Protecting IoT networks from privilege abuse by criminals and malicious insiders

By Darron Antill, CEO, Device Authority.


As the Internet of Things (IoT) grows to an estimated 55.7 billion devices next year, according to IDC, the range and extent of cyber threats have grown correspondingly. IoT environments now represent an expanding and poorly secured attack surface. Many rely on legacy operational technology (OT) and devices that lack strong defences, which together present high levels of vulnerability. 

Many devices have no management at all. A study by network security firm Byos found 73% of OT devices are completely unmanaged, which is a critical weakness in industrial systems. Devices frequently have default passwords that attackers can easily break. 

Encryption of transmitted data may also be absent, exposing it to interception or tampering. Many manufacturers fail to provide timely security updates to their devices in the field, leaving them vulnerable to the latest threats. Visibility is another problem as established IoT networks grow and change over a period of years. As complexity develops, successive admins can easily lose track of the security status of devices.

This is exactly what a threat actor like Water Barghest is looking for. Using automation it identified and compromised 20,000 devices in minutes, turning them into residential proxies it offers for sale to other cyber criminals. It created a botnet featuring devices from some of the best-known device manufacturers which were infected with Ngioweb malware.

Addressing these challenges requires a comprehensive overhaul of device security by extending the principles of privileged access management (PAM) used in IT systems into IoT environments, creating a unified approach. In IT systems, PAM enables organisations to manage and secure privileged accounts, ensuring only those with the appropriate credentials have access to perform critical functions within the infrastructure. The same approach must be extended to IoT networks. 

The steps towards strengthening IoT access management

While PAM offers a framework for the management of secure privileged accounts across IoT ecosystems, there are particular challenges because many devices lack the capacity for manual credential rotation. This is why automation is essential, ensuring rotation of passwords and their deletion when no longer legitimately required. 

It is vital that security integrates automated identity authentication of each device. With more advanced platforms, IoT device certificates can now be securely generated, signed and managed through policy-driven automation. 
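The policy-driven certificate issuance described above, as an added example that is not code from the original article or from Device Authority's platform. It uses only Go's standard library: an in-memory issuing CA signs a client-authentication certificate for a device public key, refuses any request whose lifetime exceeds the policy maximum, and a gateway-side check verifies the chain and validity at connection time. The `IssuancePolicy` type, the `DeviceCA` type and the device identifier `sensor-0042` are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuancePolicy is the rule set the automated signer enforces before it signs.
// Constructed for this example; it is not a real product's policy format.
type IssuancePolicy struct {
	MaxLifetime time.Duration // requests for longer-lived certificates are refused
	Org         string        // organisation stamped into every device subject
}

// DeviceCA is an in-memory issuing CA: a self-signed CA certificate and its key.
type DeviceCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewDeviceKey generates the P-256 key a device would hold (ideally in hardware).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewDeviceCA creates a self-signed CA certificate valid for five years from now.
func NewDeviceCA(now time.Time) (*DeviceCA, error) {
	key, err := NewDeviceKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-device-ca"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DeviceCA{Cert: cert, key: key}, nil
}

// IssueDeviceCert signs a client-auth certificate for a device public key,
// refusing any request whose lifetime is outside policy.
func (ca *DeviceCA) IssueDeviceCert(deviceID string, pub *ecdsa.PublicKey, lifetime time.Duration, pol IssuancePolicy, now time.Time) (*x509.Certificate, error) {
	if lifetime <= 0 || lifetime > pol.MaxLifetime {
		return nil, fmt.Errorf("policy: lifetime %v outside (0, %v]", lifetime, pol.MaxLifetime)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID, Organization: []string{pol.Org}},
		NotBefore:    now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDeviceCert is what a gateway or broker runs when a device connects:
// chain to the CA, validity at time `at`, and client-auth usage.
func (ca *DeviceCA) VerifyDeviceCert(c *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := c.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	ca, _ := NewDeviceCA(now)
	key, _ := NewDeviceKey()
	pol := IssuancePolicy{MaxLifetime: 72 * time.Hour, Org: "Example Utility"}
	cert, _ := ca.IssueDeviceCert("sensor-0042", &key.PublicKey, 24*time.Hour, pol, now)
	fmt.Println(cert.Subject.CommonName, ca.VerifyDeviceCert(cert, now), ca.VerifyDeviceCert(cert, now.Add(48*time.Hour)))
}
```

Short lifetimes are the point of automating issuance: with a 24-hour certificate, a device that is retired or compromised drops out of the trust domain on its own once renewal stops, without relying on revocation lists reaching every gateway.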

The benefits of integrating PAM across IT and OT are in streamlined processes for device and credential management, as well as a significant elevation of control and oversight. Malicious insiders, for example, are always threats that are easy to overlook amid the justifiable attention given to ransomware and nation-state-affiliated groups. An integrated platform will provide effective real-time oversight using behavioural analytics, which is more likely to flag up suspicious activity by malicious individuals with inside knowledge.

Implementation of PAM across IoT

PAM implementations in IoT networks should follow what have become best practice guidelines. This begins with an audit of all access privileges and accounts associated with IoT devices. It is common for privileged accounts to outnumber employees by a factor of three or four, which complicates management. 

Automated password generation and rotation is essential so that organisations can increase device security without heaping greater workloads on their IT teams. Passwords need to be updated regularly and stored securely.  

User activities need to be tracked in real time and audited, which is important for fast responses when incidents occur and for any subsequent forensics investigations. This is also extremely useful for compliance with GDPR and other standards such as NIST and HIPAA in the US. Detailed logs make it far easier to supply the necessary information to regulators in the event of an attempted breach. 

The next step is to enforce consistency. Rigour is required to enforce the principle of least privileged access. Organisations should adopt role-based access control methodologies to assign different levels of access based on responsibilities. Temporary access privileges can be granted for specific purposes but should be revoked immediately after a task is completed.

Among best practices is the use of multi-factor authentication (MFA) to strengthen the protection for all accounts by requiring multiple forms of verification. As PAM evolves, technologies such as biometric authentication and OTP tokens (which dispense with passwords) are becoming part of the overall approach. 
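The implementation steps above (the credential audit, automated rotation, real-time audit logging, role-based least privilege, time-boxed temporary access and MFA for privileged actions), together with the rotation-and-deletion requirement from the earlier section, as one added example. This is not code from the original article or from Device Authority's platform; it is an in-memory stand-in for a PAM service written in Go's standard library. The permission names, roles, device identifiers and user names are constructed, and a real vault would encrypt secrets at rest and push rotated passwords to the devices rather than hold them in a map.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// Permission names and roles are constructed for this example.
type Permission string

const (
	PermReadTelemetry Permission = "telemetry:read"
	PermFirmwareWrite Permission = "firmware:write"
)

// rolePermissions is the role-based baseline: the least privilege each role needs.
var rolePermissions = map[string][]Permission{
	"operator":   {PermReadTelemetry},
	"maintainer": {PermReadTelemetry, PermFirmwareWrite},
}

// DeviceCredential is a vaulted device password plus its rotation timestamp.
type DeviceCredential struct {
	Secret    string
	RotatedAt time.Time
}

// TempGrant is a time-boxed elevation for one user on one device.
type TempGrant struct {
	User, DeviceID string
	Perm           Permission
	ExpiresAt      time.Time
}

// PAM is the in-memory stand-in: credential vault, temporary grants,
// rotation policy (MaxAge) and an append-only audit log.
type PAM struct {
	Vault  map[string]DeviceCredential
	Grants []*TempGrant
	Audit  []string
	MaxAge time.Duration
}

func NewPAM(maxAge time.Duration) *PAM {
	return &PAM{Vault: map[string]DeviceCredential{}, MaxAge: maxAge}
}

// record appends a timestamped line to the audit log; every action below goes through it.
func (p *PAM) record(now time.Time, format string, args ...any) {
	p.Audit = append(p.Audit, now.UTC().Format(time.RFC3339)+" "+fmt.Sprintf(format, args...))
}

// RotateCredential replaces a device password with 192 bits of fresh randomness.
func (p *PAM) RotateCredential(deviceID string, now time.Time) (string, error) {
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	secret := base64.RawURLEncoding.EncodeToString(buf)
	p.Vault[deviceID] = DeviceCredential{Secret: secret, RotatedAt: now}
	p.record(now, "rotated credential for %s", deviceID)
	return secret, nil
}

// StaleCredentials is the audit step: devices never rotated (absent from the vault,
// so still on a default or unknown password) or rotated longer ago than MaxAge.
func (p *PAM) StaleCredentials(deviceIDs []string, now time.Time) []string {
	var stale []string
	for _, id := range deviceIDs {
		if c, ok := p.Vault[id]; !ok || now.Sub(c.RotatedAt) > p.MaxAge {
			stale = append(stale, id)
		}
	}
	return stale
}

// GrantTemporary elevates one user on one device until the TTL runs out.
func (p *PAM) GrantTemporary(user, deviceID string, perm Permission, now time.Time, ttl time.Duration) *TempGrant {
	g := &TempGrant{User: user, DeviceID: deviceID, Perm: perm, ExpiresAt: now.Add(ttl)}
	p.Grants = append(p.Grants, g)
	p.record(now, "granted %s on %s to %s until %s", perm, deviceID, user, g.ExpiresAt.UTC().Format(time.RFC3339))
	return g
}

// Revoke ends a grant as soon as the task is done, ahead of its natural expiry.
func (p *PAM) Revoke(g *TempGrant, now time.Time) {
	g.ExpiresAt = now
	p.record(now, "revoked %s on %s from %s", g.Perm, g.DeviceID, g.User)
}

// Authorize applies least privilege (role baseline plus live temporary grants)
// and requires a verified second factor for any write. Every decision is logged.
func (p *PAM) Authorize(user, role string, mfa bool, deviceID string, perm Permission, now time.Time) bool {
	allowed := false
	for _, rp := range rolePermissions[role] {
		allowed = allowed || rp == perm
	}
	for _, g := range p.Grants {
		allowed = allowed || (g.User == user && g.DeviceID == deviceID && g.Perm == perm && now.Before(g.ExpiresAt))
	}
	if perm != PermReadTelemetry && !mfa { // writes always need MFA, whatever the role
		allowed = false
	}
	p.record(now, "authorize user=%s perm=%s device=%s mfa=%t allowed=%t", user, perm, deviceID, mfa, allowed)
	return allowed
}

func main() {
	p := NewPAM(30 * 24 * time.Hour)
	now := time.Now()
	p.RotateCredential("plc-01", now)
	fmt.Println("stale:", p.StaleCredentials([]string{"plc-01", "cam-07"}, now))
	g := p.GrantTemporary("alice", "plc-01", PermFirmwareWrite, now, time.Hour)
	fmt.Println("write with grant+MFA:", p.Authorize("alice", "operator", true, "plc-01", PermFirmwareWrite, now))
	p.Revoke(g, now)
	fmt.Println("write after revoke:", p.Authorize("alice", "operator", true, "plc-01", PermFirmwareWrite, now))
	for _, line := range p.Audit {
		fmt.Println(line)
	}
}
```

The audit log is what makes the rest auditable: a grant, its use and its revocation appear as three consecutive lines for the same user and device, which is exactly the sequence an incident responder or a regulator would ask for.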

The many benefits of PAM in IoT 

The benefits of PAM are in reduction of risk from credential theft – reducing the likelihood of unauthorised access and the creation of botnets or lateral movement from IoT into sensitive IT systems and data. 

The simplification of compliance through automated maintenance of detailed audits enables organisations to meet their legal obligations and avoid penalties – especially beneficial in areas such as healthcare. For hard-pressed IT or security teams, the unified approach to PAM and implementation of automated credential-management and session-monitoring means they are not spending large amounts of time on manual oversight and administration. For their organisations this reduces errors. 

With machine identities outnumbering human equivalents by a factor of 45:1, the scale and complexity of IoT demands its protection is fully integrated with IT, using the principles of zero trust and least privileged access in an automated, unified approach. Continuous assurance, threat validation and lifecycle management should be integrated with PAM, alongside policy-driven data encryption and continuous, automated monitoring. 

This is the comprehensive approach that will ensure best possible protection for the mushrooming IoT networks on which so many industries, utilities and public services depend.
