have implemented these fixes or how extensively they have cleaned up all the devices vulnerable to Ripple20. According to the online cyber journal Cyberscoop, “The code is deeply embedded in some systems and can’t be easily updated without interrupting the process they support.”

With millions of devices being added to the IoT every day, it can be difficult to keep track of them and ensure that they have the proper security features. It is possible that many of the companies and network providers that use the software program with the Ripple20 vulnerabilities may not be aware of all the devices they are hosting, which ones are authorized, or even which ones are employing the vulnerable software.

While developing patches is important, that alone is insufficient. Before remedial actions can be implemented, organizations need to understand their risk exposure and conduct a fast and accurate inventory of their assets. That must be the first step. Then, there must be a means of enforcing segmentation controls and proper network hygiene. External communication paths need to be restricted and vulnerable devices identified, isolated or contained prior to their being secured. In addition, companies need to monitor progressive patches released by the software and device vendors. 

The federal government has implemented several programs that are designed, inter alia, to address the kind of cybersecurity threat posed by Ripple20 and similar vulnerabilities in the IoT. The Department of Homeland Security has initiated the Continuous Diagnostics and Mitigation (CDM) program, designed to provide federal agencies with constant surveillance, threat identification and timely response to network threats. The Department of Defense is implementing the Comply-to-Connect (C2C) program designed to automatically identify devices connected to DoD networks, identify vulnerabilities, and then either apply patches to remediate vulnerabilities or isolate the affected devices.

The IoT is already too big to fail. It is also too big to monitor and secure through conventional cybersecurity measures. Only automated processes based on strategies such as that employed in CDM and C2C have a chance of being successful.

Dan Gouré, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. Goure has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute @LexNextDC. Read his full bio here.

No comments: