As the "Internet of Things (IoT)" phenomenon is catching on in a big way, I wanted to quickly capture the state of affairs of IoT in the context of security and how different Juniper technologies can help provide security to IoT infrastructure as well as protect other enterprise infrastructure from IoT devices.
A key challenge with IoT security starts with the simple question of, “What is IoT?”. IoT takes on wildly different meanings for different audiences. Iot devices can broadly be classified into:
- IP IoT devices in enterprise IoT
- Non-IP Industrial IoT Networks
- Service Provider Narrow Band IoT
Following discussion focuses on the IP IoT devices, primarily from enterprise perspective
There are some fundamental differences between the traditional IT and the evolving IoT domains. These include:
- Diversity: While traditional IT assets can be classified in to a handful of categories based on their utility, like servers, laptops, desktops, networking, storage devices etc., the types of devices involved in the IoT world are very diverse. From thermostats to light bulbs to cars to aquariums to pace makers to agricultural systems to manufacturing plants to power plants, the diversity of the types of devices and their capabilities is mind boggling in the IoT world.
- Risk profile: While the risk of a security compromise in the IT world typically was loss of sensitive data, security compromise of IoT devices can result in loss of human lives and more. Check the risks for pace-makers, connected cars, connected home thermostats to get an idea about the risks involved.
- Scale: While enterprise IT typically deal with assets that number in the thousands or hundreds of thousands, the number of IoT devices enterprises may deal with could easily reach millions of devices. As the DynDNS attack has shown, malicious actors can harness this scale to bring down mission-critical services and severely disrupt businesses, utilities, hospitals, energy grids and more.
With this backdrop, lets look at some of the key security challenges that are critical for IoT deployments, and how Juniper solutions can help protect from these challenges.
Challenge #1: IoT devices are vulnerable to advanced malware. Compromised IoT devices can further compromise other enterprise assets. Organizations need a way to detect compromised IoT devices and contain lateral spread of malware inside the network.
Solution: Juniper's Software Defined Secure Network (SDSN) solution enables enforcing security controls not just at the perimeter firewall level but also at the wired and wireless switch port level. We've in fact demonstrated this scenario at the IoT Security Summit by infecting an IP camera with malware and showing how SDSN auto-quarantines the infected camera, shutting down the ability of that ‘thing’ to launch further attacks. Malware detection as well as botnet communication of infected IP camera is delivered by SkyATP solution, and automated remediation at wireless switch port is orchestrated by Security Director Policy Enforcer
Challenge #2: Malware may not be the only way to compromise IoT devices. Is there a way to identify anomalous behavior of IoT devices to see if something may be off, creating a security risk?
Juniper SRX can identify traffic from IoT and IT devices destined to malicious “Command-and-Control (CnC) Servers”. IoT devices communicating with Botnet/CnC servers is a tell-tale sign that the devices are compromised. With the Juniper SDSN solution, customers can surgically isolate the compromised devices in the network and make sure these devices do not have access to sensitive data
Juniper Security Analytics (JSA) is the industry's best Security Information and Event Management (SIEM) solution. It can identify any behavioral anomalies with the devices connected to the network. Organizations can leverage this solution to identify anomalous behavior and then take remediation actions with Security Director Policy Enforcer. These actions can be at the perimeter firewall (SRX) level or at the wired/wireless access network level.
Challenge #3: There are a plethora of new IoT specific protocols that are being used on top of IP. There needs to be a way to visualize what communications are in use and a way to control the traffic based on identification of IoT protocols
Solution: Juniper's SRX supports Layer-7 IoT App-Signatures including MODBUS, Scada/DNP3, and many more. Check here for the supported application signatures. Juniper SRX also provides the ability for end users to write their own custom application signatures, to customize the solution. More support is coming up for additional consumer and industrial IoT application protocols. Juniper Security Director makes it easy to visualize the applications in use and modify application signatures
Challenge #4: Manufacturing and other industrial IoT installations need protection from external attacks.
Solution: Juniper SRX's Intrusion Prevention System (IPS) supports robust Scada signature sets. Check the list of supported Scada IPS signatures. Juniper SRX also provides the ability for end users to write their own custom IPS signatures, to customize the solution. Juniper Security Director makes it easy to visualize and manage IPS features of SRX
Challenge #5: IOT sensors typically create short session to exchange sensor information with the IOT applications. Given high volume of IOT devices in a typical enterprise or SP network, there could be millions of short lived sessions demanding high CPS and session capacity.
Solution: Juniper’s 4K and 5K series support high CPS and Session capacity to allow large scale IOT deployments. Juniper SRX is already deployed in mission critical IOT applications such as protecting large power grids in North America.
Challenge #6: IoT sensors and other battery operated devices have very little ability to run expensive encryption/decryption techniques we normally use for IT -- not IoT-- devices. IoT sensors typically send small bursts of data. How can we make sure these battery-powered systems stay secure without running out of battery power?
Solution: Juniper is contributing to the 3GPP to come up with a " Battery Efficient Security for very low Throughput Machine Type Communication (MTC) devices (BEST)" framework to optimize for battery efficiency and security for this scenario.
Come 2018 we are going to come up with some more exciting solutions targeted for the IoT security use case.
[Download Nemertis whitepaper on IoT Security for interesting coverage]