By Curtis Simpson, CISO
Un-agentable computers, otherwise known as OT and IoT devices, are rapidly on pace to dwarf the number of PCs, Macs, and mobile devices in enterprise environments. According to our research, enterprise IoT devices are growing at 29% CAGR and will reach 7 billion by 2021. At that point, IoT devices will account for approximately 90% of all devices in enterprise environments. Though IoT devices are in fact tiny computers, running an operating system and communicating with other computers and services on a network, their risks typically cannot be managed using the same tools and techniques that we commonly use for traditional computers.
IoT Devices are Un-agentable
One reason why traditional security tools won’t work on IoT devices is that additional software (such as endpoint protection or other local agents) cannot be installed on an IoT device. The underlying operating system and software components can only be updated by the manufacturer, even if the OS is based on something familiar like Windows or Linux. Patching, when possible, must be performed using manufacturer-specific tools and may or may not be centrally manageable.
These un-agentable computers provide material value in both consumer and enterprise use cases. As a result, their propagation continues at the ever-growing rate that we are witnessing. In fact, the intersection of both in an enterprise environment has rapidly become the norm.
For example, Alexa-type devices are being used in boardrooms to make the collaboration equipment easier to use. Personal Bluetooth headphones (once again, a computer) are being connected to mobile devices that are authorized to access company email and periodically used as access points for a company laptop.
IoT Devices are Growing In Number
Every enterprise across every industry has un-agentable IoT devices with direct or indirect access to enterprise assets (systems, data, users). Examples of common un-agentable devices in every environment include VOIP phones, network printers, smart lighting, HVAC controllers, firewalls, smart TVs, and “casting devices” (Google Chromecast, Amazon Firestick, etc.). Industry-specific examples include infusion pumps, MRI machines, quality control sensors, manufacturing equipment, and refrigeration.
In a recent study by Forrester Consulting, 87% of enterprises have seen an increase in the use of unmanaged and un-agentable IoT devices. In addition, Gartner estimates that by 2020, 25% of cyberattacks against an enterprise will be conducted through un-agentable devices. Enterprises are improving their ability to prevent, detect, and respond to attacks against traditional devices, and this is causing bad actors to shift their attacks to the less protected areas of the enterprise.
IoT Devices Are Hard To Patch
Getting in front of this risk first involves acknowledging the fact that un-agentable devices are computers with most if not all of the same exposures as PCs, but for which many of the traditional risk management solutions that we’ve used for years are ineffective or simply inapplicable. The inability to install endpoint protection (also known as antivirus or anti-malware) software combined with challenges in patching vulnerabilities in such devices is a particularly problematic combination.
Let’s stay on patching for just a moment: We’re all used to automated patching systems for our traditional managed computers. But the Meltdown and Spectre vulnerabilities gave us a taste of how much more difficult it is to patch computers when our standard, centrally managed processes and solutions do not confidently and effectively apply. The firmware patches that were needed for Meltdown and Spectre required a large amount of manual effort and proved to be very problematic, even though these were updates to well-understood computers.
The complexity of this situation was compounded in organizations that purchased various models of computer equipment from a variety of PC and server manufacturers. Unique updates needed to be applied using completely different tactics specified by each manufacturer, which at times varied by unique device models.
These were computers that we touched all of the time. Yet, addressing these exposures proved to be extremely difficult. The difficulty grows exponentially with IoT, when the vulnerabilities reside in computers embedded in everything from elevators and MRIs to VOIP phones and firewalls. Patches for such devices are rarely ever issued by manufacturers. In turn, enterprise IT managers are often unaware how to both receive or apply updates and are concerned with potential post-patch device failures. Patching may also require the physical interaction with every device needing an update.
The most recent example of patching difficulty is associated with Armis’ URGENT/11 disclosure. In short, we found that billions of devices that are running various types of real-time operating systems (RTOS) contain several critical vulnerabilities. Hundreds of millions of devices utilizing one of seven different operating systems and leveraging a specific software library used for network communications are now vulnerable. It's the networking software library that critically exposes the entire device through a number of severe vulnerabilities.
IoT Devices Are Hard To Find and Identify
Identifying that such vulnerable devices exist within an environment can be a challenge, at best, through traditional means. Devices will go undiscovered or unidentified on a varying level of significance. Assessing and managing vulnerabilities in these devices and preventing the exploitation of these vulnerabilities through traditional means is even more challenging, if not near impossible.
Many companies impacted by URGENT/11 have thousands of devices spanning tens of manufacturers within their environments. Assuming that all manufacturers release a working patch for their impacted devices, each device must now be updated and tested using varying tools and techniques. Also, even if the use of impacted devices is generally known by an enterprise, if these devices cannot be accurately discovered using traditional capabilities, many will go unpatched regardless of any heroic efforts executed over the months to years required to touch all impacted devices.
The key to success is a passive means of successfully discovering all un-agentable computers in an enterprise, passively (no touch) assessing and managing risks associated with these assets, and enforcing approved behaviors and communications through policy, minimizing or eliminating the need for patching. Visibility and the ability to respond to potential exploitation is also key, but also a challenge to achieve through traditional capabilities.
A New Approach to IoT Device Security
Managing the risk associated with un-agentable devices that are rapidly becoming the most prevalent in enterprise environments requires that we take a different approach. A solution is required that spans all forms of enterprise IoT and unmanaged devices across all industries and intended uses that communicate on a wired or wireless network. Any effective solution must be holistic and end-to-end, and traditional solutions requiring a presence on the endpoint will simply not work.
A solution built from the ground-up with a holistic focus on this new landscape should be considered as part of every security program, regardless of the size of the enterprise managing this risk. Every enterprise has un-agentable computers, and they are growing in number, rapidly becoming the target for bad actors, and are not able to be managed through traditional means. Solutions such as those from Armis can help enable your ability to effectively manage this risk.
To learn more about the explosion of IoT unmanaged and un-agentable devices and what IT professionals are doing about it, download the recently published Forrester report and check out the corresponding InfoGraphic.