You may have many IoT devices on your network, yet not know where they are, what they are, or whom they are communicating with. Companies that don't know their IoT devices face significant security exposures.
For example, in 2013 attackers used network credentials stolen from Target's HVAC service contractor to get into Target's network, and from there reached the point-of-sale systems and stole tens of millions of customer payment card numbers. (see darkreading.com)
IoT is short for "Internet of Things". In practice, any embedded or special-purpose device that has a network connection (and usually talks to the Internet) is treated as an IoT device: it is not a general-purpose computer that your endpoint tools manage, yet it has an IP address and an operating system of its own. Each day more of these devices are added to corporate networks, each collecting and reporting data, or controlling systems and environments.
Here’s a sampling of devices that exist in most environments:
Many of these systems may have been deployed by facilities or helpdesk groups, so the network and security teams may not even be aware that they are on the network.
If an IoT device becomes compromised, there are many possible risks that businesses face:
Many of these devices may be connected almost anywhere on the network, over either a cabled or a wireless link.
Finding where they are typically involves knowing what to look for. One approach is to look at the MAC addresses in your switches' MAC tables and routers' ARP caches: the first three octets of a MAC address (the OUI) identify the manufacturer, so you can search for OUIs belonging to known IoT manufacturers, or flag unfamiliar OUIs that don't match the vendors your business normally deploys.
Once you have found a suspected IoT device on the network, you have to determine its function and purpose. Typically this involves looking up the MAC address in the ARP caches (or DHCP leases) to learn its IP address, then running a port scan to find out whether it accepts Telnet, SSH, HTTP, or HTTPS connections that can tell you more about it.
If it responds on HTTP or HTTPS, browse to it and look at the login page. Usually it will have telltale signs such as "Company XXXX HVAC Management Node" or "Printer model x451". If the page itself is not informative, right-clicking on it and choosing "View source" will often reveal copyright notices, product names, or script paths that disclose what the device is and who manufactured it; the Server header in the HTTP response is another quick hint.
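The discovery and identification steps above, as an added example that is not part of the original post and not PathSolutions code. It parses ARP cache output in two common layouts (a Cisco "show ip arp" row and a Linux "arp -a" row), normalizes each MAC, and classifies it by OUI; then it pulls the title, copyright line and Server header out of a device's HTTP login page. The ARP lines, the HTTP response, the "Contoso" device name and the "00:1C:2D" vendor entry are all constructed for this example; a real tool would load the IEEE OUI registry rather than the three-entry table here, and the port scan itself is left to a scanner such as nmap.

```python
import re
from typing import Dict, List, Optional, Tuple

# OUI table for this example: the first three octets of a MAC address identify
# the manufacturer. The "00:1C:2D" entry is a made-up placeholder vendor; the
# other two are real registry assignments shown for contrast. A real tool
# would load the full IEEE OUI list plus your own notes on which vendors
# make IoT gear.
OUI_TABLE: Dict[str, str] = {
    "00:1C:2D": "example-hvac-controller",   # constructed placeholder
    "B8:27:EB": "raspberry-pi-foundation",
    "00:0C:29": "vmware-virtual-nic",
}

# Constructed ARP cache lines: two Cisco "show ip arp" rows (dotted MAC) and
# one Linux "arp -a" row (colon-separated MAC).
SAMPLE_ARP = """\
Internet  10.1.20.15            12   001c.2d4a.9f10  ARPA   Vlan20
Internet  10.1.20.16             3   b827.eb11.2233  ARPA   Vlan20
? (10.1.30.22) at aa:bb:cc:01:02:03 [ether] on eth0
"""

# Constructed HTTP response from a device's login page.
SAMPLE_HEADERS = {"Server": "lighttpd/1.4.35", "Content-Type": "text/html"}
SAMPLE_BODY = """<html><head><title>Contoso HVAC Management Node - Login</title></head>
<body><form method="post" action="/login"><input name="user"><input name="pass" type="password"></form>
<!-- (c) 2016 Contoso Building Systems -->
</body></html>"""

# Matches either a Cisco dotted MAC (001c.2d4a.9f10) or a colon/dash MAC.
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b",
    re.I,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(raw: str) -> str:
    """Reduce any MAC notation to upper-case AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_arp(arp_text: str,
                 oui_table: Dict[str, str] = OUI_TABLE) -> List[Tuple[str, str, Optional[str]]]:
    """Return (ip, mac, vendor-or-None) for every ARP row that carries both an
    IP and a MAC. A None vendor is an OUI you have no record of: worth a look."""
    results = []
    for line in arp_text.splitlines():
        mac_m, ip_m = MAC_RE.search(line), IP_RE.search(line)
        if not (mac_m and ip_m):
            continue
        mac = normalize_mac(mac_m.group(0))
        results.append((ip_m.group(1), mac, oui_table.get(mac[:8])))  # mac[:8] is the OUI
    return results


def fingerprint_http(headers: Dict[str, str], body: str) -> Dict[str, str]:
    """Pull the identifying strings out of a device's web page: the Server
    header, the <title>, and any copyright notice (visible or in a comment)."""
    info: Dict[str, str] = {}
    server = next((v for k, v in headers.items() if k.lower() == "server"), None)
    if server:
        info["server"] = server
    title = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    if title:
        info["title"] = " ".join(title.group(1).split())
    copy = re.search(r"(?:&copy;|©|\(c\)|copyright)\s*([^<>\n]{0,80})", body, re.I)
    if copy:
        info["copyright"] = copy.group(1).strip(" -")
    return info


if __name__ == "__main__":
    for ip, mac, vendor in classify_arp(SAMPLE_ARP):
        print(f"{ip:<14} {mac}  {vendor or 'UNKNOWN OUI'}")
    print(fingerprint_http(SAMPLE_HEADERS, SAMPLE_BODY))
```

Feed classify_arp the ARP output exported from your own routers; anything it reports with an unknown OUI, or a known IoT vendor, is a candidate for the port scan and web fingerprint. Only scan and log in to devices on networks you are authorized to assess.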
Note: Most IoT devices are connected to the network without anyone changing the default password, so a quick Internet search for the model's default credentials will often let you log in. Treat any device that still accepts its default password as a finding: change it to a unique, non-default password so the device cannot be taken over by internal or external actors, and restrict which hosts can reach its management interface.
IoT devices typically talk to a small, fixed set of servers. For example, an HVAC management device might have the following communications:
The controller server may be on-prem or cloud-based. The other destinations may be cloud services hosted by the HVAC manufacturer or by the service company directly.
You would want to build a template of each IoT device's normal communications pattern (which destinations, protocols, and ports it uses, in both directions) so you would be able to tell when the following occurs:
All of these communications can typically be seen by analyzing NetFlow records exported from your routers and switches, or by packet-capture analysis.
In a perfect world, you would set policies that accept the legitimate communications and raise an immediate alert on anything beyond them, so that unauthorized communications can be terminated before problems occur. A device that suddenly talks to a new destination, or starts probing other internal hosts, is one of the clearest signs that it has been compromised.
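The per-device communications template and the alert-on-anything-else policy described above, as an added example that is not part of the original post and not PathSolutions code. It reads simplified NetFlow-style records (source, destination, protocol, destination port, bytes), compares each flow involving a templated device against that device's allowed outbound destinations and allowed inbound managers, and reports every flow that falls outside the template. The flow records, the HVAC controller at 10.1.20.15, its template, and the 203.0.113.0/24 and 198.51.100.7 "cloud" addresses are all constructed for this example; the real record format depends on your collector.

```python
import csv
from io import StringIO
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Sequence, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# A rule is (network, protocol, destination port). Constructed template for one
# HVAC controller: outbound rules describe where the device may talk to;
# inbound rules describe who may manage it. 203.0.113.0/24 stands in for the
# vendor's cloud service.
TEMPLATES: Dict[str, Dict[str, Sequence[Tuple[str, str, int]]]] = {
    "10.1.20.15": {
        "outbound": [
            ("10.1.5.40/32", "tcp", 443),      # on-prem controller server
            ("10.1.5.53/32", "udp", 53),       # internal DNS
            ("203.0.113.0/24", "tcp", 443),    # manufacturer cloud (constructed)
        ],
        "inbound": [
            ("10.1.7.0/24", "tcp", 443),       # facilities admin subnet, HTTPS only
        ],
    },
}

# Constructed flow records: src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
10.1.20.15,10.1.5.40,tcp,443,18422
10.1.20.15,10.1.5.53,udp,53,120
10.1.20.15,203.0.113.25,tcp,443,9023
10.1.20.15,198.51.100.7,tcp,8080,3311
10.1.20.15,10.1.30.22,tcp,445,77210
10.1.7.10,10.1.20.15,tcp,443,2200
10.1.40.9,10.1.20.15,tcp,23,410
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified CSV flow export into Flow records."""
    flows = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        src, dst, proto, dport, nbytes = row
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def _matches(addr: str, proto: str, port: int,
             rules: Sequence[Tuple[str, str, int]]) -> bool:
    """True if (addr, proto, port) is covered by at least one rule."""
    ip = ip_address(addr)
    return any(ip in ip_network(net, strict=False) and proto == p and port == dp
               for net, p, dp in rules)


def audit_flows(flows: Sequence[Flow], templates=TEMPLATES) -> List[Tuple[Flow, str]]:
    """Return every flow that touches a templated device but is not covered by
    its template. Flows that involve no templated device are ignored here."""
    alerts = []
    for f in flows:
        if f.src in templates:
            if not _matches(f.dst, f.proto, f.dport, templates[f.src]["outbound"]):
                alerts.append((f, "outbound to destination/port not in template"))
        elif f.dst in templates:
            if not _matches(f.src, f.proto, f.dport, templates[f.dst]["inbound"]):
                alerts.append((f, "inbound from host/port not in template"))
    return alerts


if __name__ == "__main__":
    for flow, reason in audit_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} "
              f"({flow.nbytes} bytes): {reason}")
```

On the constructed records this flags three flows: the controller reaching an unlisted external host on port 8080, the controller opening SMB (tcp/445) to an internal workstation, and a Telnet connection to the controller from a host outside the management subnet. The template is deliberately an allowlist: everything the device was not observed doing during the baselining period is an alert, which is what keeps a newly added command-and-control destination from blending in.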
PathSolutions TotalView automatically scans to find IoT devices, and identifies what they are and whom they communicate with, so that exposures can be remedied.
Contact us with questions about how PathSolutions TotalView can make IoT network security easier.