Convenience and the drive to automate industrial control have guided the continued development of the Internet of Things (IoT). This vast universe of devices ranges from home weather stations and wireless routers to massive industrial control systems, such as HVAC and automated manufacturing equipment. Connected devices aim to improve efficiency and business performance, optimize decision-making, and more. These improvements, however, come with their own set of critical security concerns. Many of these issues have been realized in some of the biggest breach events of the last decade. Can you say Target refrigeration hack? If these devices are not given the same level of care as traditional IT infrastructure, they present severe risks. These devices can and do offer “soft targets” for attackers. The “userless” nature of these platforms can obfuscate, undermine, and directly lead to the compromise of critical business processes.
Investment in IoT benefits business by creating value with little interpersonal conflict. The overall ease of installation and use of home-based IoT makes these devices alluring. The same is true in a small office. Once IoT is operating in a large multi-location enterprise, things become much more complex. The real challenge here, as with securing any technology, lies in configuration and ongoing management. These devices require monitoring and diligent adherence to security update and patching regimens.
This can be cumbersome in the workplace. Environments with heterogeneous systems, or simply put, the presence of devices from various manufacturers, create an unwelcome burden. The number of makers can correlate directly with the variety of contexts in which these devices are found. IoT can be found throughout an organization and is present at many layers. This is further exacerbated if consumer-ready devices are also present, e.g., smart thermostats, lightbulbs, and devices employees might discreetly bring in for individual/personal use.
These blended systems are attractive to attackers, as a vulnerability in any one device can bring about a business disruption. The classic example is an aquarium heater within a casino providing a pathway to high roller databases, or, in the case of the aforementioned Target breach, an HVAC compromise that led to the theft of 125 million consumer credit cards. Even an active factory default password can present a risk or vulnerability for an organization. This is even scarier to imagine when the IoT and physical world overlap: self-driving vehicles, production line equipment, air quality monitoring, etc.
To manage these risks, a multi-faceted approach is best. The first step is to govern the existence and operations of connected devices (you cannot manage what you do not know). Next, eliminate all default administrator credentials and device names. Security updates must be applied to each device, and the regimen must include end-of-life planning. Finally, the approach to IoT security management must be modernized. IoT devices should no longer be dealt with in a perimeter-based approach, but rather under a Zero Trust model. In addition to other security basics, IoT considerations should include: