Tackling PCI Audit Complexity in an IoT World

There’s an old joke among security folks that goes something like this: The “S” in “IoT” stands for “Security.” Just give it a second to sink in, in case you don’t immediately get it. Few things terrify security professionals more than IoT devices.

It’s not that we’re Luddites who don’t appreciate a smarter Jetsons-like future. In fact, we’re often the nerds working on making our own homes “smart” in completely ridiculous ways. Prime example: My home’s new washer and dryer are app-enabled and they send alerts when the clothes are ready to be moved.

Here’s another example: Last year my father gave me a set of smart switches that could remotely turn on and off lights in my house. Being the security nerd that I am, I created a test lab, hooked them up, and captured the packets emanating from the switches. Lo and behold, the switches were sending my traffic to some random server in China.

My best guess is that the company simply set up a relay server for messages to avoid home networking issues. There’s nothing inherently wrong with that. Most homeowners probably wouldn’t even notice or even think about where all that traffic goes. But I definitely want to know where my data is going, who has it, and what they’re doing with it. I’m also not a fan of allowing someone else to potentially control the electronics in my house (don’t tell my dad, but I didn’t end up using those smart switches)

Are We Getting Smarter or Riskier?

For a long time, Internet-connected systems like computers, servers, and all the new phones and tablets were primarily devices operated by people. Somewhere around the early 2000s—thanks to the ubiquity of Wi-Fi and ever-cheaper cell connectivity—we somehow decided it would be a good idea to start making otherwise dumb things “smart.” Since then, we’ve seen a veritable explosion of traditionally unintelligent devices suddenly coming online.

So, you might ask, why is that such a bad thing? Well, it’s bad for three big reasons:

1. From the perspective of a manufacturer, the life cycle of a smart product can be exceedingly short, yet it will likely remain in a customer’s home for an exceedingly long time. I mean, who plans to replace a smart fridge before at least a decade or longer? The problem is, vital updates won’t keep pace over the product’s lifetime—including critical security updates.
2. With the proliferation of inexpensive boards like the Raspberry Pi, Arduino, and the ESP8266, everyone and their mom has suddenly become a smart device manufacturer. You can write perfectly good and secure code for these platforms, but speed to market and ease of integration almost always win out over security concerns.
3. Perhaps the scariest issue is that if someone hacks one of these devices, they then have a platform to launch other attacks. Getting a network request from one hacked smart fridge isn’t that horrible. But getting requests from a million smart fridges will break your network in no time flat. In fact, Amazon reportedly had to defend itself from an insanely large 3 terabits-per-second distributed denial-of-service attack from botnets composed of just such compromised IoT devices.

Where Does PCI Compliance Fit in?

So, where do these smart devices reside and how do they impact PCI compliance management and auditing? You’re likely to see them in places such as tank gauge monitoring and remote sensing. Monitoring food temperatures, keeping tabs on the level of fuel in the ground, smart menu boards, and a wide range of kiosks all contribute to the growing number of devices associated with any given store.

When it comes to ensuring tight security and PCI compliance, you should manage these devices the same way you would any other network device:

• Isolate them on their own VLANs for network segmentation (doing so will help you reduce the complexity and scope of PCI compliance).
• Implement strong firewall rules about what these devices can talk to (for instance, there’s no reason for your smart menu display to talk to your POS systems).
• Consider adding outbound egress firewall filtering and a default deny to inbound traffic.

One of the most difficult challenges comes when these devices need to talk to the “cloud.” If you look up IP ranges for the leading cloud providers and content delivery networks to whitelist, you’ll end up whitelisting what feels like almost the entire Internet. This alone should raise some concerns and force a fundamental question: Do you actually need these devices?

Sometimes the best security starts with keeping things simple. However, if the convenience, customer engagement, or business efficiency advantage of such devices is too much to pass up, at least make sure you apply the same solid network security and PCI compliance practices you do throughout the rest of your environment.

After all, the trend of adding network connectivity to dumb things is only getting started—and it will likely continue growing unless we start to see greater consequences for the poor to non-existent security on these devices. Until then, we’re still anxiously waiting to see that “S” in “IoT.”