Knowledge What is Zero Trust (Security Measures for IoT) at Overseas Offices? Points to Realize

First, let us discuss representative security issues related to an IoT system and IoT devices which are part of the IoT system.

One security measure for a company that has offices abroad is to visualize all the devices connected to its networks. However, the rapidly increasing number of IoT devices are often arranged in a physically distributed manner, and in many cases - especially in companies with overseas operations - the people in charge often do not know where these devices are. It is even more difficult to manage IoT devices when including those at overseas offices, especially recently with many companies expanding into Southeast Asia. Unlike with regular IT devices, a unique hardware identifier is sometimes not assigned to every IoT device because IoT devices are usually produced in large quantities.

In general, tools that collect data through monitoring of devices are divided into two types: agent type and agentless type. An agent is an application for collecting data, and an agent-type tool installs an agent for each monitoring target to transmit the data collected by the tool. However, some IoT devices do not have a sophisticated CPU, so it may be difficult to install an agent on such devices. Therefore, if an agent-type endpoint security solution is used, installing an agent may not be possible.

One of the major issues related to IoT systems is that they are vulnerable to attacks from the outside. The reasons are as follows:

• IoT systems are basically operating 24 hours a day, 365 days a year.
• Easy to exploit vulnerabilities (OS/application version upgrades and/or periodic password changes are often not done)
• Sufficient maintenance work is not done because many IoT systems are used in unattended environments at overseas offices.
• IoT systems are frequently left for a long time while connected to a network.

Along with the spread of IoT systems, the number of attackers who exploit such vulnerabilities is growing.

Because, overseas, an IoT system is sometimes set up in a public space, there is the possibility that a third party may manipulate it illegally or physically attack it. There is also the risk of information leakage through theft or loss of the device. You are especially at increased risk prioritizing continuous operation of the system (availability) and omitting an authentication function.

IoT devices are often set up in remote locations, requiring proper operation and management. With the increase in remote work, there are many cases where monitoring of the status of IoT systems/devices and management, including necessary maintenance, are carried out remotely. However, sometimes there is a failure to take sufficient network security measures at employees' homes or at overseas offices. Moreover, it is difficult to have complete control over BYOD (Bring Your Own Device), so access to a system or data within the company can present a security threat.

This section introduces some examples of IoT-related security incidents that actually occurred in Japan and abroad.

In August 2021, a US security firm announced the existence of CVE2021-28372, a vulnerability that affects over 83 million IoT devices including CCD cameras. If this vulnerability is exploited, users will be exposed to risk of, for example, theft of their network camera images and unauthorized access to their home devices. In response, Mandiant requested users to minimize online connection to the network cameras.

In December 2020, a US security firm discovered a vulnerability called Amnesia33 in multiple open-source TCP/IP stacks. Furthermore, Forescout and JSOF announced a vulnerability called NAME:WRECK in April 2021. It is said that one million to several million industrial and consumer devices using TCP/IP stacks with this vulnerability can suffer damage from, for example, DoS attacks.(*2）

In October 2021, some agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency (EPA), and Federal Bureau of Investigation (FBI), jointly released a cyber security advisory on the grounds that many continuing cyberattacks on the water and sewerage industry had been occurring. Because of the ransomware attacks on and unauthorized access to water and sewerage systems, the ability to provide clean drinking water to local communities is now under threat. The acceleration of online routes for system control through the introduction of IoT systems provides more targets for attack and raises concerns about increased risk.(*3）

Zero trust is a security model that is gaining exposure in the modern world of higher security risk as the number of IoT systems increases. Based on the assumption of not trusting anyone or anything, zero trust promotes the idea that we should control all resources and access both inside and outside the company.

In recent years, the data and systems that an organization needs to protect have diversified to being inside and outside it due to the spread of cloud services and remote work. Zero trust is a solution for ensuring security and ensuring flexibility. While it is attracts attention for overseas offices, it is also an effective security model for IoT.

Perimeter control security model  is a security model that distinguishes clearly between the inside and outside of a network to control access from the outside. This model has been adopted in Japan and abroad for a long time. Based on the assumption that in-house networks are generally secure, access from the outside is strictly controlled by setting up a firewall or VPN (virtual private network) at the interface with the Internet.

As mentioned earlier, however, we now gain additional access to in-house systems both from inside and outside the company due to an increase in the use of cloud services and remote work, both in Japan and abroad. Moreover, it is difficult, with respect to IoT devices that are often distributed physically, to clearly distinguish between what is inside and outside an in-house network. Therefore, the perimeter control security model is not a perfect solution to completely eliminate threats.

The zero trust security model, on the other hand, does not have the notion that in-house networks are secure, so it controls all resources without trusting them. While the perimeter control security model is effective in specific scenarios, zero trust is a more flexible security model that can be also used for IoT security and meets modern global security requirements. 

SP 800-207 Zero Trust Architecture (Japanese only), released by the National Institute of Standards and Technology (NIST) in 2020, is one of the guidelines for the basic concept of zero trust. The seven principles of zero trust shown in this document are as follows:

1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy - including the observable state of client identity, application/service, and the requesting asset - and may include other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization is dynamic and strictly enforced before access is granted.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Based on these principles, zero trust provides a global, strategic approach for better cyber security on the assumption of not trusting any resource or access, and verifying all of them.

In general, IoT devices are dispersedly around the world and communicate with one another inside and outside of networks. For this reason, it is difficult to ensure good security when using the perimeter control security model. To control all access, IoT devices need to be brought under the umbrella of the zero trust model. Zero trust is also effective as a measure for IoT devices that cannot be managed fully by a company.

This section describes concrete approaches for implementing zero trust.

To implement zero trust, it is important to visualize all of your IoT devices, wherever they happen to be around the world. By accurately knowing what devices are connected to the networks and grasping which devices play what role, it should be easier to identify unknown devices and unauthorized access attempts. Introduction of tools suitable for the IoT system, such as agentless-type tools, should provide a key to effective operation of the security system.

Risk assessment involves properly evaluating the risk to each device and user. Be sure to take into account a variety of information, such as device and user authentication information, application of security patches, configuration errors, and abnormal traffic, from several perspectives to calculate the risk score, and permit or deny each access attempt appropriately based on the score.

In zero trust, you must securely authenticate every device and user, and strengthen ID management to prevent impersonation and unauthorized access. Try to achieve robust ID management by, for example, adopting multi-factor authentication. Also remember that one of the basic principles of zero trust is to assign minimum access rights to each device and user. Limiting the scope of access enables you to restrict the attacker's movement even if your system is compromised by a malicious attack.

Segmentation of networks restricts communication between devices and prevents the damage from spreading if an attack occurs. Security can be strengthened further by using perimeter control security model  such as a firewall and an intrusion detection/protection system. 

Zero trust requires continuous monitoring and maintenance. For IoT systems that are running, abnormal access and indications of an attack can be detected early by always monitoring the systems and analyzing logs. This is especially important for companies that operate globally through their overseas offices.

In addition, you need to keep the security up to date by periodically applying patches to the devices and systems. Because it is difficult to carry out all of these tasks manually, we recommend introducing a tool that can consolidate device security.

Finally, let us describe points to watch out for when introducing zero trust security for IoT systems.

The zero trust security system should be improved through trial and error in daily operations. There are no absolutely correct answers, so you need to change your approach if necessary according to the company's requirements, budget, and situation. Therefore, do not pursue perfection from the beginning. Get off to a small start instead. It is important that you proceed with the project gradually while minimizing risk in such a way as to start the project with a single overseas office and expand it to other overseas locations step by step.

The first step to realizing zero trust is to visualize your current situation with respect to the company's IoT systems, IT assets, access management, network configuration, and workflows at its overseas offices. In this way, you can draw up a suitable plan and choose the right tools.

When you introduce a zero trust security system, you are bound to incur some costs, such as introducing tools for each overseas office. Because you will bear heavy risks if you cut corners on security measures, look on the cost as an investment. Security is a long-term strategy that is directly linked to the company's image and sales at the global level, so it is crucial that you get support and understanding from others in the company.

Zero trust is a security model that is effective for solving security problems with IoT devices and systems, which are becoming increasingly complex, at overseas offices. Companies that expand their business globally should be able to improve their reliability both in Japan and abroad through implementing zero trust with a full understanding of the idea and its implementation method in regard to IoT.

KDDI can help you implement a zero trust security system by employing a variety of security solutions including networks, IT asset management, and user authentication. Why not contact KDDI to discuss how to strengthen your security governance globally, in Japan and abroad.