To describe securing an IoT network as “monumental” is a huge understatement. There are so many factors influencing IoT security, and as the volume of connected devices continues to increase, so does the complexity in managing and securing the network. One of the biggest concerns expressed to us by organizations looking to address the end-to-end security of their ecosystem is identity and access management (IAM). Here are a few key factors to consider when devising an IAM strategy for IoT networks.
IAM is not just for people
Identity and access management is a part of IT that is often viewed as a means to control human access to network and company resources. However, this need to control access to resources also includes devices and applications. Like with people, the legitimacy of their need to connect must be verified, along with to what resources they are requesting access.
The imperative to closely regulate IAM exponentially increases with devices out in the field or other remote locations, which could be exposed to potential tampering or may occasionally receive maintenance or monitoring on an infrequent basis. If hacked, these devices can be used to infiltrate a network and either corrupt data or steal it. The potential for damage that these devices can cause must be limited, which means controlling their access. Closing this vector for attack is particularly paramount for those operating industrial control systems and critical infrastructure.
Usernames and passwords
Botnets like Mirai thrust changing default usernames, passwords or other device configurations to the forefront of conversations. This is a simple but effective way of adding another layer of security to the IoT ecosystem and a mandatory best practice. Fortunately, manufacturers are starting to include prompts to change login credentials when a device or sensor first connects to a network during configuration.
Also, once reconfigured with new passwords, those login credentials will need to be stored in a secure enclave. There is little point in locking something up if you’re going to leave the keys out on the table.
One of the main challenges with IoT is the volume of unsecure devices getting connected. These often inexpensive, constrained devices can be used as entry points to the network, and it is critical to ensure their identities are correctly verified. We are coming to a stage where communications service providers are starting to require that only certified devices are allowed to be connected to their networks. One such initiative is the CTIA cybersecurity certification program launched in August 2018.
Not just for operating systems on the second Tuesday of the month, system managers must also make sure that devices are patched as software updates become available. A very popular method for cybercriminals to gain access to an organization is to exploit vulnerabilities in the software. When an update becomes available, it’s an announcement to hackers about a weak spot in a device. It then becomes a race against the clock to patch it before a criminal decides to use it as an entry point. It is important to make sure that software patches are sent securely (encrypted and data integrity checked) and to the correctly identified device.
Being secure also means being prepared
Enterprises and service providers have to accept a hard truth: no IoT network or service will ever be able to be completely secured. They are simply too big and complex, which equates to vulnerable. This does not mean that stakeholders aren’t accountable for ensuring they have made every effort to increase security end-to-end and follow the guidance of frameworks, like NIST, including its recommendations for IAM.
The best thing for an organization is to be prepared. Have a response plan in place. Don’t focus on building a network to be impenetrable, but rather one that is robust and resilient enough to withstand an attack and maintain some level of functionality, versus being taken down by an advanced and persistent threat. The ability to minimize the damage is what matters, and observing strong IAM practices will help.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.