Consumers have fallen in love with smart devices and effortless connectivity. If you own devices like Amazon Alexa or Google Assistant, chances are you’ve fallen down the IoT rabbit hole. IoT-enabled devices allow both technical and non-technical consumers of technology to easily turn their traditional environment into a smart one. And in today’s world of IT, the laws of consumerization work almost in reverse, with consumers now frequently driving the technology and applications running in our enterprise environments.
Successful deployment of IoT devices is hindered by a variety of challenges, including power and processing capabilities, scalability and security. According to Fortune Business Insights, the IoT market is projected to increase in value by 24.7 percent by 2026. Security is often overlooked as manufacturers rush to introduce their products ahead of competitors and make a profit. The rate at which new IoT technology is being introduced means there may not be enough risk-mitigation mechanisms available to protect devices and their users from hackers.
Concerned by the growing IoT attack surface, the FBI says owners of IoT devices should separate this equipment from primary devices by placing it on isolated networks. The suggestions for consumers translate to enterprise environments as well: organizations with enterprise and industrial IoT devices alike must ensure appropriate segmentation of devices based on device type; access to resources or data and the classification of that data; device posture and known vulnerabilities; criticality of the systems involved; and manufacturer best practices.
The depth and breadth of IoT, IoHT and IIoT devices on enterprise networks can be daunting. Simply finding and identifying the devices can be a lengthy undertaking in and of itself, and many organizations, including those in healthcare, rarely have robust inventories of these devices with the level of detail required to properly identify and secure them. Our network access control (NAC) packages always start with a discovery element to meet this need, along with consulting to help clients plan and implement appropriate access levels for IoT and non-IoT devices alike. We automatically add context to the discovery and inventory process through several means, including watching ingress and egress traffic from devices within the network and to/from the Internet, which produces a high-confidence classification of what each device is.
Continuous monitoring and security management of the devices is usually the next hurdle, since many ‘light’ endpoints, including the various flavors of IoT devices, can be easily broken by a port scan that would be innocuous to a typical server or workstation. For this reason, we work with clients to build out inventory through passive discovery, or to leverage existing inventory repositories through integrations, rather than relying on active probing.
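The following Python script is an added illustration of the passive discovery-plus-segmentation approach described in the two paragraphs above; it is not Carolina Advanced Digital's tooling. Every piece of evidence comes from flows the device itself generated or received, so no probe is ever sent to a fragile endpoint. The flow records, the OUI-prefix hints, the signature weights, the confidence threshold and the segment names are all constructed for the example; the port-based indicators (RTSP 554, IPP 631, raw printing 9100, mDNS 5353, NTP 123, SNMP 161) are standard service ports. A real deployment would feed the same logic from NetFlow/IPFIX or span-port captures and a maintained OUI and fingerprint database.

```python
"""Passive IoT device classification and segment assignment from observed flows.

Added example, not vendor tooling. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    mac: str        # hardware address of the device being classified
    direction: str  # "egress" = device initiated, "ingress" = device was the target
    peer: str       # remote host or domain seen in the flow (kept for the inventory)
    port: int       # server-side destination port
    proto: str      # "tcp" or "udp"


# Constructed OUI-prefix hints; these are NOT real vendor assignments.
OUI_HINTS = {
    "aa:bb:01": "camera",
    "aa:bb:02": "printer",
    "aa:bb:03": "speaker",
}
OUI_WEIGHT = 0.2  # added when the OUI hint agrees with the candidate type

# Per-type indicators as "direction:proto:port" -> weight.
# Flow weights for each type sum to 0.8, so a full match plus OUI agreement scores 1.0.
SIGNATURES = {
    "camera":  {"ingress:tcp:554": 0.5, "ingress:tcp:80": 0.2, "egress:udp:123": 0.1},
    "printer": {"ingress:tcp:9100": 0.4, "ingress:tcp:631": 0.3, "ingress:udp:161": 0.1},
    # Outbound 443 is deliberately weighted low on its own: almost everything talks HTTPS.
    "speaker": {"egress:tcp:443": 0.4, "egress:udp:5353": 0.3, "egress:udp:123": 0.1},
}

# Hypothetical segment policies keyed by device type.
SEGMENT_POLICY = {
    "camera":  "VLAN-CAMERAS: allow to NVR only, deny Internet",
    "printer": "VLAN-PRINT: allow from user VLANs on 631/9100 only, deny Internet",
    "speaker": "VLAN-IOT-CLOUD: allow outbound 443 to vendor cloud only, deny lateral",
}
MIN_CONFIDENCE = 0.6  # below this the device is quarantined for manual review


def classify(mac, flows):
    """Score each candidate type from the device's own flows; return (type, confidence, all_scores)."""
    keys = {f"{f.direction}:{f.proto}:{f.port}" for f in flows if f.mac == mac}
    oui = OUI_HINTS.get(mac[:8].lower())
    scores = {}
    for dtype, sig in SIGNATURES.items():
        score = sum(weight for key, weight in sig.items() if key in keys)
        if oui == dtype:
            score += OUI_WEIGHT
        scores[dtype] = round(score, 2)
    best = max(scores, key=scores.get)
    return best, scores[best], scores


def assign_segment(mac, flows):
    """Map a classification to a segment policy, quarantining low-confidence devices."""
    dtype, confidence, _ = classify(mac, flows)
    if confidence < MIN_CONFIDENCE:
        return "QUARANTINE: unclassified, review manually", dtype, confidence
    return SEGMENT_POLICY[dtype], dtype, confidence


def build_inventory(flows):
    """Produce the discovery inventory: one entry per hardware address seen in traffic."""
    inventory = {}
    for mac in sorted({f.mac for f in flows}):
        policy, dtype, confidence = assign_segment(mac, flows)
        inventory[mac] = {"type": dtype, "confidence": confidence, "policy": policy}
    return inventory


# Constructed sample flows: a camera, a printer, and a device that only talks HTTPS outbound.
SAMPLE_FLOWS = [
    Flow("aa:bb:01:00:00:01", "ingress", "10.0.5.20", 554, "tcp"),
    Flow("aa:bb:01:00:00:01", "ingress", "10.0.5.20", 80, "tcp"),
    Flow("aa:bb:01:00:00:01", "egress", "time.example.net", 123, "udp"),
    Flow("aa:bb:02:00:00:02", "ingress", "10.0.10.33", 9100, "tcp"),
    Flow("aa:bb:02:00:00:02", "ingress", "10.0.10.41", 631, "tcp"),
    Flow("cc:dd:ee:00:00:03", "egress", "api.example.com", 443, "tcp"),
]

if __name__ == "__main__":
    for mac, entry in build_inventory(SAMPLE_FLOWS).items():
        print(mac, entry)
```

The unknown device at the end only shows outbound HTTPS, which is weak evidence by design, so it lands in quarantine rather than being guessed into a segment; that is the safe default for an endpoint you cannot afford to probe actively.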
While traditional methods use access control lists (ACLs) or filtering on routers or firewalls to separate networks, micro-segmentation and zero trust networking are quickly becoming alternatives that offer more granularity and flexibility and are better suited to today’s complex enterprise environments.
The FBI states that isolating IoT devices on individual networks yields the best results, and also offers additional advice on handling IoT devices:
- Change default passwords and increase password strength by creating long, unique passwords that include numbers, symbols, and capital and lower-case letters. In enterprise environments, organizations should use logon credentials with audit capabilities, most often meaning connecting to RADIUS or TACACS+ for admin user authentication, and any management protocols should be encrypted.
- Be conscious of the personal information that you allow mobile apps to collect. Many apps can run in the background of your mobile device and may access information through default permissions. Review privilege requests and reject requests that you do not understand. App permission control varies greatly from platform to platform. In enterprise environments, organizations should leverage mobile device management (MDM) solutions, which can be integrated with other security technologies for endpoint control, posture assessment, and access control based on level of security.
- Update devices regularly and turn on automatic updates for software, hardware and operating systems, if available. Again, in enterprise environments there can be some additional work or caveats with automatic updates. Domain and endpoint application admins should leverage GPOs or central policies to push organization-tested and approved updates to endpoints as soon as possible, especially when security updates are involved. For mobile and nomadic users, a centrally managed platform can ensure the organization’s security policies are enforced even when off-network.
IoT is largely unregulated when it comes to security, but that trend is changing with recent legislation. California and Oregon are the first two states to pass requirements for IoT device security, effective January 1, 2020. Additionally, the Cybersecurity Improvement Act of 2019 was introduced in Congress in March 2019 to push manufacturers towards a security-by-design approach.
Though these regulations will continue to develop, organizations can directly improve their IoT security strategy by conducting formal training and awareness programs as well as leveraging AI technology to identify potential security violations. As the need for IoT security grows with the number of connected devices, the best defense is a good offense. Taking a proactive approach to IoT security will reduce the network’s exposure.
Carolina Advanced Digital offers a breadth of IoT security solutions including products and services for segmentation, micro-segmentation, zero trust networking and network access control (NAC) as well as endpoint security, security awareness training and a variety of integrations with your existing infrastructure and applications. Contact us today to schedule a free call with a team member to discuss your IoT project.