Zero Trust in The Business of IoT

Convenience and the drive to automate industrial control have guided the continued development of the Internet of Things (IoT). This vast universe of devices ranges from home weather stations and wireless routers to massive industrial control systems such as HVAC and automated manufacturing equipment. Connected devices aim to improve efficiency and business performance, optimize decision-making, and more. These improvements, however, come with their own set of critical security concerns, and many of those concerns have been realized in some of the biggest breach events of the last decade. Can you say Target refrigeration hack? If these devices are not given the same level of care as traditional IT infrastructure, they present severe risks. They can and do offer “soft targets” for attackers, and their “userless” nature can obscure, undermine, and directly lead to the compromise of critical business processes.

Why Connected Devices?

Investment in IoT benefits business by creating value with little interpersonal conflict. The overall ease of installation and use of home-based IoT makes these devices alluring, and the same is true in a small office. Once IoT is operating in a large, multi-location enterprise, things become much more complex. The real challenge, as with securing any technology, lies in configuration and ongoing management: these devices require monitoring and diligent adherence to security update and patching regimens.

This can be cumbersome in the workplace. Heterogeneous environments, or simply put, the presence of devices from various manufacturers, create an unwelcome burden. The number of contexts in which these devices are found correlates directly with the number of makers: IoT can be found throughout an organization and at many layers. This is further exacerbated if consumer-ready devices are also present, e.g., smart thermostats, lightbulbs, and devices employees might discreetly bring in for individual or personal use.

These blended systems are attractive to attackers because a vulnerability in any one device can bring about a business disruption: the classic example being an aquarium heater within a casino providing a pathway to high-roller databases, or, in the case of the aforementioned Target breach, an HVAC compromise that led to the theft of 125 million consumer credit cards. Something as small as an active factory default password can present a risk or vulnerability for an organization. This is even scarier to imagine where the IoT and physical worlds overlap: self-driving vehicles, production line equipment, air quality monitoring, etc.

Managing IoT Risks

To manage these risks, a multi-faceted approach is best. The first step is to govern the existence and operations of connected devices (you cannot manage what you do not know). Next, eliminate all default administrator credentials and device names. Security updates for each device must be performed, including end-of-life planning. Finally, the approach to IoT security management must be modernized: IoT devices should no longer be handled with a perimeter-based approach, but rather within a Zero Trust model. In addition to other security basics, IoT considerations should include:

  • Policy – set expectations and keep management accountable. Does the organization have a policy for IoT management?
  • Identity Authentication – register and inventory all devices with renewable credentials. Does a record of this device exist? Are the passwords changed regularly?
  • Network Segregation & Least Privilege – devices need only the level of access required to accomplish their individual, specific goals. Does the refrigerator need to communicate with computers and devices on my internal network? Have I segregated this industrial IoT from business-critical information systems that may process, store, or transmit sensitive or legally protected information?
  • Device Monitoring – diagnostically evaluate security configurations, assess for vulnerabilities and insecure passwords, and raise anomaly-based behavioral alerts. Can you determine each device’s adherence to policy or hardening guidelines?
  • Centralized and Continuous Updating – configure a centralized management solution to deploy security updates and patches accordingly, whenever feasible. Can you manage each and every single device manually? Is that the best use of a salary?
  • Be Aware – engage in manufacturer alerts, subscribe to active resources, stay informed of IoT news. You do this elsewhere, what’s one more blog or mailing to follow?
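The checklist above can be turned into an automated control: run the device register through the policy checks (registration, default credentials, credential age, segmentation, update age, end of life) and report findings per device. The script below is an added illustration, not part of the original post; the inventory records, the VLAN names treated as business-critical, and the 90-day and 180-day windows are all constructed assumptions standing in for an organization's own policy.

```python
"""Audit a constructed IoT inventory against the Zero Trust checklist."""
from datetime import date

# Constructed sample inventory (not real devices); one record per device.
INVENTORY = [
    {"id": "hvac-01", "vlan": "ot-hvac", "default_creds": False,
     "cred_rotated": date(2024, 11, 1), "firmware_date": date(2024, 9, 1),
     "eol": date(2027, 1, 1), "registered": True},
    {"id": "fishtank-heater", "vlan": "corp-users", "default_creds": True,
     "cred_rotated": date(2022, 1, 1), "firmware_date": date(2021, 6, 1),
     "eol": date(2023, 1, 1), "registered": False},
]
# Assumed business-critical segments an IoT device must never share.
SENSITIVE_VLANS = {"corp-users", "finance", "cardholder"}
CRED_MAX_AGE_DAYS = 90        # assumed credential rotation window
FIRMWARE_MAX_AGE_DAYS = 180   # assumed maximum age of installed firmware
AUDIT_DATE = date(2025, 1, 15)  # fixed so the sample output is reproducible


def evaluate_device(dev, today):
    """Return a list of policy findings for one device (empty means compliant)."""
    findings = []
    if not dev["registered"]:                       # Identity Authentication
        findings.append("not in device register")
    if dev["default_creds"]:                        # eliminate default credentials
        findings.append("factory default credentials active")
    if (today - dev["cred_rotated"]).days > CRED_MAX_AGE_DAYS:
        findings.append("credentials not rotated within policy window")
    if dev["vlan"] in SENSITIVE_VLANS:              # Network Segregation
        findings.append(f"shares segment '{dev['vlan']}' with business-critical systems")
    if (today - dev["firmware_date"]).days > FIRMWARE_MAX_AGE_DAYS:
        findings.append("firmware older than update policy allows")  # Continuous Updating
    if dev["eol"] <= today:                         # end-of-life planning
        findings.append("vendor support ended; plan replacement")
    return findings


def audit(inventory, today=None):
    """Map each device id to its findings; today defaults to the current date."""
    today = today or date.today()
    return {d["id"]: evaluate_device(d, today) for d in inventory}


if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(f"{dev_id}: {'OK' if not findings else '; '.join(findings)}")
```

Feeding the same checks with a real register exported from the device management solution turns the questions in the list into a recurring report rather than a one-off review.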

Monarch ISC is a Certified Third-Party Assessment Organization (C3PAO) supporting organizations across regulated industries with expert guidance for CMMC compliance. Whether you are preparing for assessment or need help identifying gaps, our team delivers practical, audit-ready support tailored to your environment.
