And yet, they form the basis of many critical business functions, from sensors on manufacturing equipment to smart trackers on transport vehicles, from shelves that can detect low stock to your personal smartphone. IoT devices are being added to wider IT estates at a staggering rate, with current predictions placing organizational adoption of IoT at 48% in 2018. What can organizations do to support good security practice when IoT devices are in use?
This article will take a closer look at:
- Why current IoT device design is inherently insecure;
- What organizations should consider when adding and connecting IoT devices to their corporate infrastructure, and;
- How the proliferation of IoT devices across corporate networks presents a security challenge that can – with the right processes in place – be effectively managed.
So, why aren’t IoT devices more secure?
A few reasons:
IoT devices aren’t standardized
Unlike, say, Microsoft – which provides a standardized and consistent environment – IoT devices run on a variety of different Linux kernels, each of which is purpose-built and has limited storage space, memory size and computing power. This makes it difficult to install security software or an endpoint monitoring agent.
IoT devices reside on customized firmware
IoT device manufacturers customize their firmware to their own specification, often outsourcing firmware development to a third party. This means that any monitoring agent would have to be passed on to the third party for integration into the firmware, which might also cause instability issues within the IoT device itself. This is again down to the wide gamut of Linux kernel usage – different kernels will have different quirks and feature support, and many IoT devices are not designed with firmware upgrades in mind.
The road to securing IoT
There are many ways in which future IoT devices can be made more secure. Designing them with security in mind, having the compatible hardware specifications, and using a suitable operating system kernel that is compatible with an endpoint agent would be a start. Even better, they could be designed to perform automated integrity checks and record the status to a server.
However, while many larger technology manufacturers are currently sharing plans for how to secure future IoT devices, at the time of publication no one has yet made a public commitment. So, how can companies provide security for devices that are inherently insecure?
Considerations when adding IoT devices to your network
In the absence of direct monitoring, there are a number of actions that organizations can take to manage IoT device security.
1. Always change the password
It’s so simple, and yet so often overlooked. But most IoT devices are compromised through default credentials – or a complete lack of authorization.
2. Know which devices are on your network
The age of BYOD (bring your own device) creates better convenience for employees, but – in many enterprises – can put thousands of unregistered devices on your corporate network. Doing an audit of personal devices or creating a separate WiFi network for non-corporate devices is one way around this.
3. Deploy threat hunters for log and network analysis
At its core, threat hunting is the process of actively seeking out potentially malicious activity on an IT estate. It relies on the intuition and savvy of experienced people who channel the attacker mindset in order to predict and prevent an attacker’s next movements. Threat hunters can be deployed to monitor the IoT doors through which a threat actor might enter, including logs, network data, cloud servers, and more.
4. Have a tried-and-tested incident response plan
It is widely accepted that, for most organizations, being compromised by threat actors is not a case of if, but when. Having a plan for how to respond to all eventualities regarding a breach – including isolation, investigation, and remediation – is essential to mitigating the damage an attack can cause.
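One way to run the device audit from recommendation 2, as an added example that is not from the original article: it compares DHCP leases with an asset inventory and flags devices nobody registered, including phones using randomized MAC addresses. The dnsmasq-style lease lines, the inventory and all function names are constructed for illustration.

```python
# Constructed sample in dnsmasq lease-file layout:
# <expiry-epoch> <mac> <ip> <hostname> <client-id>
LEASES = """\
1700003600 00:11:22:aa:bb:01 10.0.20.11 hvac-sensor-1 *
1700003600 00:11:22:AA:BB:02 10.0.20.12 shelf-scale-7 *
1700003600 00:de:ad:10:20:30 10.0.20.57 * *
1700003600 da:a1:19:00:00:01 10.0.20.80 android-7f3 01:da:a1:19:00:00:01
this line is malformed
"""

# Constructed inventory: MAC -> owning team, as an asset register would hold.
INVENTORY = {
    "00:11:22:aa:bb:01": "facilities",
    "00:11:22:aa:bb:02": "warehouse",
    "00:11:22:aa:bb:09": "warehouse",  # registered but not currently leased
}

HEX = set("0123456789abcdef")

def normalize_mac(mac):
    """Return lower-case colon-separated MAC, or None if not a 48-bit MAC."""
    parts = mac.replace("-", ":").lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 or not set(p) <= HEX for p in parts):
        return None
    return ":".join(parts)

def is_randomized(mac):
    """Locally administered bit set, as on phones that use private MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(lease_text, inventory):
    """Split leases into unknown devices, missing assets and bad lines."""
    seen, unknown, skipped = set(), [], 0
    for line in lease_text.splitlines():
        fields = line.split()
        mac = normalize_mac(fields[1]) if len(fields) >= 4 else None
        if mac is None:
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        seen.add(mac)
        if mac not in inventory:
            kind = "randomized" if is_randomized(mac) else "unregistered"
            unknown.append((mac, fields[2], fields[3], kind))
    missing = sorted(set(inventory) - seen)
    return {"unknown": unknown, "missing": missing, "skipped": skipped}

if __name__ == "__main__":
    print(audit(LEASES, INVENTORY))
```

A randomized MAC cannot be matched to an inventory entry by address alone, so those devices are reported separately; they are the ones a dedicated non-corporate WiFi network is meant to contain.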
Above all, perhaps the most potent approach to tackling IoT device security is to remember that they are essentially small, rogue assets that are easily carried into an office and plugged into a network. Acknowledging the inherent risks posed by these devices goes a long way toward protecting yourself against the threats they pose.