Comments by: Boris Cipot, Senior Security Engineer, at Synopsys Software Integrity Group
For many of us, IoT still feels like the technology of the future. However, we have in fact already adopted this technology, knowingly or unknowingly, and we are using it in our everyday lives. Heating regulators, cameras, doorbells, television sets, radios, watches, headphones, cars… All of these devices are now interconnected and often connected directly to the internet. Although this direct connection to the internet delivers a multitude of benefits, it also poses a constant threat as devices become increasingly accessible to bad actors. It is critical that steps are taken to mitigate the risks and to avoid direct exposure, including limiting network availability or segmenting the network. Equally important is the need to patch devices if security flaws such as BadAlloc are found.
IoT devices run on software that will likely have security vulnerabilities. This is a fact, and therefore, you need to develop a patch strategy. Firstly, you need to know what kind of hardware and software you are using. Plugins and extensions fall into this category too. Then, you need to follow the vendors or open source communities that take care of the software you are using in order to know when the software needs to be patched or upgraded. If you have the devices directly connected to the internet, then you might benefit from automatic updates. Nevertheless, it is important to be aware that not all of the devices have an OTA update feature and in many security-aware locations, they are not permitted. Even if devices are behind a firewall or even in a separate network, make sure that you schedule update windows for those devices and follow through with them.
Comments by: Oded Vanunu, Head of Product Vulnerability Research, at Check Point Software Technologies
IoT/OT systems are considered “easy” gates for malicious actors since these devices usually get less security attention and fewer security software updates, and they have access to public networks. Potentially all vulnerabilities reported by Microsoft can allow running remote code on the devices and taking full control of the device, which can assist with continuing the attack into the corporate networks or home networks.
CISA’s recommendations are the correct way to reduce the risk:
- Apply available vendor updates.
- Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognising VPNs may have vulnerabilities and should be updated to the most current version available. Also, remember that VPN is only as secure as its connected devices.
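The second and third CISA recommendations above (no Internet reachability for control-system devices, and isolation from the business network) are things a defender can check mechanically against a firewall policy rather than by inspection alone. The following is an added example, not code from the article or from CISA, Check Point or Synopsys: a small first-match policy reviewer that flags any allow rule reaching a control-system subnet from a non-private (Internet-routable) source or from a business subnet. The rule format, the sample rules and the subnet addresses are all constructed for the example; the RFC 1918 ranges are the standard private blocks.

```python
"""Review a constructed first-match firewall policy for control-system exposure (example code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 private ranges; a source outside these is treated as Internet-routable.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny" (hypothetical simplified rule format)
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination port, None means any port


def covered_by_earlier_deny(rules: List[Rule], idx: int) -> bool:
    """True if a deny rule placed before rules[idx] matches every packet rules[idx] would allow.

    Under first-match evaluation such an allow rule is dead and does not expose anything.
    """
    allow = rules[idx]
    a_src, a_dst = ipaddress.ip_network(allow.src), ipaddress.ip_network(allow.dst)
    for earlier in rules[:idx]:
        if earlier.action != "deny":
            continue
        d_src, d_dst = ipaddress.ip_network(earlier.src), ipaddress.ip_network(earlier.dst)
        if (a_src.subnet_of(d_src) and a_dst.subnet_of(d_dst)
                and (earlier.port is None or earlier.port == allow.port)):
            return True
    return False


def find_exposures(rules: List[Rule], control_nets: List[str],
                   business_nets: List[str]) -> List[Tuple[str, int]]:
    """Return (finding_kind, rule_index) for every live allow rule that reaches a control net.

    "internet-exposed": the source range is not private, so the device is reachable from the Internet.
    "business-reachable": the source overlaps a business subnet, so OT is not isolated from IT.
    """
    control = [ipaddress.ip_network(n) for n in control_nets]
    business = [ipaddress.ip_network(n) for n in business_nets]
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
        if not any(dst.overlaps(c) for c in control):
            continue                      # rule does not touch a control-system subnet
        if covered_by_earlier_deny(rules, idx):
            continue                      # first-match: an earlier deny already wins
        if not any(src.subnet_of(p) for p in PRIVATE):
            findings.append(("internet-exposed", idx))
        elif any(src.overlaps(b) for b in business):
            findings.append(("business-reachable", idx))
    return findings


# Constructed sample policy: 10.20.0.0/16 is the control-system network,
# 192.168.1.0/24 and 10.99.0.0/16 are business networks.
SAMPLE_RULES = [
    Rule("deny",  "10.99.0.0/16",   "10.20.0.0/16", None),   # block business -> OT up front
    Rule("allow", "10.99.0.0/16",   "10.20.0.0/16", 22),     # shadowed by the deny above
    Rule("allow", "0.0.0.0/0",      "10.20.0.0/16", 443),    # OT web UI open to the Internet
    Rule("allow", "192.168.1.0/24", "10.20.0.5/32", 502),    # business LAN -> one PLC
    Rule("allow", "10.20.0.0/16",   "10.20.0.0/16", None),   # intra-OT traffic, acceptable
]
CONTROL_NETS = ["10.20.0.0/16"]
BUSINESS_NETS = ["192.168.1.0/24", "10.99.0.0/16"]

if __name__ == "__main__":
    for kind, idx in find_exposures(SAMPLE_RULES, CONTROL_NETS, BUSINESS_NETS):
        print(f"{kind}: rule {idx} -> {SAMPLE_RULES[idx]}")
```

Run as a script, it reports rule 2 as Internet-exposed and rule 3 as reachable from the business network, while the shadowed rule 1 and the intra-OT rule 4 produce nothing. The reviewer only models first-match semantics with a single source/destination/port per rule; a real policy with zones, NAT or stateful return traffic needs the exporter for that firewall, but the exposure questions it answers are exactly the ones the CISA list asks.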