The Internet of Things (IoT) is growing rapidly in scale, with the market for IoT devices set to double between now and 2021. The pervasive nature of IoT means that enterprises inevitably take on not only the benefits of IoT but also its security issues. Yet, with the right strategy, enterprises can guard against the security challenges that IoT poses.
The good thing about IoT is that it can be put to work in almost any domain: healthcare, logistics, retail, insurance and banking. It helps improve decision-making, understand users better, deliver new customer value propositions, improve and optimise operations, generate income and raise the value of the business.
IoT is present in every enterprise in ways that can often be missed. A recent survey found that a third of companies in the UK, US and Germany had over 1,000 shadow IoT devices on their network on any given day.
Organisations continue to adopt IoT devices with enthusiasm, often without realising that these devices are frequently insecure by design and offer attackers many opportunities. This dramatically expands the IoT threat landscape. Moreover, many IoT devices are not registered in IT inventories because of poor asset management: they become part of the shadow IT. The more connected an enterprise becomes, the more security vulnerabilities it may accumulate.
Enterprises must assume that their networks harbour IoT devices, even if making use of IoT tech is not a formal IT policy. Of course, for many companies in the fields of manufacturing, auto production and healthcare, IoT is core to their operations, and for these enterprises, IoT security is of major concern. Regardless, every enterprise should take the network risks behind IoT very seriously.
Why IoT poses a different kind of risk
In 2018, the number of connected IoT devices is expected to reach 1.2 billion. A lot of them are vulnerable and designed without security in mind. This is a huge problem that involves device manufacturers, software developers and users.
The security of IoT affects the user experience (authentication and cryptographic operations often add cumbersome steps for users), the product cost (complex cryptographic operations and secure storage for keys) and the development cost.
Among the IoT-specific security issues, the following three are the most common for enterprise businesses:
Challenges in cataloguing and managing devices
Many aspects of IT security rely on knowing which devices require protection. IoT poses a challenge here: shadow IoT aside, even devices deployed with the full knowledge of IT teams can be hard to catalogue because of the sheer number involved. A single factory can contain thousands of connected sensors that all require scrutiny.
Bullet-proofing every single IoT device when there are thousands online is very difficult. Updating the firmware and managing the security settings of tens of thousands of devices is costly and may simply be unattainable from a logistics perspective.
Simple devices can lead to complex consequences
A small sensor may appear incapable of causing serious harm, but attackers can exploit a seemingly insignificant vulnerability to gain wider access to networks and facilities. Because a single-function IoT device (such as a sensor) rarely contains much computing power, it is easy to assume that attackers cannot use it to cause broader damage.
In fact, even a very basic IoT device can serve as the first entry point into a network. Once intruders have gained a foothold through an IoT device, they can pivot to more capable systems that offer further opportunities. Compromised IoT devices have also been used to launch distributed denial-of-service (DDoS) attacks, which carry the risk of reputational blowback for the owners of those devices.
IoT devices are frequently not enterprise-grade
Enterprise IT security relies on the enterprise-level security measures embedded in equipment sold for use in an enterprise environment. But many of the IoT devices on enterprise networks are in fact consumer grade, particularly where shadow IoT is concerned.
This can limit the options for controlling important security properties such as authentication and network encryption. There is not much that enterprises can do about this, and for this reason security teams need to find alternative ways to mitigate the risks that such devices pose.
How to protect against IoT security issues
Ransomware attacks on IoT devices are expected within the next year. Ransomware will evolve to target connected, smart, physical devices, potentially putting lives in danger. There is no minimum security standard for IoT, and that is critical, at least for governments and strategic infrastructure. Without such a standard, there is no control over the security of the IoT devices on the market. As Bruce Schneier says: “Companies can continue to sell IoT devices with whatever lousy security they want.”
Awareness of the challenges that IoT poses is a good start: technology teams should treat IoT devices as untrusted by default and handle them accordingly, so that the benefits of IoT can be enjoyed on an ongoing basis.
While replacing legacy IoT infrastructure is often impractical, one option is to isolate insecure devices and add a layer of security between them and the rest of the network. You need complete visibility of the environment, strict access control with privileged access management, and security monitoring that detects suspicious events, abnormal authentication and unexpected configuration changes. Enterprise IoT devices should not be exposed to the Internet or placed on the same network segments as end-user workstations.
Clearly, prevention is better than the cure and enterprises can mitigate IoT challenges by checking existing security practices against the following list:
- IoT devices should be treated differently from other network devices from a security perspective. Ringfencing IoT devices on their own network segment and limiting the parts of your network they can reach is a good start.
- Ensure that network authentication (for example 802.1X) is required for every single device. Devices should not be allowed to reach gateways and network applications unless necessary. Also ensure that default credentials are replaced with strong, unique passwords, and enable 2FA on management interfaces where possible.
- Apply network encryption everywhere, including Transport Layer Security (TLS) for device-to-backend traffic, so that data transmitted by IoT devices remains confidential and cannot be tampered with in transit.
- Physically block devices: if a device is not needed, turn off the power. Disable unused physical interfaces (USB, serial and debug headers) and unused network ports and services on exposed devices, as these can provide entry points.
- As far as practically possible, make a serious attempt to catalogue IoT devices so that your enterprise can update firmware and manage patches.
- Watch out for IoT where it’s least expected, such as in consumer electronics like fridges and conference room TV sets. Manage the connectivity of these devices carefully, blocking network access where it is not needed.
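The visibility, cataloguing and ringfencing points above can be turned into a routine check. The following script is an added example for this article, not code from ELEKS or the original post: it parses a constructed set of DHCP lease lines, looks up each MAC's vendor in a small illustrative OUI table, and reports two kinds of finding: devices that are not in the IT inventory (shadow devices) and IoT-class devices that have ended up outside the IoT VLAN. The lease line format (ip mac hostname vlan), the VLAN numbers, the inventory and the vendor table are all assumptions made for the example.

```python
"""Shadow-IoT audit: reconcile observed DHCP leases against an asset
inventory and a VLAN placement policy.

Added example; not code from the original article. Lease lines, OUI
table, inventory and VLAN numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

IOT_VLAN = 20   # assumed: segment on which IoT devices are ringfenced
USER_VLAN = 10  # assumed: end-user workstation segment

# Constructed sample leases, one per line: <ip> <mac> <hostname|-> <vlan>
SAMPLE_LEASES = """\
10.20.0.12  b8:27:eb:11:22:33  temp-sensor-07    20
10.10.0.44  00:1a:a0:aa:bb:cc  JDOE-LAPTOP       10
10.10.0.91  18:b4:30:44:55:66  smart-thermostat  10
10.20.0.13  B8:27:EB:77:88:99  temp-sensor-08    20
10.10.0.200 f0:9f:c2:de:ad:00  -                 10
"""

# Illustrative OUI (first three octets) -> vendor subset; a real deployment
# would load the IEEE registry instead of this hand-picked table.
OUI_VENDORS: Dict[str, str] = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "18:b4:30": "Nest Labs",
    "00:1a:a0": "Dell",
    "f0:9f:c2": "Ubiquiti",
}
# Vendors whose devices this (assumed) policy classifies as IoT-class.
IOT_VENDORS: Set[str] = {"Raspberry Pi Foundation", "Nest Labs", "Ubiquiti"}
# What IT believes is on the network: mac -> asset tag (constructed).
INVENTORY: Dict[str, str] = {
    "b8:27:eb:11:22:33": "temp-sensor-07",
    "b8:27:eb:77:88:99": "temp-sensor-08",
    "00:1a:a0:aa:bb:cc": "JDOE-LAPTOP",
}


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    vlan: int


@dataclass(frozen=True)
class Finding:
    kind: str      # "shadow" (not in inventory) or "misplaced" (wrong VLAN)
    mac: str
    ip: str
    vlan: int
    detail: str


def parse_leases(text: str) -> List[Lease]:
    """Parse the simplified lease format; MACs are normalised to lowercase."""
    leases: List[Lease] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ip, mac, hostname, vlan = parts
        leases.append(Lease(ip, mac.lower(), "" if hostname == "-" else hostname, int(vlan)))
    return leases


def vendor_of(mac: str, oui: Dict[str, str] = OUI_VENDORS) -> str:
    """Vendor lookup on the OUI prefix; unknown prefixes are still reported."""
    return oui.get(mac.lower()[:8], "unknown")


def audit(leases: Iterable[Lease], inventory: Dict[str, str] = INVENTORY,
          iot_vendors: Set[str] = IOT_VENDORS) -> List[Finding]:
    """Flag shadow devices and IoT-class devices outside the IoT VLAN."""
    findings: List[Finding] = []
    for lease in leases:
        vendor = vendor_of(lease.mac)
        if lease.mac not in inventory:
            findings.append(Finding("shadow", lease.mac, lease.ip, lease.vlan,
                                    f"not in inventory (vendor: {vendor})"))
        if vendor in iot_vendors and lease.vlan != IOT_VLAN:
            findings.append(Finding("misplaced", lease.mac, lease.ip, lease.vlan,
                                    f"IoT-class device ({vendor}) outside VLAN {IOT_VLAN}"))
    return findings


def summarise(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. for a daily report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_leases(SAMPLE_LEASES))
    for f in results:
        print(f"[{f.kind}] {f.mac} {f.ip} vlan={f.vlan}: {f.detail}")
    print(summarise(results))
```

In the constructed sample the two registered sensors on VLAN 20 and the inventoried laptop produce nothing, while the thermostat and the unnamed device on the user VLAN each trigger both a shadow finding and a misplaced finding. Feeding real lease or NAC logs into `parse_leases` and the inventory export into `audit` on a schedule gives the "complete environment visibility" the text asks for; the findings are the devices to catalogue, move to the IoT segment, or switch off.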
These are just some of the steps your enterprise can take to ensure IoT devices, both known and unknown, do not pose a hazard to your network. But keeping IoT security issues under control requires a broad change in security thinking.
“It’s not just about technology. Proper IoT governance is also essential”, says Iurii Garasym, the Director of Corporate Security at ELEKS. “For instance, you need to implement a security process for adding IoT devices to your network. Before IoT deployment, consider what information is collected and shared, as well as who can access it.”
With 77% of enterprises stating in a recent survey that IoT poses a security risk, your company should seriously consider engaging a security partner that can help mitigate IoT risks. Get in touch to discuss how to minimise your IoT security challenges.
Originally published at eleks.com on September 20, 2018.