Unapproved 'Internet of Things' Devices Cause Headaches on Sites
Tim Nottoli, Walsh Construction’s chief information officer, has seen Google’s Nest and Amazon’s Ring cameras brought onto the company’s construction sites and has dealt with every type of sensor used properly and improperly on the company’s network. But recently, he uncovered a network vulnerability inside a construction trailer that wasn’t connected to any computer system he’d encountered before.
“We actually had somebody plug in a coffee maker that was broadcasting to the internet,” Nottoli says. “The vendor they were buying it from wanted to be able to let it call home to tell them that they are running low on beans and supplies. I’m not joking, it was a vendor with a coffee maker talking to the internet.” The vendor set up the coffee maker to use Walsh’s guest network to connect online, and hadn’t thought to mention it to anyone in the IT department.
The security of IoT devices and their uneven implementation is a major stumbling block to deploying IoT initiatives for contractors. While contractors are increasingly adopting IoT devices to improve productivity, efficiency and safety, they must balance all of those rollouts with the potential of adding vulnerabilities to their network. Policing unapproved devices added on construction sites, such as Walsh’s coffee maker, takes up IT staff time and energy and keeps them from working on secure implementations.
“With humans you have to interact, you might have to explain something [like phishing],” says Jayson Street, vice president of Information Security at SphereNY, a network security firm that finds vulnerabilities via “white-hat hacking,” done to improve security. “A lot of these devices, though, they’re armed by default, or there’s no security baked into them at all or very easily crackable security.”
Devices such as IoT sensors are useful to contractors because they can provide real-time monitoring and data collection. Many contractors are keen to implement them to measure everything from installation time to the efficiency of equipment, but IT departments have to consider outside factors such as compatibility or how they affect established workflows and ease of use when deploying any new IoT tool. When implementation processes are ignored by employees or subcontractors who just bring devices to work, IT must fix the vulnerabilities they create and then educate the culprits.
Walsh’s IT approach involves containing what Nottoli calls network sprawl by regularly scanning the Walsh network, paying attention to devices that come in and then treating them one way if they’re approved and isolating them if they’re not. If a device has malware on it, or is attempting to call out to some command control system, it would get blocked proactively or Walsh’s IT department would get notifications.
The fluid workforce on most jobsites means more workers are using laptops, smartphones and approved devices over WiFi that are only there for the project, and that includes full-time employees. Subcontractors can have their own systems, requiring even more training or raising a debate over whether they can easily log on to the network. Some contractor network administrators find themselves playing a constant game of whack-a-mole with vulnerabilities, rather than rolling out new IoT initiatives.
“They think jobsites and the corporate networks are similar to what they’re used to at home, so, ‘Hey, my Ring works at home, so it should work at the office,’ ” Nottoli says. ”They don’t realize that wireless is not configured, that wireless here is more secure with certificates and dependencies on a login. So that’s, I’m going to say, mostly ignorance, and just not knowing how the process works.”
Nottoli and Pete Vallianatos, Walsh’s director of IT infrastructure, tell as many employees and subcontractors as possible that plugging in an IoT device circumvents the normal technology approval process. The person plugging it in can inhibit productivity by creating problems. Locating the vulnerable device is the equivalent of finding a needle in a haystack. An already overtaxed IT department must then prove to the employee that it’s something he or she did, not a deficiency in the overall structure of the network.
“It’s the commercial, off-the-shelf stuff, that consumer-grade product that hits our network … really, it’s been difficult for us to contain that,” Vallianatos says.
Street, the network security consultant, advises contractors to segment their networks where and when they can.
“I’m not saying you disconnect everything and then you don’t have the data,” he explains, “but why does the data to your coffee machine or your backhoe or your other equipment have to actually be on the same network as your accounting files? And your actual production network? Segmentation is something that’s been around forever, but it still seems to be elusive in a lot of environments. “
Street, who is also an infosec ranger at computer security firm Pwnie Express, says segmenting IoT devices onto a separate network—not a VLAN, but within firewalls, building discretionary rules going in and out that require compatibility—is a good strategy.
“[The devices] then can’t go and search the web, because your light bulb doesn’t need to go surf the internet,” he says.
Walsh segments its network between a guest network that most subcontractors and per-job employees use and the corporate network all full-time employees are on. It even segments it further within those two groups. Still, a balance must be maintained. Some contractors simply don’t want their project managers and other on-site staff to have to worry about network security with the pace of the projects they are running.
“[Spending a lot of time on network security] is not something that we expect our folks out in the field to have to stop and have to worry about,” says Scott
Unruh, director of security and network services at JE Dunn Construction in Kansas City, Mo. “We want them to be able to do their job to their expert ability and we’ll handle the backend for them.”
Unruh says JE Dunn has done a good job of communicating that anyone on a site must contact IT before adding any devices, but where there’s still a struggle is making project managers and others understand the intricacies of the security measures.
“If they need to put a security camera on a site, getting into the weeds of what actual requirements need to be met, as far as specifications of the device, things like that, that’s where they really rely on IT and our group to help guide them through [the selection and implementation of the device] and that we’re to properly place or secure those on the network,” he says.
Just like Walsh, JE Dunn has developed network architecture to isolate rogue IoT devices and segment its overall network. Unruh said JE Dunn’s network security department knows it can’t keep up with every device put on the market that might make it onto a site, but they can be ready for if and when a device does get compromised, “that you can’t get anywhere with it and there’s nothing you can do with it,” effectively isolating the device.
He also said the company has been able to automate much of the monitoring of its network by writing custom scripts in languages such as Python and PowerShell that interface with JE Dunn’s network admission control. These scripts can assess and respond to vulnerabilities as they crop up, freeing up the valuable time of network engineers. Unruh said the scripts can send employees who connected a now-isolated device articles and training courses about how to properly set them up, rather than requiring a in-person meeting or IT intervention to make the device usable.
“When something’s isolated, the script can make those necessary changes for the engineer, in many cases, and we do that today in a lot of areas,” Unruh says. “Certainly, we’re not perfect. There’s a lot of opportunity for us to become more productive or to make our network more productive, but that’s definitely the road that we’re going down, and that’s the way that we see that we’re going to be able to overcome all these devices getting on the network and ensuring that they remain secure.”