COMPANIES TODAY have lost track of millions of network-addressable devices, the so-called Internet of Forgotten Things (IoFT). With 27 billion IoT devices projected to be deployed by 2025, according to IoT Analytics, the IoFT will likely grow as well, potentially making businesses more vulnerable to cyberattacks.
“These devices are everywhere,” says Sean Tufts, practice director in ICS and IoT security for Optiv, an infosec consultancy and integrator.
Securing newer IoT devices you know about is hard enough. Securing older ones long since fallen out of use is harder still. There are some ways to help your clients close these security gaps, however.
First, consider how we got here. Tufts says companies may install devices for a specific purpose and then forget that purpose. For example, he recently spotted a state lottery vending machine in an airport with both a cellular and ethernet network connection, two paths to the internet in a very sensitive area, although he had high confidence the device was segmented and not a current threat to the airport. “What happens in 2032 when they do a large firewall or cloud migration?” Tufts asks. “This device could easily end up in the wrong location with the wrong connectivity.”
In addition, operational technology (OT) groups, particularly in manufacturing, sometimes install sensors and industrial controls that are outside of IT’s purview. These devices “serve narrow purposes, are largely unmanaged, and can be deployed for a decade or more,” says Bo Lane, vice president of global engineering at Kudelski Security, the cybersecurity division of the Kudelski Group, a global digital security and convergent media solutions company.
Given the numbers, says Lane, “it’s highly probable that organizations have connected devices or OT-type controls in place, unmanaged and ‘forgotten.’” Specific industries like manufacturing and critical infrastructure have more opportunities to “forget” devices than others, he adds, noting that they’re “heavily reliant on OT, and utilize connected devices at very remote sites.” This extends the problem to the far ends of the company and includes locations with few IT resources.
The problem is not exclusive to those industries though, says Tufts. While a highly robust and monitored network will have fewer IoFT devices, he notes, “it’s not uncommon to find gaming systems and smart TVs where they shouldn’t be.” Users seem to think hiding devices from IT is a fun challenge, he notes, and the less aware the IT group, the more common the problem.
So how do you stop IoT devices from becoming IoFT devices? “Treat all devices like we do a corporate-issued PC,” Tufts advises, which means tagging, tracking, and monitoring them.
Maintaining an accurate asset inventory of all deployed IoT devices is also critical to preventing them from being forgotten, Lane says. “Accurate IoT asset inventory is the current rage,” agrees Tufts, and an abundance of tools can expand your network monitoring footprint.
For instance, an IoT management platform can automatically generate regular reports. For cellular and Bluetooth devices, you’ll need tools that can scan frequency spectrums and further fingerprint and triangulate the exact location of individual devices. Lane recommends adding each device you find to “a lifecycle management plan for IoT devices, including ways to safely and securely decommission devices at the end of their useful lives.”
Tufts also suggests sniffing the environment for unknown but approved devices, then going one step further: “Having the ability to knock them off the network is a key capability.” When possible, have the user justify the device and log it in the proper management database. If no one claims the device, he suggests you play IT’s favorite game: “Turn it off and see who complains.” Of course, he cautions that common sense is needed when it comes to medical devices and other potentially risky applications.
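The tagging, inventory and “who claims this device” steps described above can be turned into a routine reconciliation check. The following Python script is an added example, not code from the article or from either firm’s tooling: it compares a constructed list of devices observed on the network (the kind of data a DHCP/ARP scan or an IoT management platform report would yield) against a constructed asset inventory, and flags devices that have no inventory record, records with no owner, records past their planned decommission date, devices not seen for a long time, and inventory entries that were never observed at all. All MAC addresses, tags, owners and dates are made up.

```python
"""Reconcile observed network devices against an IoT asset inventory.

Added example (not from the article). Flags the cases that turn an IoT
device into a "forgotten" one: no inventory record, no owner, lifecycle
end date passed, or not seen on the network recently.
"""
from datetime import date, timedelta

# Reference date for the check (constructed so the example is reproducible).
TODAY = date(2024, 6, 4)

# Constructed observations: what a scan or platform report might produce.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.20.1.15", "last_seen": date(2024, 6, 3)},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.20.1.16", "last_seen": date(2024, 6, 3)},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.20.7.40", "last_seen": date(2024, 6, 2)},
    {"mac": "00:1a:2b:3c:4d:04", "ip": "10.20.7.41", "last_seen": date(2023, 11, 20)},
]

# Constructed inventory: one managed record per device, with the fields the
# article recommends tracking (tag, owner, purpose, decommission date).
INVENTORY = {
    "00:1a:2b:3c:4d:01": {"tag": "IOT-0001", "owner": "facilities",
                          "purpose": "HVAC sensor", "decommission_by": date(2027, 1, 1)},
    "00:1a:2b:3c:4d:02": {"tag": "IOT-0002", "owner": "",
                          "purpose": "unknown", "decommission_by": date(2026, 1, 1)},
    "00:1a:2b:3c:4d:04": {"tag": "IOT-0004", "owner": "plant-ops",
                          "purpose": "line PLC", "decommission_by": date(2024, 1, 1)},
}


def reconcile(observed, inventory, today, stale_after=timedelta(days=90)):
    """Return {mac: [reasons]} for every device that needs attention.

    A device with no entry in the result is inventoried, owned, within its
    lifecycle and recently seen, i.e. not a candidate "forgotten" device.
    """
    findings = {}

    def add(mac, reason):
        findings.setdefault(mac, []).append(reason)

    for dev in observed:
        mac = dev["mac"]
        rec = inventory.get(mac)
        if rec is None:
            # Seen on the wire but nobody has claimed it: ask around,
            # then log it or plan its removal.
            add(mac, "not in inventory")
            continue
        if not rec["owner"]:
            add(mac, "no owner")
        if rec["decommission_by"] < today:
            add(mac, "past decommission date")
        if today - dev["last_seen"] > stale_after:
            add(mac, "not seen recently")

    # Inventory records with no observation at all: the device may already
    # have been removed, or it may be connected somewhere the scan can't see.
    seen = {d["mac"] for d in observed}
    for mac in inventory:
        if mac not in seen:
            add(mac, "in inventory but never observed")
    return findings


if __name__ == "__main__":
    for mac, reasons in sorted(reconcile(OBSERVED, INVENTORY, TODAY).items()):
        print(f"{mac}: {', '.join(reasons)}")
```

Run on a schedule, the “not in inventory” and “no owner” findings are the list to walk with the user-justification step, while “past decommission date” feeds the lifecycle plan Lane describes; the 90-day staleness window is an assumption and should match how often the devices in question are expected to be online.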
Forgotten devices can sometimes be controlled by a management platform, adds Lane, either by using default credentials or a factory reset. If so, it may then be possible to disable the device in place and mitigate the security risk. “However,” Lane stresses, “physically removing the device is the only way to guarantee that the forgotten device does not continue to represent a continuing security risk.”