Internet of things technologies play an important role in helping businesses improve their bottom line, from smart inventory trackers to advanced data mining and process tracking, along with productivity improvements that allow workers to accomplish large-scale tasks quickly. These benefits and more are pushing businesses into a mad rush on IoT devices, with the goal of purchasing the technology now before it becomes more expensive down the road. However, what many businesses forget is that IoT devices are not typically secure. In fact, they are designed to remain cheap and lightweight, which makes them difficult to manage once they are connected to the network. There are several reasons why IoT devices create a visibility challenge, some of which can be solved with the tips below and others that will have to wait for regulatory enforcement (which seems likely in 2018).
Avoid inventory oversight
One of the main and more obvious reasons that it’s so difficult to see IoT devices is that many of them aren’t registered in IT inventory records or catalogues. There are horror stories of hospital employees physically checking each room daily to make sure that each device is accounted for, creating significant room for human error. Even IT professionals can forget to add an IoT device, like a smart coffee machine or HVAC system, to the list of inventoried connected devices because the technology may not seem “important enough” to track. This level of IoT oversight is likely to cost organizations down the line — potentially cancelling out the bottom line benefits mentioned above — as they are leaving these unmonitored devices open to unwarranted access. What’s more, IoT devices are usually protected through a simple operating system and default username or password (some of which can be found online), creating ample opportunity for unauthorized access, data leaks or malicious device activity. If you think about it, these “zombie” IoT devices are like the Terminator that you can’t turn off.
These risks and more can be easily eliminated by maintaining a current and detailed inventory of all network-connected devices (or even those not connected, but present in the office or factory). The inventory can be automatically updated once a device connects, with the help of a mobile device management or network access control technology, and manually verified on a monthly or bimonthly basis. Understanding your IoT device inventory shouldn’t be an annual event; the more you know about the devices on your network (or near your network), the better your organization will be able to effectively respond to IoT security breaches, which lately are increasingly common events.
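The reconciliation described above, as an added example that is not part of the original article: it compares a constructed inventory export with a constructed list of devices seen on the network and flags unregistered, unseen, stale and ownerless entries. The field names, sample data and the 60-day verification window are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an inventory export and
# the devices a NAC/DHCP server reports as currently connected.
INVENTORY_CSV = """mac,name,owner,last_verified
00:11:22:AA:BB:01,lobby-camera,facilities,2018-01-10
00:11:22:AA:BB:02,hvac-controller,facilities,2017-09-01
00:11:22:AA:BB:03,badge-reader,,2018-01-05
"""
OBSERVED = [  # (mac, ip, hostname) as seen on the network
    ("00-11-22-aa-bb-01", "10.0.8.11", "lobby-camera"),
    ("00:11:22:AA:BB:02", "10.0.8.12", "hvac"),
    ("00:11:22:aa:bb:99", "10.0.8.40", "coffee-maker"),
]
MAX_AGE_DAYS = 60  # assumption: "bimonthly" manual verification window


def norm_mac(mac):
    """Normalize MAC notation so 00-11-.. and 00:11:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory_csv, observed, today):
    """Compare the inventory with observed devices; return findings by type."""
    inv = {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {norm_mac(mac) for mac, _ip, _host in observed}
    report = {
        "unregistered": sorted(seen - inv.keys()),  # on the network, not in inventory
        "not_seen": sorted(inv.keys() - seen),      # in inventory, not on the network
        "stale": [],                                # manual check overdue
        "no_owner": [],                             # nobody responsible
    }
    for mac, row in sorted(inv.items()):
        age = (today - date.fromisoformat(row["last_verified"])).days
        if age > MAX_AGE_DAYS:
            report["stale"].append(mac)
        if not row["owner"].strip():
            report["no_owner"].append(mac)
    return report


if __name__ == "__main__":
    for finding, macs in reconcile(INVENTORY_CSV, OBSERVED, date(2018, 2, 1)).items():
        print(f"{finding}: {macs}")
```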
To know thyself, first know thy device
Technically, IoT devices have been around for decades (because really, the term refers to any device that can connect to the internet), but in practice, the IoT devices that have the most value for today’s businesses remain a mystery. The seasoned IT professional will be well-versed in the IoT technology available on today’s market and may be tasked with suggesting devices that should be adopted by the company, but even they know that each device comes with its own challenges.
Most IoT devices are known for their low CPU, minuscule memory and unique operating system (that often needs to be studied from scratch). Many IoT devices are “protected” by factory-derived usernames and passwords that are rarely changed. Furthermore, these devices are designed to connect to the wireless network, and most won’t function at all without a connection. These traits make discovering and managing the devices a significant challenge, especially if they aren’t being accounted for as part of IT inventory. To track their presence on the network, IT teams need dedicated visibility tools with a price point that outweighs the relatively low cost of adopting the IoT devices themselves. As a result, many IoT devices are given free rein over the network and can’t be seen in regular endpoint or vulnerability scans.
You may be thinking that the answer to this challenge lies with the device manufacturers. Indeed, this thinking is correct, but due to a lack of regulation on IoT security, manufacturers are only now starting to realize that a lack of security presents a barrier to implementation. Therefore, it is up to IT professionals themselves to start discovering and managing the devices with the goal of establishing a baseline of normal behavior that will help them identify imminent threats. This can be achieved with a network visibility tool that provides insights into the device, which port or area of the network it is connected to and which data it has access to. In addition, security administrators should set network policies that control access for IoT devices, particularly for data-sensitive areas of the network. Finally, make sure that you know everything about the device and the manufacturer. Though many IoT devices cannot be patched, some manufacturers now issue firmware updates that should be installed whenever possible. These updates help prevent hackers from gaining access — which can be relatively easy to achieve once the credentials for access have been discovered through websites like the Shodan network and others.
When in doubt, segment it out
Another reason that it’s difficult to see IoT devices on the network is that they are grouped in with all of the other connected devices on the network, such as BYOD, mobile, laptops, PCs, printers and more. In fact, they may not even be “grouped in” or assigned a specific group/role-based policy due to their ubiquitous purposes — be it a kitchen appliance, connected security camera or heating/cooling system — leaving them free to roam around the network. No one user or group of users is assigned to manage the device (data collection may be automated), so responsibility for ensuring the device’s security status and authorized areas of access is left up in the air. The result: IoT devices become free agents that can be easily turned to the side of hackers and other malicious actors. The numerous distributed denial-of-service botnet attacks of late are the best examples of how hackers can manipulate a feeble IoT security policy to gain access to corporate data or even shut down operations entirely (see the attack on Dyn).
With a combination of forces working against security when it comes to IoT, the best solution is to segment. The segmentation process begins with conducting a thorough inventory of devices: which IoT devices are in use, by which employees and for what uses. Also assess the nature of their connectivity: Are they connected to the VLAN or LAN networks? Do they need access to more than just an internet connection to perform their functions? And how do these devices transmit their data (in what form)? Answering these questions ties back to the importance of knowing the device in use and its functionality. Once all of the ducks are in a row, it’s easier to start segmenting.
A suggestion for segmentation is not to group all connected devices together, but rather specify certain categories, such as infrastructural devices, data-collecting devices, organizational devices, and maybe even wearable devices. By understanding the unique functionalities of each device, it will be easier to create a network security policy that can serve their purpose and maximize their results. Another idea is to ask technically minded employees to monitor a certain IoT segment that they work with on a regular basis. This will not only help them collect better data and manage their technology needs, it will emphasize the importance of securing and managing the devices. Segmentation can also be useful in the unfortunate case of a breach by allowing for rapid remediation that involves quarantining or entirely blocking access for those devices from the network.
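A per-segment access policy of the kind described above, as an added example that is not part of the original article: it checks observed flows against the policy for each device category and lists the devices to quarantine. The policy rules, addresses and flow records are constructed assumptions; only the segment names come from the text.

```python
import ipaddress

# Assumed policy (illustrative): each segment may reach only the listed
# (destination, port) pairs. "internet" means any address outside INTERNAL.
POLICY = {
    "infrastructural": [("10.0.50.0/24", 443)],   # building-management server
    "data-collecting": [("10.0.60.0/24", 8883)],  # telemetry broker
    "organizational":  [("internet", 443)],       # appliances need the vendor cloud only
    "wearable":        [("internet", 443)],
}
DEVICE_SEGMENT = {  # constructed inventory: device IP -> segment
    "10.0.8.12": "infrastructural",
    "10.0.8.21": "data-collecting",
    "10.0.8.40": "organizational",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
FLOWS = [  # constructed flow records: (source IP, destination IP, destination port)
    ("10.0.8.12", "10.0.50.5", 443),
    ("10.0.8.21", "10.0.60.9", 8883),
    ("10.0.8.40", "203.0.113.7", 443),
    ("10.0.8.40", "10.0.20.15", 445),    # appliance reaching an internal host
    ("10.0.8.77", "198.51.100.9", 23),   # device with no segment assigned
]


def allowed(segment, dst_ip, dst_port):
    """True if the segment's policy permits this destination and port."""
    dst = ipaddress.ip_address(dst_ip)
    for net, port in POLICY.get(segment, []):
        in_net = dst not in INTERNAL if net == "internet" else dst in ipaddress.ip_network(net)
        if port == dst_port and in_net:
            return True
    return False


def evaluate(flows):
    """Return {source IP: [reason, ...]} for devices that should be quarantined."""
    quarantine = {}
    for src, dst, port in flows:
        segment = DEVICE_SEGMENT.get(src)
        if segment is None:
            quarantine.setdefault(src, []).append("no segment assigned")
        elif not allowed(segment, dst, port):
            quarantine.setdefault(src, []).append(f"{segment} -> {dst}:{port} outside policy")
    return quarantine


if __name__ == "__main__":
    for device, reasons in evaluate(FLOWS).items():
        print(device, reasons)
```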
As the economic advantages of IoT technologies become increasingly clear, and as device manufacturers aren’t required by consumer protection laws to integrate security features, now is the time for enterprises to focus on gaining complete IoT visibility. It starts with understanding the inventory of connected devices and ends with segmenting those devices into areas of the network with limited access according to their needs. While many businesses and even consumers feel helpless in the hands of device manufacturers, rest assured that there are readily available and relatively simple ways to achieve the level of visibility you need.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.