HouseCall for Home Networks
Noticed any strange devices connected to your Wi-Fi?
Scan connected devices in your home network for security risks
Scan connected devices for security risksLearn more
Targeted attacks are veiled, silent, and sometimes completely invisible, which makes them difficult to prepare for or defend against. And now the threat of “invisible attacks” will increase as smart and connected devices get more prevalent in the market. This column discusses the threat of targeted attacks in the IoT era and its countermeasures, learned from the attack on NASA published last month.NASA hacked: Security risks in the IoT era
According to a report issued by the NASA Inspector General on June 18, 2019, a hacker infiltrated the Jet Propulsion Laboratory (JPL) network in April 2018, stealing confidential data related to the Mars project. They have positioned this attack as a targeted attack and announced that it was under investigation.
The cyberattack on NASA is considered a textbook targeted attack case that takes advantage of risks unique to the IoT era. The features of this case include the following:
A Raspberry Pi was used as an entry point in this case, but any device connected to the internet can be used as a possible entry point. The total number of IoT devices in the world is expected to exceed 40 billion by 2020 — providing attackers with more possible entry points and organizations with more potential devices to secure. That is one of the IoT era's biggest security risks.
In addition, companies must continue to protect their devices. In other words, it is necessary to properly operate and maintain a system consisting of an increasing amount of devices. NASA's report also pointed out that operations managers ran systems with vulnerabilities for about half a year, which facilitated the intrusion.
The problem doesn't end with one device, as the damage can spread from the device to the entire system. Unlike consumer devices, IoT devices deployed in enterprises are connected to various IT systems via networks managed by organizations, and these systems store valuable information such as customer information and sales data. The figure below shows the entire enterprise system divided into four functional layers:
Figure 1. The four layers of the IoT architecture
These four layers work together in the IoT system, and all efforts to protect the entire IoT system is called IoT security. This architecture also shows that IoT security is not just a problem for the Corporate IT division but also for the line of business (LOB).
IoT devices are explosively increasing. Some devices might be invisible to the administrator. The device layer is just the starting point, and the damage could spread to the upper layers. The NASA example shows the risks involved in increasing the number of entry points, the need for system visualization, and the importance of systems that can protect the entire system.Systems Thinking
The idea of IoT security is similar to systems thinking. Systems thinking is an approach to analysis advocated by Peter Senge, a professor of Massachusetts Institute of Technology Salone's Graduate School of Business, in his book “The Fifth Discipline.” The approach focuses on the relationship and interactions between elements related to the event to solve more fundamental problems.
As mentioned earlier, IoT Security is security for the entire IoT system. When it comes to IoT security, we typically focus on securing IoT devices, but it is much more effective to optimize the entire system. Trend Micro's IoT Security Solutions page provides an overview, as well as solutions, for each layer.
In the IoT era where the potential entry points continually increase, the Zero Trust approach would be the best choice for administrators. Each IoT system is never going to be the same, but all enterprise IoT systems have a multi-tier architecture. The defense-in-depth approach is also effective as a countermeasure against targeted attacks.