IoT Security And Reducing Business Interruption Posted on : May 15 - 2018

The internet of things (IoT) is being increasingly adopted by the world. According to this Forbes article, "29% of organizations globally and across all industries adopted IoT" in 2017. This made IoT security more important for organizations. When a vulnerability is discovered in an IoT system, how do you mitigate the problem without interrupting the business?

How IoT Vulnerabilities Are Handled Today

Let's look at how IoT vulnerabilities are mitigated today by using connected medical devices as an example. On April 17, ICS-CERT issued an advisory on a defibrillator, exposing a vulnerability on this device. While no details were released on when this vulnerability was reported and how long it took to patch the faulty devices, in the advisory we found CVE-2017-12712 was assigned to this issue. From the method by which Common Vulnerability Exposure numbers are assigned, we can infer this issue was reported back in 2017, most likely around fall time. At least six months have passed since the vulnerability was discovered.

Here is a typical life cycle of an IoT device vulnerability. A researcher finds a security vulnerability on an IoT device, either from a penetration test or by other methods such as a source code audit. The researcher reports the vulnerability to the device manufacturer and keeps this secret from the rest of the world for a given period of time (aka a "grace period"). The grace period is typically 60 to 90 days so that the manufacturer can develop a fix for the problem (i.e., a firmware patch). After the grace period, the researcher will release the discovery to a broader audience so as to create awareness of the vulnerability and affected devices. The researcher can then report the discovery to the proper authorities, and a CVE number is assigned to keep track of this issue.

Both researchers and attackers are looking for vulnerabilities. When a researcher finds an IoT vulnerability and reports it, attackers may also find the same vulnerability, around the same time or even earlier, since attackers are often better equipped. From the moment an issue is reported, attackers probably start attacking devices with that vulnerability.

This left us wondering: During the months after an issue is discovered and device manufactures busy developing patches, are devices and the patients using them properly protected? When a patch is developed, how will it be delivered to the devices? View More