On October 21, 2016, a domain name service host and internet management company experienced at least two waves of a distributed denial of service (DDoS) attack that impacted at least 80 websites, including those belonging to Netflix, Twitter and CNN. The attack was launched by infecting millions of American’s Internet of Things (IoT) connected devices with a variation of the Mirai malware. The Mirai malware primarily targets IoT devices such as routers, digital video records and webcams / security cameras by exploiting their use of default usernames and passwords and coordinating them into a botnet used to conduct DDoS attacks. The U.S. Federal Bureau of Investigation (FBI) does not have confirmation of a group or individual responsible for the attack. In September 2016, two of the largest IoT DDoS attacks using the same malware disrupted the operations of a gaming server and computer security blogger website.
In light of these attacks, there has been an increased focus on IoT security at the FBI, the U.S. Department of Homeland and Security (DHS), the National Institute of Standards and Technology (NIST) and Capitol Hill.
Five days after the October 21, 2016 attack, the FBI issued a Private Industry Notification, providing a list of precautionary measures stakeholders should take to mitigate “a range of potential DDoS threats and IoT compromise,” including but not limited to:
- Having a DDoS mitigation strategy ready ahead of time and keeping logs of any potential attacks;
- Implementing an incident response plan that includes DDoS mitigation. The plan may involve external organizations such as law enforcement;
- Implementing a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location;
- Reviewing reliance on easily identified internet connections for critical operations, particularly those shared with public facing web servers;
- Ensuring upstream firewalls are in place to block incoming UDP packets;
- Changing default credentials on all IoT devices; and
- Ensuring that software or firmware updates are applied as soon as the device manufacturer releases them.
A copy of the FBI Notification can be found here.
On November 15, 2016, the DHS issued its own non-binding guidance for prioritizing IoT security, aimed at IoT developers, IoT manufacturers, service providers, industrial and business-level consumers. According to the DHS, there are six non-binding principles that, if followed, will help account for security as stakeholders develop, manufacture, implement or use network-connected devices.
Principle #1 – Incorporate Security at the Design Phase
The DHS notes that security should be evaluated as an integral component of any network-connected device. Building security “in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed.” To that end, the DHS suggests the following practices:
- Enable security by default through unique, hard to crack default user names and passwords.
- Build the device using the most recent operating system that is technically viable and economically feasible.
- Use hardware that incorporates security features to strengthen the protection and integrity of the device.
- Design with system and operational disruption in mind.
Principle #2 – Advance Security Updates and Vulnerability Management
Even when security is included at the design stage, vulnerabilities may be discovered in products after they have been sent to market. The DHS notes these flaws can be mitigated through patching, security updates, and vulnerability management strategies. Suggested practices include:
- Consider ways to secure the device over network connections or through automated means.
- Consider coordinating software updates among third-party vendors to address vulnerabilities and security improvements to ensure consumer devices have the complete set of current protections.
- Develop automated mechanisms for addressing vulnerabilities.
- Develop a policy regarding the coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities.
- Develop an end-of-life strategy for IoT products.
Principle #3 – Build on Proven Security Practices
According to the DHS, many tested practices used in traditional IT and network security can be applied to IoT, and can help identify vulnerabilities, detect irregularities, respond to potential incidents and recover from damage or disruption to IoT devices. The DHS recommends NIST’s framework for cybersecurity risk management, which has widely been adopted by private industry and integrated across sectors. Other suggested practices include:
- Start with basic software security and cyber security practices, and apply them to the IoT ecosystem in flexible, adaptive and innovative ways.
- Refer to relevant Sector-Specific Guidance, where it exists, as a starting point from which to consider security practices (e.g., the National Highway Traffic Safety Administration recently released guidance on Cybersecurity Best Practices for Modern Vehicles and the Food and Drug Administration released draft guidance on Postmarket Management of Cybersecurity in Medical Devices).
- Practice defense in depth.
- Participate in information sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public and private partners.
Principle #4 – Prioritize Security Measures According to Potential Impact
The DHS recognizes that risk models differ substantially across the IoT ecosystem, and the consequences of a security failure will vary significantly. The DHS therefore recommends:
- Knowing a device’s intended use and environment, where possible;
- Performing a “red-teaming” exercise where developers actively try to bypass the security measures needed at the application, network, data or physical layers; and
- Identifying and authenticating the devices connected to the network, especially for industrial consumers and business networks.
Principle #5 – Promote Transparency Across IoT
Where possible, the DHS recommends that developers and manufacturers know their supply chain, and whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization. This increased awareness could help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies. Recommended practices include:
- Conduct end-to-end risk assessments that account for both internal and third party vendor risks, where possible.
- Consider the creation of a publicly disclosed mechanism for using vulnerability reports.
- Consider developing and employing a software bill of materials that can be used as a means of building shared trust among vendors and manufacturers.
Principle #6 – Connect Carefully and Deliberately
The DHS notes that consumers, particularly in the industrial context, should “deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.” To that end, suggested practices include:
- Advise IoT consumers on the intended purpose of any network connections
- Making intentional connections.
- Build in controls to allow manufacturers, service providers, and consumers to disable network connections or specific ports when needed or desired to enable selective connectivity.
A copy of the DHS guidance can be found here.
On November 15, 2016, NIST released its own guidance advising IoT manufacturers and developers to implement security safeguards and to monitor those systems on a regular basis. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. The new NIST Special Publication 800-160 is the product of four years of research and development, and focuses largely on engineering actions that are required to ensure connected devices are able to prevent and recover from cyber attacks, and lays out dozens of technical standards and security principles for developers to consider.
A complete copy of the NIST guidance can be found here.
One day after the DHS and NIST guidance was released, on November 16, 2016, the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks.” The witnesses were Dale Drew of Level 3 Communications, Kevin Fu of Virta Labs and the University of Michigan, and Bruce Schneier from the Berkman Klein Center at Harvard University.
The witnesses uniformly recommended that while the DDos attack in October was just on popular websites, and not critical infrastructure, attacks toward critical infrastructure, including public safety and hospital systems, are likely. Each witness stressed the importance of addressing the vulnerabilities at the onset of developing technology, and urged greater oversight by lawmakers.
A video of this hearing can be found here.