Digitized, Connected and Exposed

Dec. 16, 2022
Will 5G and IoT/OT create the most complex infrastructure attack surface ever?

Cyber threats and vulnerabilities in the electronic security industry exist today, and they are increasing. But there are new and darker threats on the horizon. And suppose end-users and all industry players don't implement proactive measures. In that case, they will undoubtedly be held accountable by their organizations and customers and may even potentially share liability for being hacked.

The threat is the merged capabilities of two remarkable and promising technologies intended to bridge the digital divide, satisfy the universal need for connectivity, bring substantial economic benefits, and impact almost every industry and consumer globally, the Internet of Things (IoT) and 5G. Our ability to evaluate the revolutionary impact that IoT and 5G could bring to the global economy requires us to fully understand how the industry, manufacturers, and integrators will solve the risks accompanying these technologies if they address them.

This article should not be considered an exhaustive risk summary or technical review of all attack methodologies or vectors. It is based upon the considerable amount of analysis that already exists for both IoT and 5G risks and vulnerabilities and should be considered as additional analysis.

What is the Big Deal About 5G and IoT?

What is so promising about 5G and IoT is the ubiquitous interconnectivity of intelligent sensors and devices, unparalleled and untethered speed, vanishing latency, and new functionality across the entire business and consumer spectrum. These features and capabilities will translate into new business models, revenue streams, and monetization of new private and public infrastructure. And for the security industry, which has repeatedly been retooling 20-year-old technologies while at the same time praying for new opportunities to improve their bottom lines, and value propositions, the union of 5G and IoT appears to be the Holy Grail delivered on a silver platter.

Further proof of the race toward the marriage of 5G and IoT lies in a report titled "The Internet of Things: Catching up to an accelerating opportunity" In their report, McKinsey & Company states that IoT could unlock $5.5 trillion to $12.6 trillion globally by 2030 including the value captured by consumers and customers of IoT products and services. Those are certainly big numbers, and there is a lot of momentum behind the rapidly growing development of IoT. And the numbers surrounding 5G deployments are equally impressive.

The Ericsson Mobility Report, dated June 2022, states that 5G subscriptions will reach 1 billion by the end of this year. The report also claims that 5G standalone networks are increasing as providers prepare for innovation to address opportunities beyond enhanced mobile broadband. And even JP Morgan predicts that 5G adoption will accelerate IoT connections by up to 29% CAGR.

Demand for high bandwidth connectivity is sought in every industry vertical. But it is not only increased bandwidth connectivity. It's a speed of up to 10Gbps, low latency of 1ms, and one of the core capabilities of 5G, Massive Machine-Type Communications (mMTC), which will support connection densities of up to one million devices per square kilometer. As a result, lightbulbs are going off like paparazzi in the security industry.

Here is the Problem.

Individually, IoT and 5G implementations are super attractive targets. Together, 5G networks connected to IoT devices will create interconnected attack surfaces at an unprecedented scale. Furthermore, this evolving web of connected technologies will further expose existing cyber vulnerabilities by increasing connectivity and information exchanges with enterprise systems and cloud-based systems and reveal new ones within the electronic security markets and elsewhere. And once breached, it will become a buffet for purveyors of ransomware and new and unimagined threats.

With such economic potential, is the market possibly overlooking some of the more apparent risks? How would two universally acclaimed technologies with so much promise potentially cause harm? And why isn’t there a greater sense of urgency to secure the obvious vulnerabilities? For that answer, let us turn to some of the Fundamental Realities of Security from Cisco, which may be familiar to many and not just to the electronic security industry:

  • Implementing a security program is constrained by the threats we know about or the threats we can imagine for the near future.
  • Security is often addressed after the fact and is frequently sacrificed for "time to market" considerations. Or the "if it ain't broke, don't fix it" model.
  • Vendors and consumers often scramble for something faster but not something more secure until they've been hacked.
  • Most users have limited knowledge of the security details of their network connectivity.
  • Once a security vulnerability is exposed, the hype cycle reaches a crescendo, and after a mad dash to fix the problem, security is again pushed to the side.
  • New and better security functionality is almost always compromised by the desire for legacy interoperability (and fewer help desk calls).

According to the 2021 Ponemon Institute "Cost of a Data Breach Report," published by IBM, Physical Security Compromise is already the 5th most popular attack surface with an average total loss of $3.54M per incident. An unfortunate fact is that IP cameras have been one of the favorite cyber targets going back at least six years when the Mirai botnet attack caused an internet outage for much of the east coast, as was the lesser, but still harmful, Persirai botnet attack which also targeted IP cameras. And let’s not forget how a third-party piece of code became a hackable flaw called Devil’s Ivy. The code was used in physical security devices, potentially allowing remote threat actors to fully disable or take control of thousands of network-connected security devices.

And the truth is that cyber threat actors are aiming at the existing and developing IoT industry and the deployment of 5G. Most IoT devices are unmanaged, do not possess realistic security measures, and are attractive targets. According to PaloAlto Networks Unit 42, nearly 98% of all IoT traffic is unencrypted, exposing personal and confidential data on networks. And 57% of IoT devices are vulnerable to medium or high-severity attacks, making IoT easy targets for attackers.

A study commissioned by ARMIS and conducted by Forrester Consulting states that:

  • 69% of enterprises have more IoT devices on their networks than computers
  • 84% of security professionals believe IoT devices are more vulnerable than computers
  • 67% of enterprises have experienced an IoT security incident
  • Only 16% of enterprise security managers say they have adequate visibility of the IoT devices in their environments
  • 93% of enterprises are planning to increase their spending on security for IoT and unmanaged devices

Some of the most frequent attacks leverage known default device passwords. But lack of password management is not the only weakness. Other vulnerabilities include a lack of timely firmware updates, a lack of identifying, managing, and controlling rogue IoT devices on networks, and risks compounded by manufacturers building connectivity into a myriad of devices as varied as speakers, security cameras, sensors, and telecom devices.

And 5G networks fare no better as they are not secure by design. But they do have a significant impact on the nation’s critical infrastructure. Things to consider. 5G affects the ability of the nation to operate the core network while providing wireless network services and provides internet routing, access, and connection services. Given the criticality of 5G, the software-defined networks and virtualization, which are key features, will create new attack vectors to be exploited, especially in private deployments. CISA has identified 5 “Primary Buckets of Vulnerability” within 5G networks. One of those is the use of untrusted components or IoT.

How Did We Get Here?

The race towards digitalization and convergence has given birth to many fantastic and beneficial technological solutions. Within the security industry, we have seen remarkable features, functionality, and capabilities in the areas of AI, analytics, and machine learning to name just a few. But it also catalyzed the early development of IoT and OT devices. IP cameras are probably one of the most significant examples of a current electronic security IoT device, but not the only one. And with nearly 85 million IP cameras in the US alone and an estimated one billion worldwide, that is quite an installed base of security related IoT devices. And that's just the beginning.

Estimates vary, but as of this year, it is forecasted that there will be around 18 billion IoT devices worldwide operating in nearly every industry, including security, with sensors and cameras embedded in entirely new devices and applications. And the CAGR of IoT is expected to accelerate significantly, reaching a projected range from 30% - 37%. The fine point of it is that each IoT device is a potential entry point into a network and business.

Together and individually, IoT devices and the proliferation of 5G have associated risks. As we become increasingly dependent upon connected technologies, we will risk catastrophic failures and Black Swan events across multiple industries and geographies that will hit modern life like rolling blackouts in a summer heatwave.

What is Being Done and What are the Solutions?

The good news is that efforts are underway to address the IoT security vulnerabilities and those related to closely aligned ICS and OT markets. And the US Government, in addition to other industry players, is also providing guidance for various threat scenarios in 5G deployments. Here are just a few.

 NIST – You can find efforts by NIST to develop guidance for government applications by viewing the video, Overview of SP 800-213 / 213A: IoT Device Cybersecurity Guidance for the Federal Government.  

IoT Security Foundation – You can also learn more about global efforts by visiting the IoT Security Foundation.

IEEE SAIEEE SA supplemental information referenced by the European Rolling Plan for ICT Standardisation can be found here.

5G NSA/CISASecurity Guidance for Cloud Infrastructures.

Most importantly, there are Immediate steps available to mitigate existing risks, including cyber hygiene measures. These initiatives and applications will go a long way in shrinking the attack surface of electronic security enterprises, which should be the immediate goal. As important, these measures will assist in bringing your enterprise security systems into IT/InfoSec compliance.

Specific Recommendations:

Organizations should consider implementing solutions that extend Zero Trust protection to IoT (physical security) hardware through automated provisioning and management of digital certificates at scale, thereby enabling the determination of the legitimacy of IoT devices. These solutions should be able to provision certificates, confirm status, refresh upon expiration and even revoke certificates at will.

Organizations should consider implementing a password management tool that allows changing default passwords at the device (e.g., camera) level from a central location while storing and documenting the dates when a password was last revised. Implementing password management eliminates the risk of what we saw during the Mirai Botnet attacks a few years ago and is a significantly lower-cost alternative to visiting each camera to change the password.

Automating firmware updates from a central location helps assure patches to devices are not only timely but also significantly reduces the costs of updating security devices by several orders of magnitude.

Conclusion

Chasing the dream of ubiquitous connectivity at blinding speeds and enabling a fully connected enterprise with on-demand access to everything is revolutionary, but only if we take equal measures to ensure the security of our existing infrastructure and the technological advancements that both IoT and 5G will bring. The industry must take security measures now to inoculate against our current and imagined vulnerabilities. Likewise, end-users need to understand the vulnerabilities of their existing systems and adopt a more holistic approach to securing what they rely upon to protect their organizations.

About the Author: Eddie Meltzer is the Founder and CEO of Security Cloud & Mobile Partners. He is a 30-year veteran of the electronic security industry and a champion for big data analysis of security operations. In addition, Eddie is a subject matter expert in bringing electronic security systems into InfoSec/IT compliance, service and support programs, and global business development. He welcomes your calls at 816.215.9398 or emails at [email protected].

Visit his website: www.securitycloudmobile.com.