Securing IoT Networks

Type trendmicroblog
Reporter William "Bill" Malik (CISA VP Infrastructure Strategies)
Modified 2018-02-22T15:28:10


The typical enterprise has more than 500 applications in place.

Q: How do you segment a mesh?

A: You can’t.

Legacy IoT devices, Industrial Control Systems with custom networking, are exceptionally difficult to secure. Typically, these devices contain only enough compute capabilities to support their primary operational function. They have limited memory, low power, constrained CPU resources, and very little network bandwidth. They do not authenticate incoming messages, authorize users, log network traffic, support on-line updates, or use the OSI protocol stack. Many use entirely proprietary, vendor-specific, bit- or byte-oriented protocols.

Starting in the 1990s, IoT 1.0 hybrid networked ICS devices standardized on Telnet, FTP, OPC (OLE [Microsoft’s Object Linking and Embedding] for Process Control), ODBC (Microsoft’s Open Database Connectivity), and DCOM (Microsoft’s Distributed Component Object Model). ICS vendors chose these standards based on Microsoft’s apparent market leadership in distributed software architecture, without any detailed analysis of the security risks they might bring to ungoverned networks. By the late 2000s, IT organizations abandoned them as fatally vulnerable. ICS devices typically have in-service lifetimes of 15 to 30 years or more. Many hybrid devices using these weak protocols remain in service today, unshielded, and will through the 2020s. Applying conventional network security poses numerous problems, including the challenge described in Figure 1, below. (Hint: not counting the Internet, this network has 16 unprotected access points, assuming the three cellphones have only one network service active. Most smartphones have four or five.)

Figure 1: Mesh Network. Where do you put the firewall?

For a deeper discussion of traditional and legacy IoT, consider this article: <>

Today’s IT devices are disposable assets. They have such short in-service lives that they cannot be depreciated under FASB. That’s why there is no market for improving the security of legacy IT tools and products. By the time a post-sales security solution could become generally available, the target product is obsolete. I like my Nexus 6 phone, but it stopped receiving updates in Oct 2016. It is unsafe. There is no infosec aftermarket.

IoT 2.0 devices incorporate networks conforming to the OSI reference model. The current generation of IoT uses the full OSI stack, and contains ample processing power, memory, and network capacity. These devices can support the full suite of conventional cybersecurity measures any networked IT device might use. However, the team implementing these measures must be wary of potentially compromising responsiveness, safety, or availability. Some vendors have designed capabilities to handle information security without harming IoT design requirements. But the users of these technologies must design, integrate, and validate IoT design goals with information security requirements.

Here is what you can do:

  1. Isolate the network. Do not connect ICS and older IoT (0.9, 1.0) devices to the corporate backbone. See <> for a discussion of the generations of IoT devices.
  2. Lock down configurations. Prohibit automatic updates, upgrades, and installations.
  3. Check for atypical device utilization, power consumption, and network traffic.
  4. Deploy out-of-band analysis and logging tools. Gather and analyze network traffic, alerting on anomalous traffic.
  5. Scan traffic exiting the network for C&C communications, data exfiltration, or DDoS attack traffic.
  6. Integrate with SIEM. Consolidate reporting on a single pane of glass.
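Steps 1, 4 and 5 above rely on one property of an isolated ICS segment: its traffic is extremely static, so a short learning period yields a usable baseline and almost any deviation is worth an alert. The script below is an added example, not code from the original post or from Trend Micro. It assumes flow records collected out-of-band (for instance from a SPAN port) in a plain CSV form of src,dst,dst_port,proto,bytes; the segment address range, device roles, flows and the volume threshold are all constructed for illustration. It flags three things: any flow that leaves the isolated segment (and names the legacy cleartext protocol if one of the post's examples, FTP, Telnet or DCOM, is involved), any peer/port pair never seen during the learning period, and any known pair whose volume jumps well past its baseline.

```python
"""Baseline-and-alert check for an isolated ICS/IoT segment.

Added example; it is not code from the original post or from Trend Micro.
Flow records are assumed to come from an out-of-band collector as CSV lines
of src,dst,dst_port,proto,bytes. Addresses, device roles and thresholds are
constructed for illustration.
"""
from collections import Counter, defaultdict
import ipaddress

# Assumption: the ICS segment that step 1 says must stay off the corporate backbone.
SEGMENT = ipaddress.ip_network("10.10.0.0/24")

# Legacy cleartext protocols named in the post and their well-known ports;
# seeing them cross the segment boundary deserves its own callout.
LEGACY_PORTS = {21: "FTP", 23: "Telnet", 135: "DCOM (RPC endpoint mapper)"}

# Flag a known peer/port pair if its byte count exceeds this multiple of the
# largest value seen during the learning period (constructed threshold).
VOLUME_FACTOR = 5

# Constructed learning-period flows: a static ICS segment talks to few peers.
BASELINE_FLOWS = """
10.10.0.21,10.10.0.5,502,tcp,1200     # PLC-01 -> HMI (Modbus/TCP)
10.10.0.21,10.10.0.5,502,tcp,1400
10.10.0.22,10.10.0.5,502,tcp,1100     # PLC-02 -> HMI
10.10.0.5,10.10.0.50,44818,tcp,3000   # HMI -> historian (EtherNet/IP)
"""

# Constructed flows from a later window, with a few deliberate anomalies.
OBSERVED_FLOWS = """
10.10.0.21,10.10.0.5,502,tcp,1300
10.10.0.22,10.10.0.5,502,tcp,1150
10.10.0.5,10.10.0.50,44818,tcp,2900
10.10.0.21,10.10.0.5,502,tcp,9000     # same peer, over 6x the learned volume
10.10.0.22,10.10.0.50,23,tcp,400      # PLC-02 never spoke to the historian, and over Telnet
10.10.0.21,203.0.113.7,443,tcp,52000  # PLC-01 reaching outside the segment
10.10.0.50,198.51.100.9,21,tcp,800    # historian pushing data out over FTP
"""


def parse_flows(text):
    """Turn CSV text into (src, dst, port, proto, bytes) tuples, ignoring comments."""
    flows = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, port, proto, nbytes = (f.strip() for f in line.split(","))
        flows.append((src, dst, int(port), proto, int(nbytes)))
    return flows


def build_baseline(flows):
    """Record the largest byte count seen for every (src, dst, port, proto) pair."""
    baseline = defaultdict(int)
    for src, dst, port, proto, nbytes in flows:
        key = (src, dst, port, proto)
        baseline[key] = max(baseline[key], nbytes)
    return dict(baseline)


def analyze(flows, baseline):
    """Return alerts for egress, unseen peer/port pairs, and volume spikes."""
    alerts = []
    for src, dst, port, proto, nbytes in flows:
        key = (src, dst, port, proto)
        legacy = f" over {LEGACY_PORTS[port]}" if port in LEGACY_PORTS else ""
        if ipaddress.ip_address(dst) not in SEGMENT:
            kind, detail = "egress", "flow leaves the isolated segment" + legacy
        elif key not in baseline:
            kind, detail = "new_peer", "peer/port pair not seen in baseline" + legacy
        elif nbytes > VOLUME_FACTOR * baseline[key]:
            kind, detail = "volume", f"{nbytes} bytes vs baseline max {baseline[key]}"
        else:
            continue
        alerts.append({"kind": kind, "src": src, "dst": dst, "port": port,
                       "bytes": nbytes, "detail": detail})
    return alerts


def summarize(alerts):
    """Count alerts by kind, the figure a SIEM dashboard would surface."""
    return Counter(a["kind"] for a in alerts)


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    found = analyze(parse_flows(OBSERVED_FLOWS), base)
    for a in found:
        print(f"[{a['kind']}] {a['src']} -> {a['dst']}:{a['port']} {a['detail']}")
    print(dict(summarize(found)))
```

Run as-is, the observed window produces four alerts: two egress flows (one of them over FTP), one never-seen Telnet pair inside the segment, and one volume spike on an otherwise normal Modbus conversation. The baseline is deliberately a plain maximum per pair rather than a statistical model: on a segment where devices are expected to talk to a fixed set of peers for decades, a new pair is the signal, and the simpler the rule the easier it is to explain when it pages someone at 3 a.m. Feed the summary counts, not the raw flows, to the SIEM from step 6.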

Let me know what you think! Post your comments below, or follow me on Twitter: @WilliamMalikTM.