The network has undergone a remarkable amount of change over a remarkably short period of time. The clearly defined perimeters of traditional networks have been eroded away by BYOD, mobile computing, migration to the cloud, IoT adoption and the new WAN edge. Of course, this sort of evolution is normal, but the process has been accelerated by digital transformation designed to enable organizations to compete more effectively in today’s digital economy. 5G and the advent of edge computing and networking promise to change things even further and faster.
No element has played a larger role in this transformation than IoT. These devices are smarter, faster and increasingly mobile. They are also present in nearly every new networking environment being adopted by organizations, from branch offices and retail stores to the core network, and from manufacturing floors to the extreme edge of the network where they mingle with user endpoint devices in collecting, generating and sharing information.
Even though these devices are woven into our larger, distributed network environments, in many ways, IoT has become its own network edge. Devices have their own communications channels and protocols, interact to accomplish complex tasks, and generate massive amounts of data while performing critical functions — from monitoring systems to managing inventory to collecting and distributing data.
They have also become highly specialized. Medical IoT and industrial IoT are just the first of a variety of IoT devices designed for specific purposes that we have now come to rely on. Going forward, they will also play a critical role in things like enabling the ecosystem and support autonomous vehicles, making smart buildings and cities possible, and reinventing critical infrastructures to be more responsive to the demands of the communities they serve.
They are also beginning to bridge the gaps between traditionally separate networks, such as IT and OT, and between personal, public and business networks. Smart appliances, alarm systems and even entertainment systems connect back to a corporate network to deliver data and receive instructions. And they are integrated into personal devices that blend private, social and business profiles and data into a single component.
Which is why the persistent challenge of IoT security requires redoubled efforts to resolve. An alarming majority of these devices remain inherently insecure — they can’t even be updated or patched, which is why they have become a preferred target by cybercriminals for things like ransomware, cryptomining, distributed denial-of-service attacks and the delivery of malicious payloads.
Given the pervasive nature of these devices, the unprecedented rate at which they are being adopted and integrated into our networks, and how quickly we have come to rely on them, security has to be a top priority.
IoT security strategies
Because IoT devices can be placed anywhere across the distributed network, operate in different environments and connect from a variety of locations, consistent IoT security requires a consistent and comprehensive security strategy:
Before an IoT device is even selected, an administrator should evaluate its inherent security settings. Devices that can be secured and patched should be appropriately hardened. Devices that cannot be hardened need to be secured using proximity controls, which means they need to be placed behind a firewall and all traffic needs to be inspected and behaviors monitored.
Once they are in place, two additional things need to be considered before they begin communicating. The first is to determine what sort of data a device will generate and the relative value of that data, and second, administrators need to clearly understand what other devices this IoT device will be able to connect to and, as a result, what resources and data it can see, access and potentially exploit.
The next step is to secure communications. The kind and amount of traffic generated by IoT devices can vary greatly. Not only can they use different communications protocols, but the devices themselves can range from only sharing essential information to being very chatty. Encrypting traffic needs to be applied on or as close to an IoT device as possible.
However, because encrypted tunnels provide an excellent way to securely transmit malware, they also need to be inspected. This requires implementing a firewall that can handle the volume of traffic that IoT devices create, has the CPU-overhead required to inspect encrypted traffic at network speeds — a weakness even the most popular firewalls are notorious for — and can implement additional advanced inspection, such as sandboxing, to detect unknown or elusive threats.
Network access control
Once IoT devices begin communicating, it is essential that they be accurately identified at the moment of network access. Network access control enables an organization to identify IoT devices to maintain an inventory of connected devices and ensure that policies meet device requirements. It can classify devices, assess them for risks and tag them with appropriate policies.
The best way to manage IoT traffic after access has been granted is by using intent-based network segmentation. This advanced segmentation strategy can automatically translate business requirements for an IoT device into a security policy that automatically determines the sort of protection an IoT transaction stream requires. IoT devices might be assigned to a segment assigned to a class of devices or functions, a segment based on level of security required or even a separate segment just for a specific device, application or workflow. When properly applied, these segments should be able to seamlessly protect any traffic generated by that device, even if it traverses multiple network environments or cloud ecosystems.
The most essential foundation for securing the IoT edge is building a flexible and integrated security fabric that is able to tie together and orchestrate the disparate security elements that span your networked ecosystems into a unified, interconnected and responsive system. This enables the effective monitoring of legitimate traffic and the checking of authentication and credentials, while enforcing access management across the distributed environment.
Such an approach expands and ensures resilience, secures and isolates distributed IoT resources, and enables the synchronization and correlation of intelligence for effective, automated threat response.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.