IoT security policy requires comprehensive, expansive visibility
IoT is a black hole; every day it’s sucking in devices that must be secured.
But IoT is also a nebulous term. Although emerging devices are easily identified at inception, decades-old technology has become part of the IoT universe – sometimes stealthily – and must be dealt with. These devices must be properly segmented and managed from a policy perspective because they’re a gateway to an organization’s broader, connected infrastructure.
Some IoT devices represent the cutting edge of innovation. Others are part of systems that have been around for years, supporting the infrastructure of a building, campus or an entire city. Emerging IoT devices are likely to be built and deployed with security in mind, while more familiar hardware that now has intelligence and connectivity might get overlooked.
IoT devices are both mundane…
Multi-function printers with scanning and copying functions are an excellent example of one of the earliest iterations of an IoT endpoint, but often left out of security strategy. To improve collaboration and productivity, these devices are connected to the network without a second thought. Every employee can easily print from their workstation or scan a document to be routed anywhere in the organization.
That convenient connectivity, however, makes multi-function printers an IoT endpoint, and a popular doorway for threat actors to gain access to a company’s broader infrastructure. The good news is an IoT security policy can be a powerful tool to secure entire fleets of multi-function printers.
…and medical marvels
Even as hospitals move to electronic records with the goal of having a single view of a patient, they’re still full of connected printers, and increasingly, smart medical devices. And because they are connected to the network, they’re potentially a cybersecurity headache.
Just like every workstation at every nurses’ station and every tablet in a specialist’s hands, medical devices ranging from portable ultrasounds to heart monitors are all connected. They pose an even greater risk because some of them are used by patients outside the facility. Today’s modern medical devices are ideal targets for threat actors who want to gain access to a hospital’s information systems.
Much like printers, the prescription is good security policy, including network segmentation. There’s no reason a portable glucose monitor needs to connect the same way patient information records and workstations do.
The mundane gets marvelous
The proliferation of smarter buildings means whole cities and their infrastructure — from traffic systems to power grids — are increasingly composed of millions of IoT endpoints. With all these devices connected to the cloud, organizations can study usage patterns to create even more efficient environments. An IoT endpoint is a path to a treasure trove of valuable information and mission-critical systems.
Mundane systems, such as HVAC, now have sensors to control temperature. For example, when a crowded room heats up because there are so many bodies in it, HVAC knows to crank up the air conditioning. Conversely, the system is smart enough not to waste energy cooling or heating an empty room. Lighting systems are also automated thanks to wirelessly attached sensors, which — you guessed it — are on a network.
Similarly, security systems are made up of networked devices that monitor a building or an entire campus. Wired or wireless, cameras as well as biometric access keypads and facial recognition sensors make it easier for doors and turnstiles to open automatically for the right people. They’re all IoT endpoints, too, and low-hanging fruit for someone who just needs a small crack to enter a larger system.
Like printers, HVAC and security systems have been around for decades, and in their early days, always segmented on their own proprietary infrastructures. Advances in networking and even AI mean connectivity is a must, but how they connect and what they’re allowed to do on any network needs to be carefully policed.
Build it and the threats will come
Even on a small scale, these IoT endpoints proliferate quickly. Now imagine them as part of a bigger system, such as a smart city.
From traffic systems to parking meters, cities have become a mesh of networked IoT endpoints. Municipal power and water utilities monitor their own infrastructure and even those of residential and commercial buildings through wired and wireless sensors. This proliferation will continue exponentially as autonomous vehicles hit the road.
From a technical perspective, these devices have a lot in common. Even when the functions and purposes of devices are unique, they may use the same communications protocols or the same storage media. What makes them different is how connected they must be. Do portable medical devices such as insulin pumps need to be on the same network as patient records? Does the single multi-function printer in a satellite office need to be on the same WAN as head office? Should real-time traffic systems worry about being compromised because of a water usage meter on a high-rise building?
Visibility is essential to robust security and policy management. You need to know you’ve got a smart fleet of printers on your network or dozens of connected security cameras so you can decide what they can do and what they can access. And you can’t do it manually. Not only must you establish a policy for every conceivable device and scenario, it needs to be automatically applied—you can’t expect your IT security team to keep up.
None of these systems needs to share a network to deliver value as an IoT device. But if you’re to properly segment these various IoT endpoints, whether it’s a mundane meter or a cutting-edge facial recognition sensor, you need to know they’re there. That starts with having a broad definition for IoT. It’s a big galaxy.
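One way to turn that inventory into automatically checked policy, as an added example that is not from the article: each discovered device class is given the segments it may live on and the peer classes it may reach, and the evaluator flags devices on the wrong segment, devices the inventory could not classify, and observed conversations the policy forbids (such as a glucose monitor reaching the records server). All device names, classes, segments and flows below are constructed sample data, and the POLICY layout is a hypothetical format chosen for illustration.

```python
# Added example, not the article's code: inventory-driven segmentation checks.
# Classes, segments, inventory and flows are constructed; POLICY is a hypothetical format.
from collections import namedtuple

# cls: device class as discovered by the inventory tool; segment: where it sits now.
Device = namedtuple("Device", "name cls segment")

# Per class: segments the class may live on, and the peer classes it may reach.
POLICY = {
    "printer":         {"segments": {"print-vlan"},   "peers": {"print-server"}},
    "glucose-monitor": {"segments": {"med-device"},   "peers": {"med-gateway"}},
    "camera":          {"segments": {"physsec-vlan"}, "peers": {"nvr"}},
}
# Back-end systems that are inventoried but are not IoT endpoints themselves.
INFRA = {"print-server", "med-gateway", "nvr", "ehr-server"}

def evaluate(devices, flows):
    """Return (device, kind, detail) findings: unclassified, placement or flow."""
    by_name = {d.name: d for d in devices}
    findings = []
    for d in devices:
        rule = POLICY.get(d.cls)
        if rule is None and d.cls not in INFRA:
            # Visibility gap: an unknown class means no policy can be applied to it.
            findings.append((d.name, "unclassified", f"class {d.cls!r} has no policy"))
        elif rule and d.segment not in rule["segments"]:
            findings.append((d.name, "placement",
                             f"on {d.segment!r}, allowed {sorted(rule['segments'])}"))
    for src_name, dst_name in flows:
        src, dst = by_name[src_name], by_name[dst_name]
        rule = POLICY.get(src.cls)
        if rule and dst.cls not in rule["peers"]:
            findings.append((src.name, "flow", f"reaches {dst.name} ({dst.cls})"))
    return findings

# Constructed inventory and observed flows.
DEVICES = [
    Device("mfp-lobby", "printer", "print-vlan"),
    Device("mfp-branch-07", "printer", "corp-lan"),    # misplaced on the corporate LAN
    Device("glucose-12", "glucose-monitor", "med-device"),
    Device("cam-east-3", "camera", "physsec-vlan"),
    Device("badge-reader-2", "unknown", "corp-lan"),   # never classified by inventory
    Device("ehr-db", "ehr-server", "clinical-servers"),
    Device("print-srv", "print-server", "print-vlan"),
    Device("med-gw", "med-gateway", "med-device"),
]
FLOWS = [("mfp-lobby", "print-srv"), ("glucose-12", "med-gw"),
         ("glucose-12", "ehr-db"), ("cam-east-3", "ehr-db")]
```

Calling `evaluate(DEVICES, FLOWS)` on this sample returns four findings: the branch printer on the corporate LAN, the unclassified badge reader, and two flows into the records server; the lobby printer and the monitor talking to its own gateway produce none.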
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.