10 Tips to Ensure your Privileged Accounts for IoT are Protected and Secured

By Joseph Carson

Welcome to the world of IoT (Internet of Things) as more and more devices get connected online, with approximately 9 billion devices today. Every day billions of employees power up their devices and connect to the internet to plug into their everyday world – check the news, receive and respond to emails, chat with colleagues, pay invoices, work, shop, listen to music, stream the news, and the list goes on and on.

The connected world has become a reality in business. In the past few years, we have seen every new technology being introduced connected to the internet, collecting vast amounts of data, and sending it across the world to be analyzed. This includes health devices, car engines, power stations, wind turbines, transportation and supply chain components, financial metrics, CCTV, and even children’s toys.

The Industrial Internet has smart cities coming online with sensors and data monitoring for every move we make – for example, autonomous vehicles communicating with infrastructure like traffic lights, weather conditions, and road traffic to ensure the most efficient traffic flow. We have seen everything from payment systems, medical, energy and infrastructure systems all being connected and the data being continuously analyzed to improve the services these companies provide and to stay innovative.

The challenge with IoT is that industrial companies make systems typically prioritize for a long production life cycle, so devices last 7 to 20 years. This is typical in Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Sensors, and Programmable Logic Controllers (PLCs). But, when these systems are now connected to the internet, almost every scenario shows security has been sacrificed, because they are purposefully built to rarely need updates, and because their internet-connected security is usually only considered at the end of design, if at all.

Many of IoT systems and devices being introduced today:

  • Run legacy operating systems, in some cases Windows 7 and even Windows XP
  • Have firmware with hard coded passwords
  • Use web Interfaces running over HTTP
  • Have security controls with very basic and simple PIN numbers, and no authentication integration
  • Have no encryption of data at rest or in transit

These choices might have of been fine in a completely air-gapped system, where the perimeter could be controlled and tightened. However, with today’s cloud, mobile, and connectivity, protecting devices with these kinds of basic security vulnerabilities is an impossible task and these systems are being actively exposed to the public internet.

The lack of security by design means that the risks and threats against IoT devices and systems are high, and all companies considering deploying IoT should carefully consider the increased risks against the benefits.

Real world examples of cyber-attacks against IoT in the past few years include:

  • Texas Tornado Alarms being set off, causing panic across the city.
  • A German Steel mill blast furnace being damaged.
  • Ukraine Power Grid being taken off-line and impacting 86,000 homes.
  • Hospital devices hit with Ransomware, causing state of emergencies to be declared because the hospitals were unable to continue critical services.
  • IoT devices being turned into a BOT, and then being controlled and used to participate in a DDOS (Distributed Denial of Service) attack like the one that has targeted Dyn, bringing popular websites like Netflix, Twitter, Amazon, AirBnb, CNN and the New York Times to their knees and offline.

Several things in common with all these devices are that they collect data, they communicate across the internet, and in most scenarios, they have credentials and passwords to protect their configuration or to communicate across networks.

How to Protect Today’s IoT Devices?

One of the most important tasks when deploying IoT and Smart devices is to ensure the default credentials and passwords are correctly configured, manage the privileged accounts to protect these devices, and ensure only authorized access is permitted. Using an Enterprise Privileged Account Management solution can ensure privileged accounts are discovered, protected, and controlled. Automation for managing each device’s privileged accounts is important to prevent these devices from being compromised, used to gain access to the broader network, or used to attack another target.

Protect Smart Cities and IoT by using Privileged Account Management and ensuring controlled access, auditing, monitoring, and continuous security of these devices.

10 Tips to Ensure your Privileged Accounts for IoT are Protected and Secured:

  1. Perform an extensive audit to identify who has access to IT admin credentials – access should only be given to people and applications necessary.
  2. Keep credentials up-to-date, set up alerts when an admin changes a password.
  3. Continuously audit privileged account access & remove access when people change roles or devices are deprovisioned.
  4. Keep credentials hidden.
  5. Enable 3rd party access securely.
  6. Enforce random and long privilege passwords, change passwords regularly, and enforce one-time-passwords and Checkout.
  7. Record and monitor privileged account SESSIONS.
  8. Monitor for unusual behavior with privileged behavior analytics and usage trends.
  9. Ease of integration – use a password vault for application passwords, do not hardcode passwords into devices.
  10. Remove and deprovision unused privileged accounts.

Want to learn more? Download the free “Internet of Things: How to Secure this Growing Gateway to Cyber Exploitation” whitepaper.

Source:: Thycotic