ADDRESSING OWASP IoT VULNERABILITIES WITH SURELOG SIEM

The Internet of Things (IoT) continues to digitize more and more of the ordinary physical objects in our daily lives. Organizations that have adopted the “If you do not run, you will fall behind” mantra are already seeking financial and operational benefits from the connected machines and devices used across industries, known as the Industrial Internet of Things (IIoT).

Despite the promise of enhancing our lives, it is a sad fact that security is not a high priority for most IoT / IIoT manufacturers. Since there are no penalties to force them to comply with standards, most manufacturers simply favor time-to-market and cost cutting over security. Like all systems that generate, process, or exchange critical information, IoT and IIoT systems are easy targets for cyber criminals.

Organizations such as OWASP, NIST, and ENISA provide security best practices for IoT usage and adoption. However, industry-wide accepted IoT security standards are yet to be developed. Given these shortcomings, organizations and consumers should pay extra attention to IoT / IIoT security best practices.

We will provide a practical approach to addressing the OWASP IoT Top 10 vulnerabilities with a next-generation SIEM solution, the ANET SureLog SIEM platform.

The heterogeneous nature of IoT systems, with their diverse protocols and the sheer volume of data in unusual formats, makes integrating a SIEM solution into the IoT ecosystem quite challenging. To do this successfully, the people, process, and technology aspects of IoT should be planned and executed carefully. At a minimum, we need these three magical ingredients:

  1. People – Your organization has staff who know your IoT ecosystem, including all of its components such as web, mobile, API, sensor, actuator, and cloud interfaces.
  2. Process – Your organization has written and well-communicated processes, procedures, standards, and policies around IoT, including the management of risk, assets, vulnerabilities, patches, and vendor and supplier security, with clearly defined roles and responsibilities.
  3. Technology – Your organization has adequate cyber security technologies with identify, protect, detect, respond, and recover capabilities, including a next-generation SIEM platform such as SureLog that leverages enhanced correlation rules with machine learning capabilities.

With careful planning and harmonious cooperation of these three ingredients, a great deal of value can be realized from this integration to reduce the attack surface introduced by IoT / IIoT systems. Even if your organization does not have these three magical ingredients today, you still have the option of leveraging Managed Detection and Response (MDR) capabilities together with security process and team enhancement services from a reputable consultancy (spoiler alert: I highly recommend Cyber Electra for this engagement). Let’s look at some real-life best practices for addressing the OWASP IoT Top 10 security vulnerabilities.

OWASP IoT #1 – Weak, guessable, or hardcoded credentials that can be compromised via brute force

People: Prepare an inventory of IoT devices and change default passwords upon acquisition.

Process: Access management standards for IoT are in place.

Technology: SureLog authentication-exception correlation rulesets are in place, monitoring brute force attempts, access date and time violations, access location anomalies, access methods used, command injection attacks, etc.
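The brute force and access date/time rules described above, shown as an added example that is not part of the original article and does not use SureLog's own rule language. Device names, IP addresses, the syslog-style line format, and the 07:00-19:00 UTC business-hours window are assumptions, and the log lines are constructed for the example. The correlation keeps a sliding window of failed logins per (device, source) pair, fires when the threshold is reached, and separately flags a success that arrives while the window still holds a full burst, which is the signature of a guessed credential.

```python
# Added example: brute force and access-time correlation over constructed
# syslog-style lines. Illustrative Python, not SureLog rule syntax.
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample lines (not real device output). Business hours are
# assumed to be 07:00-19:00 UTC for the access date/time rule.
SAMPLE_LOGS = """\
2024-03-01T02:10:01Z cam-01 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:10:03Z cam-01 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:10:05Z cam-01 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:10:07Z cam-01 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:10:09Z cam-01 sshd: Failed password for admin from 203.0.113.9
2024-03-01T02:10:11Z cam-01 sshd: Accepted password for admin from 203.0.113.9
2024-03-01T09:15:00Z plc-07 sshd: Accepted password for operator from 10.0.5.20
2024-03-01T11:00:00Z plc-07 sshd: Failed password for operator from 10.0.5.20
2024-03-01T12:30:00Z plc-07 sshd: Failed password for operator from 10.0.5.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(log_text, max_failures=5, window_seconds=60,
              business_hours=(time(7, 0), time(19, 0))):
    """Run three rules over the log and return (rule, device, src, user) tuples.

    brute_force: the failure count for one (device, source) pair reaches
        max_failures inside the sliding window.
    success_after_brute_force: an accepted login while the same pair still
        has max_failures or more failures in the window, i.e. a credential
        was most likely guessed.
    off_hours_login: any accepted login outside business_hours.
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    failures = defaultdict(deque)  # (device, src) -> failure timestamps
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparsed lines are skipped, not treated as logins
        key = (ev["device"], ev["src"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == max_failures:  # fire once, when the threshold is hit
                alerts.append(("brute_force", ev["device"], ev["src"], ev["user"]))
        else:
            if len(q) >= max_failures:
                alerts.append(("success_after_brute_force",
                               ev["device"], ev["src"], ev["user"]))
            t = ev["ts"].time()
            if not business_hours[0] <= t < business_hours[1]:
                alerts.append(("off_hours_login",
                               ev["device"], ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the camera produces all three alerts (five failures in eight seconds, then a success at 02:10 UTC), while the two widely spaced PLC failures never reach the threshold inside a one-minute window. Widening the window to two hours with a threshold of two failures makes the PLC fire as well, which is the trade-off to tune per device class: slow, low-rate guessing against an IIoT controller is easy to miss with a short window.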

OWASP IoT #2 – Insecure network services running on the IoT devices

People: Decide which services are absolutely necessary for the operation of the IoT system and disable unnecessary ports and services upon acquisition.

Process: Vulnerability management and configuration management standards are in place.

Technology: SureLog insecure-network detection correlation rulesets are in place. Example rules: insecure network port and protocol detection, unusual data flow monitoring, command injection detection, etc.
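The port/protocol and unusual-data-flow rules listed above, as an added example that is not part of the original article or of SureLog's rule engine. The flow records, device names, the per-device service allowlist, and the list of cleartext services are all assumptions constructed for the example. The allowlist is the output of the "People" step (decide which services are necessary), so the detection is only as good as that inventory; the volume rule builds a per-device baseline from the first few flows and flags any later flow that sits well above it, keeping flagged outliers out of the baseline so a large exfiltration does not teach the rule that large uploads are normal.

```python
# Added example: insecure service and unusual data-flow detection over
# constructed flow records. Illustrative Python, not SureLog's rule engine.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (device, dst_port, proto, bytes_out); not real data.
FLOWS = [
    ("cam-01", 443, "tcp", 12000),
    ("cam-01", 443, "tcp", 11800),
    ("cam-01", 443, "tcp", 12300),
    ("cam-01", 443, "tcp", 11900),
    ("cam-01", 23, "tcp", 300),        # telnet: cleartext management service
    ("cam-01", 443, "tcp", 950000),    # roughly 80x the usual upload volume
    ("plc-07", 502, "tcp", 4000),
    ("plc-07", 502, "tcp", 4100),
    ("plc-07", 502, "tcp", 3900),
    ("plc-07", 502, "tcp", 4050),
    ("plc-07", 8080, "tcp", 700),      # not in this device's service baseline
]

# Per-device allowlist fixed at acquisition (the "People" step above):
# the only services each device is supposed to talk to. Assumed values.
EXPECTED_SERVICES = {
    "cam-01": {(443, "tcp")},   # HTTPS to the video backend
    "plc-07": {(502, "tcp")},   # Modbus/TCP to the SCADA server
}

# Legacy/cleartext services that should not appear on the IoT segment at all.
INSECURE_SERVICES = {
    (23, "tcp"): "telnet", (21, "tcp"): "ftp",
    (80, "tcp"): "http", (69, "udp"): "tftp",
}


def detect_services(flows, expected=EXPECTED_SERVICES, insecure=INSECURE_SERVICES):
    """Rule 1: flag cleartext services, then anything outside the allowlist."""
    alerts = []
    for device, port, proto, _ in flows:
        svc = (port, proto)
        if svc in insecure:
            alerts.append(("insecure_service", device, insecure[svc]))
        elif svc not in expected.get(device, set()):
            alerts.append(("unexpected_service", device, f"{port}/{proto}"))
    return alerts


def detect_volume_anomalies(flows, min_samples=4, z_threshold=3.0):
    """Rule 2: flag a flow whose byte count is more than z_threshold standard
    deviations above the mean of the device's earlier flows. Nothing fires
    until min_samples flows have built a baseline for that device."""
    alerts = []
    history = defaultdict(list)
    for device, _port, _proto, nbytes in flows:
        seen = history[device]
        if len(seen) >= min_samples:
            mu, sigma = mean(seen), pstdev(seen)
            if sigma > 0 and (nbytes - mu) / sigma > z_threshold:
                alerts.append(("unusual_data_flow", device, nbytes))
                continue  # keep confirmed outliers out of the baseline
        seen.append(nbytes)
    return alerts


if __name__ == "__main__":
    for alert in detect_services(FLOWS) + detect_volume_anomalies(FLOWS):
        print(alert)
```

The telnet flow is caught by the insecure-service list regardless of the allowlist, the PLC's 8080/tcp connection is caught only because it is missing from that device's allowlist, and the 950 kB camera upload is caught by the baseline rule even though it goes to an allowed port. A real deployment would key the baseline per (device, service) and per time of day rather than per device alone.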

OWASP IoT #3 – Insecure ecosystem interfaces

People: Perform a risk assessment and review for each interface, such as web, mobile, API, cloud, etc.

Process: Risk assessment, cloud, mobile, web, and API standards and procedures are in place.

Technology: SureLog insecure-ecosystem-interface detection correlation rulesets are in place, monitoring authentication and authorization anomalies, encryption violations, and unexpected event rates (events per second, EPS) from log sources.

OWASP IoT #4 – Lack of secure update mechanisms

People: Ensure the latest software / firmware is in use upon acquisition, and perform regular currency and patch management activities in a timely manner.

Process: Patch management, configuration management, vulnerability management, and change management processes are in place for IoT / IIoT systems.

Technology: SureLog SIEM currency detection rules are in place, detecting outdated operating systems and firmware, and updates that are not delivered over a secure (encrypted and authenticated) channel.

OWASP IoT #5 – Use of insecure or outdated components

People: Perform patch management activities.

Process: Patch management, configuration management, vulnerability management, and incident management processes, procedures, and standards are in place.

Technology: SureLog SIEM insecure-component detection rules are in place. The SureLog NextGen SIEM platform ingests vulnerability data from third parties and can alert when systems may be vulnerable to attack. This gives users a targeted list of devices that may need updating or close monitoring.

OWASP IoT #6 – Insufficient privacy protection

People: Ensure the IoT device does not store users’ personal information insecurely or without their consent.

Process: Privacy policies, standards, and procedures are in place.

Technology: SureLog SIEM privacy-violation detection rules are in place, monitoring the IoT devices and flagging activity that would violate in-scope regulations such as GDPR and PIPEDA.

OWASP IoT #7 – Insecure data transfer and storage

People: Ensure cryptographic controls to protect data in transit and at rest are implemented.

Process: Cryptography, network, and storage security standards, processes, and procedures are in place.

Technology: SureLog SIEM insecure data transfer and storage detection rules are in place, monitoring IoT devices. Communication protocols commonly used for data exfiltration, such as BitTorrent, command-and-control (C&C) channels, Gnutella, and others, are monitored, as are unusual network traffic spikes to and from sources and the transmission of sensitive data in plain text.

OWASP IoT #8 – Lack of device management

People: Register IoT devices in the asset management inventory with ownership, end-of-life, support, and criticality information.

Process: Asset management, patch management, system monitoring, and incident response management standards, processes, and procedures are in place.

Technology: SureLog SIEM device-management detection rules are in place, monitoring devices and raising an alert if a device stops forwarding logs for longer than a threshold. Suspicious application performance indicators, resource utilization vectors, update and backup failures, and logins against terminated employees’ accounts are also monitored.
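The log-silence, update-failure, and terminated-account rules described above, as an added example that is not part of the original article or of SureLog's rule syntax. The inventory, the event stream, the HR termination feed, and the message formats are assumptions constructed for the example. The silence rule is driven by the asset inventory from the "People" step, which is what lets it report a registered device that has never sent a single log, a gap a rule keyed only on observed log sources cannot see; the check time is passed in explicitly so the rule can be replayed over historical data.

```python
# Added example: device-management rules over constructed events.
# Illustrative Python, not SureLog's rule syntax.
import re
from datetime import datetime, timedelta

# Devices registered in the asset inventory (the "People" step). Assumed.
INVENTORY = {"cam-01", "cam-02", "plc-07", "gw-03"}

# Constructed events (timestamp, device, message); not real device output.
EVENTS = [
    ("2024-03-01T08:00:00Z", "cam-01", "heartbeat"),
    ("2024-03-01T08:00:00Z", "cam-02", "heartbeat"),
    ("2024-03-01T08:00:00Z", "plc-07", "heartbeat"),
    ("2024-03-01T08:05:00Z", "cam-01", "login user=jdoe result=success"),
    ("2024-03-01T09:00:00Z", "cam-01", "heartbeat"),
    ("2024-03-01T09:00:00Z", "plc-07", "heartbeat"),
    ("2024-03-01T09:30:00Z", "plc-07", "login user=asmith result=success"),
    ("2024-03-01T10:00:00Z", "cam-01", "heartbeat"),
    ("2024-03-01T10:00:00Z", "plc-07", "firmware update failed code=7"),
]

# Terminated accounts and their termination dates from the HR feed. Assumed.
TERMINATED = {"jdoe": "2024-02-15T00:00:00Z"}

LOGIN_RE = re.compile(r"^login user=(?P<user>\S+) result=success$")
UPDATE_FAIL_RE = re.compile(r"^(firmware|software) update failed")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def silent_devices(events, inventory, now, threshold_minutes=60):
    """Rule 1: a registered device has not sent any log for longer than the
    threshold, or has never reported at all. `now` is an ISO-8601 string so
    the check can be replayed against historical data."""
    last_seen = {}
    for ts, device, _ in events:
        t = _ts(ts)
        if device not in last_seen or t > last_seen[device]:
            last_seen[device] = t
    now_dt, limit = _ts(now), timedelta(minutes=threshold_minutes)
    alerts = []
    for device in sorted(inventory):
        if device not in last_seen:
            alerts.append(("never_reported", device, None))
        elif now_dt - last_seen[device] > limit:
            alerts.append(("log_source_silent", device,
                           last_seen[device].strftime("%Y-%m-%dT%H:%M:%SZ")))
    return alerts


def terminated_account_logins(events, terminated):
    """Rule 2: a successful login by an account on or after its termination date."""
    alerts = []
    for ts, device, msg in events:
        m = LOGIN_RE.match(msg)
        if m and m["user"] in terminated and _ts(ts) >= _ts(terminated[m["user"]]):
            alerts.append(("terminated_account_login", device, m["user"]))
    return alerts


def update_failures(events):
    """Rule 3: firmware or software update failures reported by a device."""
    return [("update_failure", device, msg)
            for _, device, msg in events if UPDATE_FAIL_RE.match(msg)]


if __name__ == "__main__":
    now = "2024-03-01T10:30:00Z"
    for alert in (silent_devices(EVENTS, INVENTORY, now)
                  + terminated_account_logins(EVENTS, TERMINATED)
                  + update_failures(EVENTS)):
        print(alert)
```

Checked at 10:30 UTC with a one-hour threshold, cam-02 (last seen 08:00) is reported silent and gw-03, which is in the inventory but has no events at all, is reported as never having connected; cam-01 and plc-07 are current. The threshold should be set per device class from its normal log cadence, since a PLC that only reports on state change will otherwise generate constant false silences.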

OWASP IoT #9 – Insecure default settings

People: Harden the overall system upon acquisition of the IoT system.

Process: Configuration management, security hardening requirements, and change management standards, processes, and procedures are in place.

Technology: SureLog SIEM insecure-setting detection rules are in place. They audit access to and modification of files and databases, and detect when the hardening of a system is weakened by human error, misconfiguration, attack, or a failure in some other part of the system.

OWASP IoT #10 – Lack of physical hardening

People: Ensure only the required external physical ports are enabled, and disable unnecessary ports. Acquire tamper-resistant products where possible; otherwise, ensure devices are protected with physical security controls such as access cards and door systems.

Process: Physical security standards, processes, and procedures are in place.

Technology: SureLog SIEM physical-access violation detection rules are in place, monitoring physical access signals such as access cards, door systems, personnel on site, firmware, geofencing, etc.

Please note that the recommendations provided here are not exhaustive and should be considered a good starting point. Since IoT systems are so diverse, additional correlation rules should be in place depending on the nature of the IoT / IIoT systems. We have had a high success rate with the ANET SureLog SIEM platform in protecting IoT ecosystems, giving IoT / IIoT devices an adequate level of protection.

Notes: 

SureLog next-generation SIEM is a registered trademark of ANET Canada. More information can be obtained at www.anet-canada.ca/