Ask any enterprise security practitioner and they'll tell you that security in IoT devices, like any new technology, is a big challenge. One area where the internet of things presents a particular security challenge, though, is in understanding and dealing with the scope of the challenge: the variety of use cases, situations and devices included under its broader umbrella. Specifically, keep in mind that security in IoT devices potentially can include anything from the IP-connected television in your conference room to intelligent sensors used on the production floor to operational technology (like industrial control systems at a utility) or clinical devices (such as imaging devices or biomedical devices) for a healthcare provider.
Time to get tough
As you might imagine, each of the above-listed situations can have a potential impact on your organization's security: The television could be an entry point to your internal network; the shop floor's sensors and other equipment could contain information of value to a competitor; the industrial control system could have a cyberwarfare implication (such as an attack on critical infrastructure); and the clinical devices could have patient health and safety impact. Ensuring that those devices are fielded according to a secure configuration is important -- and it's equally important that they stay that way over time.
Obviously, device manufacturers can and should ultimately play a critical role in this: as technology matures, as standardization emerges, and as regulators and policy-makers evaluate their role, there is potential for increased maturity down the road. As a practical matter in the meantime, though, security pros in the enterprise need to ensure their organizations stay protected.
This can be a tough nut to crack for a few reasons. First, unlike hardening a general-purpose operating system (such as services, desktops or even BYOD devices), the specific configuration of a given IoT device may be less directly modifiable by an end user. Moreover, even where configuration options do exist that influence the security in IoT devices, a security professional may not be organizationally equipped to make sure this is done. For example, there may not be a clear delineation of responsibility for who specifically is responsible for the security configuration. Lastly, because of the diversity of potential devices, "one size fits all" guidance can only go so far. For example, the specific configuration changes or security countermeasures you'd employ on a television will be vastly different than those you might employ for a humidity sensor used in agricultural applications. This means that the decisions you make about hardening IoT devices must of necessity be done on a case-by-case, device-by-device basis.
Three key steps to security in IoT devices
There are a few things that organizations can do to help develop and enforce a hardened configuration for the IoT devices they field. The following simple steps can provide significant value from a security standpoint to help ensure a robust configuration over time.
The first step is to establish a process to identify new devices coming into the organization. There are two components to this:
- Identification/discovery/inventorying of new devices
- Integration of devices into a broader asset management approach
For the first, the discovery side of the equation, adopt a "belt and suspenders" approach. Specifically, use existing data sources, such as vulnerability assessment information, to help discover devices on the network that you might not expect or already know about. At the same time, build relationships with business and other teams to identify initiatives that involve bringing in specialized devices, business automation scenarios and other use cases that would necessitate special-purpose devices that you might wish to protect.
Integration of devices into your broader asset management approach, the second component, involves clearly demarking and establishing areas of accountability and responsibility for keeping devices protected, configured appropriately and in their optimal configuration from a security standpoint. In other words, ensure that it is someone's job to verify that these critical steps happen. In some cases, it might best be a job for the IT organization, but in other cases, the business teams or even third-party-vendor support personnel might best be suited for this task. Whatever is decided, assigning a point of responsibility will ensure that appropriate action is taken. It is also helpful to marry this information with the inventory information that you are capturing in the first step. This means that circumstances might dictate on a device-by-device basis who the responsible party is; ensure that this information is retained and tied to inventory.
The next key step is to do the legwork to understand the model for the IoT device security. Include mechanisms such as security configuration parameters that the organization can set. Again, this will be a device-by-device exercise. Since it's conceivable that the responsibility for ensuring the security of the devices in scope is distributed among different teams, it's helpful to document expectations and objectives about security goals. The scope of this documentation can be both technical guidance to teams that have responsibility for oversight of securing certain devices, and the documentation can also address areas of security-related considerations to include in procurement activities, cases in which the security team might be only tangentially involved. For example, guidance can address requirements or guidelines for application testing techniques the device manufacturer uses, use of a trusted execution environment, requirements for encryption (both of data in transit and data at rest) and so on.
The final suggested step to hardening IoT devices may sound trite, but keep in mind that the value of protection mechanisms addressing the rest of the network increases in value in light of IoT. This means that an essential step in limiting possible attacks on IoT devices is to get the rest of the house in order. Ideally, the savvy security practitioner will be doing this anyway, but IoT can provide additional impetus to do this well. Putting your security house in order includes testing activities such as vulnerability assessment, penetration testing and application security testing. It also includes "detective" controls (e.g., IDS), enhanced authentication and the like.
In short, the final step in hardening IoT devices is to use all the normative countermeasures in your toolbox for ensuring an overall robust security posture.
Learn how the spread of interconnected devices affects data security.
The many implications of pervasive sensing on IoT security
IoT fears spawn new IoT services
Who owns all that IoT data?