Securing IoT with Microsoft Defender for IoT sensors
Securing the Internet of Things is increasingly important. IoT hardware is at the heart of much modern operational technology: the systems that support businesses and that mix modern IoT hardware with legacy control and data-collection devices. But we can’t secure it the way we secure PCs and servers, as much IoT hardware is single-purpose, built to run from firmware and unable to install additional software.
That approach is both a blessing and a curse. Single-purpose hardware is relatively hard to compromise, but it’s also hard to monitor. Further, agents can’t be installed on it, as simple microcontrollers have limited memory and fewer threads.
In some circumstances, businesses are able to use secured-core hardware like Microsoft’s Azure Sphere systems with their built-in Pluton processors. But in most cases, they use devices built around off-the-shelf microcontrollers from vendors like NXP and Broadcom.
As a result, businesses often rely on hardware that can’t be managed or monitored — something of an untrustworthy foundation for operational technology. That’s resulted in compromised hardware shutting down critical systems, including bad actors targeting devices with malicious firmware updates.
The risks associated with OT hardware are significant, with attacks that not only compromise devices but, in doing so, are able to damage physical plants — much like the results of the Stuxnet attacks on certain types of SCADA devices.
Introducing Defender for IoT’s sensor
So how can we protect our devices, networks and businesses, especially when we already have a large estate of deployed hardware? Microsoft’s Defender for IoT is one option, adding network sensors and firmware analysis tools to help spot compromised and at-risk hardware and working in conjunction with Microsoft Sentinel to use machine learning to identify threats early.
As IoT and OT hardware often consists of specialized, proprietary systems running custom firmware, agent-based techniques don’t work. Instead, at the heart of Defender for IoT is a network sensor appliance, which can be used to get an inventory of the devices on a network and, more importantly, their traffic patterns. This lets IT teams get a picture of the current state of an IoT network, mapping its topology and helping identify how to better connect and segment devices.
At the same time, other tools can be used to identify firmware versions, letting security teams see devices that may be at risk or that have been misconfigured. OT networks are typically diverse, combining IoT hardware with industrial control and process control systems and technologies like SCADA. This approach can be a useful way to identify any quick wins, especially in OT environments that have grown organically over the years.
Understanding what can be updated or what needs to be changed helps prioritize devices by their risk score and can help to build a threat model that can identify possible attack methods. Additionally, it can identify devices that may have been deployed and forgotten or that have become disconnected from management platforms.
Using the sensor
Once up and running, the sensor platform looks for more than TCP/IP network packets, with its deep packet inspection tool aware of the major industrial communications protocols, including those used by proprietary services. The sensor takes a copy of network traffic and analyzes this, avoiding affecting any hardware that might be susceptible to active probes and ensuring OT systems continue operating.
Working with IoT hardware requires a different approach from traditional network security, and systems need to identify anomalies rather than tracking known compromises.
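As an illustration of the passive, baseline-then-anomaly approach described above, here is an added Python example (not Microsoft’s code or the sensor’s actual logic) that parses constructed Modbus/TCP frames, learns the normal (source, destination, unit, function code) tuples while the plant is in a known-good state, and flags deviations, rating a write from an unknown host highest. All addresses and frames are constructed samples; the Modbus/TCP header layout and function codes follow the public Modbus specification.

```python
import struct

# Modbus function codes that change process state (public Modbus spec):
# 5 = write single coil, 6 = write single register,
# 15 = write multiple coils, 16 = write multiple registers
WRITE_FUNCTIONS = {5, 6, 15, 16}

def parse_modbus_tcp(payload: bytes):
    """Parse the MBAP header and function code of one Modbus/TCP frame.
    Returns (unit_id, function_code), or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the declared length must match the frame
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def learn_baseline(flows):
    """Learning phase: record every (src, dst, unit, function) tuple seen
    while the plant is known to be operating normally."""
    baseline = set()
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed:
            baseline.add((src, dst) + parsed)
    return baseline

def detect_anomalies(flows, baseline):
    """Detection phase: flag tuples absent from the baseline. A write
    outside the baseline is rated high, any other new tuple medium."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            alerts.append(("malformed", src, dst, None, None))
            continue
        if (src, dst) + parsed not in baseline:
            severity = "high" if parsed[1] in WRITE_FUNCTIONS else "medium"
            alerts.append((severity, src, dst, parsed[0], parsed[1]))
    return alerts

def mb(tid, unit, func, data):
    """Build a Modbus/TCP frame (used only for constructed sample traffic)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample flows: an HMI polling a PLC, then an unknown host
# writing a holding register and sending a truncated frame.
BASELINE = [("10.0.1.10", "10.0.2.5", mb(1, 1, 3, b"\x00\x00\x00\x0a")),
            ("10.0.1.10", "10.0.2.5", mb(2, 1, 1, b"\x00\x00\x00\x08"))]
LIVE = BASELINE + [("10.0.3.77", "10.0.2.5", mb(9, 1, 6, b"\x00\x10\xff\xff")),
                   ("10.0.3.77", "10.0.2.5", b"\x00\x01")]
```

Running `detect_anomalies(LIVE, learn_baseline(BASELINE))` yields a high-severity alert for the write from 10.0.3.77 and a malformed-frame alert, while the HMI’s routine reads stay silent.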
Deploying Defender for IoT is simple enough. As the sensor is a Layer 7 device, it’s transparent to the rest of the network and can be connected to a network switch in the OT network. Results are then delivered to the Defender for IoT service, either locally to a management console or to a cloud-hosted SOC, and to security information and event management tooling.
The sensor itself can be a virtual appliance, only needing access to a dedicated network card in the host server, running on Microsoft’s Hyper-V or VMware’s ESXi. Alternatively, businesses can purchase a preconfigured server from a number of vendors, ready to activate and install in their networks. If organizations choose to set up their own physical or virtual sensor, Microsoft provides a list of requirements that cover different sizes of OT network, with options for monitoring entire networks, specific sites, and individual production lines.
Once in place, a sensor can continuously monitor the traffic in an OT network, watching for suspicious activity and storing packet captures. This allows security teams to use the console to search for suspicious activity, looking at network traffic history to determine if, when, and how devices were compromised. There’s an added bonus from tools like this: they can help identify misconfigured hardware that might be affecting network and production performance.
Integrating with Sentinel to automate security
The Microsoft Sentinel option for Defender for IoT lets businesses make IoT hardware part of their security operations center, allowing security teams to use familiar tools and dashboards to protect operational systems as well as IT platforms. Security analysts will be able to identify threats that span the business’s entire infrastructure, helping avoid lateral moves from compromised IoT hardware into the rest of the network.
Integrating the two platforms is simple enough. Sentinel now includes a public preview release of a Defender for IoT solution package. This can be deployed with a couple of clicks, streaming data from IoT tools into Sentinel. The package includes predefined rule sets to help identify incidents as well as playbooks that automate many incident response strategies. It’s all wrapped up in a dashboard that helps visualize IoT systems in the context of the overall IT and OT environment.
The big advantage of this integration is the single-pane-of-glass view into all security incidents. This can be filtered to identify specific IoT issues and then used to highlight the business impact of an incident.
Microsoft is planning to add mapping tools to this, so security teams can link IoT hardware to specific locations, which can help triage incidents by identifying important locations; a threat in a drill site, for example, no matter how isolated, will be much more critical than an issue in an office HVAC system. This allows them to deploy engineers effectively, especially when IoT hardware can be deployed across the planet.
Once the combined service is running, users are able to click through from Sentinel dashboards into the Defender for IoT tooling for deeper analysis of specific incidents. At the same time, security teams can use Sentinel’s investigation graph tools to explore the causes of an incident, helping determine what is happening in the network and what techniques a bad actor is using to attack devices.
One useful concept for IoT security is the idea of “crown jewels.” These are the devices that run high importance services and where any attack will have not only an impact on the IT infrastructure but also on critical operations. This is another concept that helps triage incidents, elevating responses where necessary and helping ensure operations continue, even when the network is under attack.
Sentinel’s playbooks are an important tool, as they let security teams script and automate responses to incidents, raising alerts to device owners and allowing them to start investigations alongside more traditional security approaches. This lets IT security quickly identify false positives, helping train Sentinel’s machine learning tools.
Reducing IoT security risks with Microsoft Defender
Tools like these are going to be increasingly important as more and more businesses start integrating existing OT platforms with the rest of their IT estate. It’s easy to dismiss devices like these as “simple,” without considering the impact a security breach might have on a business, where it’s not just a matter of data loss but one where production facilities are disrupted and physical plants are damaged.
Using Defender for IoT along with Sentinel can help reduce risk significantly, providing missing insights and identifying issues before they become a compromise.