By now, the endless stream of content focusing on the insecurity of IoT devices has become mind-numbing. The security industry has been ringing warning bells since smart devices first started penetrating the market years ago. However, recent activity caused by massive IoT-powered botnets, like Mirai, has finally brought the conversation to a boiling point, focusing on the horrors that a lack of IoT security could generate, from taking down the internet to extortion-by-DDoS attacks, and everything in between.
Despite what you might have heard from the IoT security doomsayers, it is possible to take advantage of these internet-connected tools and be secure at the same time. There’s quite a bit of chatter around the insecurity of IoT, yet businesses are still unaware of the actual steps they need to take to shore up defenses. Here are some real-world steps that you can take to ensure your organization stays secure as the IoT wave continues across industries.
Have a policy
It’s surprising and alarming to think about the number of organizations with poor or underdeveloped policies regarding IoT. Many are not even aware of the impact IoT devices have on their networks. But IoT is inescapable; if an organization thinks it’s immune, it’s wrong.
On the bright side, developing a policy doesn’t have to be that difficult. The first step can be to limit the IoT devices allowed on your networks to enterprise-specific vendors that take security seriously and offer service-level agreements for security patches. Further, simple steps like asset inventory and management, timely update cycles, changing default configurations and vendor security assessments can go a long way to help get a strong IoT policy off the ground.
You cannot fight blindly
Visibility into an organization’s network is paramount for a strong security posture. It can be difficult to get an unobstructed view amid the constant flux caused by connected devices. While smart devices offer benefits like automation and data collection, they are also often hard to single out on a given network — especially devices with low computing power. Not to mention the confusion caused by personal devices (e.g., smartphones, tablets, wearables) that constantly go on and off the network as workers go through their day.
This can all be changed with comprehensive solutions that allow for real-time traffic visibility, inline traffic inspection, granular policy control and even bandwidth control. As networks become more complex, blind spots need to be eliminated.
Apply smart segmentation strategies
This rule applies to most situations: if it’s too much to handle at once, break it up into smaller pieces. The same goes for securing IoT devices. Once the right visibility tools are in place, large networks can and should be broken down. Anything touching the network should be segmented by type, purpose or vendor. Beyond just knowing that a device is on the network, organizations need tight control over where it is, what it’s doing and who it’s communicating with. If the general classification rules don’t apply, focus on authorization: devices should never be trusted unless authorized.
For even more sensitive assets, consider a complete air gap. Splitting networks is not enough for complete protection if the segments still interface with critical services. Instead, consider putting these devices into complete isolation so they cannot be used as another attack surface.
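The inventory, default-deny authorization and segmentation rules described in the policy and segmentation sections above, worked through as an added example that is not from the original article. The device inventory, the segment policy and the observed flows are all constructed sample data; the segment names, ports and MAC addresses are assumptions chosen for illustration.

```python
"""Check observed IoT traffic against an asset inventory and a segmentation policy.

Added example, not from the original article. All data below is constructed.
"""
from collections import namedtuple

Device = namedtuple("Device", "mac vendor kind segment")
Flow = namedtuple("Flow", "src_mac dst_segment dst_port")

# Constructed asset inventory: a device is authorized only if its MAC is listed here.
INVENTORY = {
    "aa:bb:cc:00:00:01": Device("aa:bb:cc:00:00:01", "VendorA", "camera", "cameras"),
    "aa:bb:cc:00:00:02": Device("aa:bb:cc:00:00:02", "VendorA", "camera", "cameras"),
    "dd:ee:ff:00:00:10": Device("dd:ee:ff:00:00:10", "VendorB", "hvac", "building"),
    "11:22:33:00:00:20": Device("11:22:33:00:00:20", "VendorC", "plc", "isolated"),
}

# Constructed segmentation policy: source segment -> allowed (destination segment, port).
# Anything not listed is denied by default.
POLICY = {
    "cameras": {("nvr", 554), ("mgmt", 443)},
    "building": {("bms", 47808), ("mgmt", 443)},
}

# Air-gapped segments may not talk to anything; any flow from them is a finding.
AIR_GAPPED = {"isolated"}


def evaluate(flows):
    """Return a list of (reason, flow) findings for flows that violate policy."""
    findings = []
    for f in flows:
        dev = INVENTORY.get(f.src_mac)
        if dev is None:                       # not in inventory: never trusted
            findings.append(("unauthorized-device", f))
        elif dev.segment in AIR_GAPPED:       # isolated assets must stay silent
            findings.append(("air-gap-violation", f))
        elif (f.dst_segment, f.dst_port) not in POLICY.get(dev.segment, set()):
            findings.append(("segment-violation", f))
    return findings


# Constructed sample of observed flows, e.g. from a flow collector on the IoT VLANs.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "nvr", 554),          # camera streaming to its NVR: allowed
    Flow("aa:bb:cc:00:00:02", "corp-files", 445),   # camera reaching a file server: violation
    Flow("99:99:99:00:00:99", "mgmt", 443),         # unknown device: unauthorized
    Flow("11:22:33:00:00:20", "mgmt", 443),         # PLC on the air-gapped segment: violation
    Flow("dd:ee:ff:00:00:10", "bms", 47808),        # HVAC to building management: allowed
]

if __name__ == "__main__":
    for reason, flow in evaluate(SAMPLE_FLOWS):
        print(f"{reason:22} {flow.src_mac} -> {flow.dst_segment}:{flow.dst_port}")
```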
What if it’s too late?
The chances of a breach are pretty high across industries because it will always be harder to defend all assets than to find a single weak spot. If an IoT compromise does occur, be patient and follow any procedures already in place. If there’s no policy in place, assess the scope of the threat and work to contain it. This might require taking all devices offline, or walling them off from the rest of the network. If you have the resources, take the time to reverse engineer any new IoT-targeted malware so you can learn how to develop better defenses in the future. Once contained, the remediation process should ensue. This should entail reflashing the hardware, reconfiguring settings and updating the software. If it’s a broad-scale compromise, the appropriate CERT and/or law enforcement should be notified, especially in critical infrastructure scenarios. The goal is to act quickly to contain any issues and prevent them from jumping from an endpoint to more critical parts of a network.
Ultimately, the best defense is set up early and takes a proactive approach to security. Organizations cannot blindly rely on alerts or endlessly scan devices. Instead, they need to have a plan of action in place supported by smart IoT purchasing, clear network visibility and segmentation. Now is the time to begin shoring up IoT defenses.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.