Ronen Shpirer, Director of 5G Solutions Marketing at our partner Fortinet has contributed this text. If you haven’t already, please read our blog post about Cellular IoT Security threats first.
Hyperscale Cellular IoT – White Paper
This is an excerpt from our white paper Hyperscale Cellular IoT. The full white paper is available here if you like what you read. Don’t hesitate to contact us if you have any questions.
You cannot overestimate the importance of a secure IoT solution. Security is often considered the factor most likely to inhibit both the development of IoT services and their adoption.
The potential impact of a successful cyberattack on an IoT ecosystem may cause failure in critical services and industries and even physical danger to individuals and the environment. It is, therefore, crucial that IoT solution providers show a commitment to providing a service that is secure by design.
IoT solutions encompass many layers, including the devices themselves, but also on-premises gateways, access networks, service platforms, application servers, and internet access gateways. Attacks come in many forms; any of these components could be a target or a steppingstone to a higher-valued target.
Security is not simply a hardened device operating system (OS) or an encrypted access link. It is a multi-layered solution that encompasses everything from the initial boot of the device to distributed denial-of-service (DDoS) protection at the network edge.
Delivering IoT Network Visibility
A significant hurdle in protecting IoT environments is having visibility of devices and traffic. This is the basis for any anomaly detection but also allows teams to verify that all is well in the network.
Visibility can be best described in two parts:
Keeping an Inventory
Enterprises must keep an inventory of the devices themselves, including vendor, device model, and firmware version. The exact information available depends on many factors and will vary from device to device.
Protocol & Application Details
Details of the protocols and applications being used by each device. This can be delivered via application control capabilities and should include support of industrial protocols for Industrial IoT (IIoT) applications.
If device data is being encrypted, in-line decryption should be, if possible, performed in order to verify the device data.
Compromised Device Detection
The goal should be to stop attacks before they can compromise the device. But where an attack gets through defenses, IoT security solutions must be able to detect signs of this and act immediately.
If attackers gain control over a device, they may cause severe damage, including:
Disabling the device: This may be considered a simple denial-of-service (DoS) or could also be more sinister if, for example, a device is monitoring a critical value such as tank pressure or temperature in an industrial context. Critical applications may have other protections against such an attack, but this should never be assumed.
Destroying the device: Some attacks have shown that sometimes, a cyberattack could permanently destroy a device. A simple example could be to trigger excessive battery usage, to the point of exhaustion, in a device whose battery is designed to last the device’s lifetime.
Use the device to launch attacks: Attackers may use a device as a launch point, having potential access to other devices and to the IoT platform and other internal resources.
Recruit the device into a botnet: The 2016 Mirai attack showed the effectiveness of IoT botnets. Up to 2 million IoT devices (mainly cameras and DVRs) were used to stage the largest ever recorded DDoS attack.
The consequences of compromised devices will vary. Compare water pump versus heart pump or streetlight versus traffic light. However, the pure volume of IoT devices will make attacks on non-life-critical devices very severe.
Next-Gen Firewall Protection
Next-generation firewalls must protect IoT traffic. Here we will give some examples of the role of a firewall showcased by FortiGate, Fortinet’s next-gen firewall, which is included in the Enea Aptilo IoT Connectivity Control Service™ (IoT CCS).
Traffic Filtering and Stateful Firewalling
In a typical IT environment, traffic to unauthorized destinations may be common because of many reasons, and such communications are normally simply dropped. But in IoT and other machine-to-machine networks, such communications are usually a sign of misconfiguration or of compromised devices. For this reason, specific negative rules should be configured in a firewall with appropriate action to ensure that it generates an alert or it trigger automatic remediation.
Intrusion Prevention
Next-generation firewalls such as Fortinet’s FortiGate also feature intrusion prevention capabilities designed to detect and block a wide range of different IoT attacks. This includes protection against the aforementioned scanning attacks, exploits, fuzzing attacks, and more.
The FortiGate intrusion prevention system (IPS) function, which contains over 30,000 rules, including an optional industrial package. Rule packages are updated daily to ensure that protection is up to date.
Application & Protocol Control
Application Control can monitor or limit the protocols that the IoT device can use. Any unauthorized protocols can generate an alert and optionally be blocked. With FortiGate, application definitions include over 4,000 application rules in 24 categories. FortiGate covers all commonly used IoT protocols such as MQTT, AMQP, HTTP, and CoAP, and as for IPS, it can use TLS inspection with an appropriate configuration. A wide range of industrial protocols is also available for Industrial Internet-of-Things (IIoT) solutions.
Antivirus
Antivirus is important today mainly for the IoT infrastructure, such as the platform or web servers. But researchers expect that malware attacking the devices themselves—such as with the Mirai IoT malware, perhaps the most famous current example, will become more prevalent in the years to come.
FortiGuard Labs has almost 20 years of experience defending against malware of all types, and although device-targeted malware is rare today, the needed research is already underway to ensure that protection of the highest quality will be ready
Anti-botnet
Any botnet activity, whether detected by destination address, domain, or protocol, can generate an alert and be blocked. Furthermore, connections to other known bad destinations, as detected by the FortiGuard Indicators of Compromise Service, can generate a compromised alert. FortiGuard Labs maintains an updated list of known botnet destination address/port combinations that are checked against all outgoing sessions.
Botnets using fast-flux domains (in which a domain continually changes its IP address mapping) can be checked against the domain itself by intercepting and checking the Domain Name System (DNS) request. Finally, even if the destination address and domain are unknown, many botnets can be detected by their command-and-control protocol. By using these three methods in parallel, Fortinet ensures the best chance of detecting botnet-infected devices.
Automation and Quarantine
Fortinet has a comprehensive automation framework that allows a wide range of triggers to be linked to actions such as alerting, removing rogue devices from the network, or making API calls to other devices.
For example, any of the above detections can cause a device to be quarantined and blocked from further communications until the cause is established and remedial action is taken.
Virtual Private Networks (VPN)
Policy-based control to send selected IoT traffic, such as software updates and analytics data, through VPNs.
