IT Focus Area: Security
December 7, 2017
Securing the IoT Revolution
IoT is revolutionizing entire industries. Organizations are adopting connected devices in an effort to maintain competitive advantage, generate real-time data, and create economic value. Of course, achieving this kind of impact requires hurdles to be overcome. Most notably, security. While IoT creates a variety of opportunities for enterprises in all industries, it also expands the attack surface.
The Myth of IoT
The majority of IoT devices are not designed with security as a priority. Many attribute this failure to the manufacturers, and feel they should build security into the devices from scratch. Some are even calling for the government to step in to regulate smart devices. When it comes to cybersecurity, however, this is a well-intentioned but misguided effort that doesn’t consider the challenges manufacturers face.
A lot of IoT devices are retrofitted to become connected; they were never designed from scratch to be secure. If Microsoft and Intel couldn’t secure computers from scratch, how can a company whose core business is outside of IT be expected to do that? In some cases, they don’t even have the resources to invest in security. Organizations should do all they can do to choose secure devices, but the reality is that the burden of IoT security falls on us.
In order to understand how to secure IoT in the enterprise, it is important to consider how devices are being deployed and the threats they present.
Businesses are deploying connected devices in two central ways:
1 Core business operations: Specific industries are leveraging IoT to transform how they’re doing business. Hospitals are deploying connected beds and medical devices. Retailers are implementing not just point of sale (POS) systems, but entire connected stores. Cities have sensors everywhere, from bridges to traffic lights. Hotels are realigning themselves around customer experience, using IoT data to personalize content and deliver targeted messages to guests. Airlines and airplane manufacturers are designing connected fleets, with every component of the latest jets attached to a wireless network — from the engines to the flaps to the landing gear — providing data on everything from performance to required maintenance. Even sports teams are collecting real-time data; athletes on the field use wearable sensors that collect real-time data about their movements that can be sent to physical therapists, doctors and trainers.
2 Automation: Organizations in all industries are leveraging IoT to make offices more than just workplaces. They are focusing on data collection and automation to control and collect data about everything from energy, lighting and cooling systems, to digital camera systems and security for badge readers, to printers and conferencing systems. This collected data can be analyzed and used in a variety of ways to manage and monitor the office and employees.
IoT Security Risks
The reality is that IT is not in control of IoT adoption. IT was outpaced by BYOD, and IoT is growing even faster; IT departments are falling behind, and are often forced to just let these devices connect. The risk of doing this is that each one is an endpoint that can potentially be taken over by a hacker. The devices have credentials into the network, and it doesn’t matter if there’s nothing on the device itself; it’s a gateway into your corporate and critical assets.
If adversaries compromise one of these devices, they can use it to open up full access to your network or bridge from a less secure to a more secure network. Compromised devices can also be used as part of a botnet — joining the computing power of many devices together to take entire parts of networks down. Companies have to worry about protecting the organization against distributed denial-of-service attacks (DDoS) and from their own internal devices.
*Gartner predicts endpoints of the IoT will grow at a 33% CAGR from 2015 through 2020, reaching an installed base of 20.4 billion units.
IoT is more than an IT revolution — it’s a revolution in how users approach technology. We came from a world where IT was the only place to get a device, and it would be trusted and secured by the organization. Today, users expect everything will be connected, and often don’t ask for permission. The age of restricted device usage is over. You have to be able to manage anything that is deployed.
Securing IoT Devices
Companies typically manage the devices on their networks in a traditional way. IT buys the device, gets an agent, and puts the software on the device to enable them to manage it wherever it is. This works reasonably well for computers, servers and even mobile devices, but not for IoT. IoT devices are closed in nature — even though a company owns the device, they have no ability to deploy their own security into it. Securing IoT devices requires a different approach.
Effective IoT security requires the consideration of key elements:
Objectives: Each company’s IoT initiative is different. Clear objectives need to be established before the right security can be implemented; it is important to adapt the overall security strategy to the organization’s goals.
Visibility: Discovering and classifying devices is critical — after all, you cannot secure what you cannot see. Agentless solutions that integrate with the entire network fabric are key. They can connect to all parts of the network and access all sets of data. In that way, they facilitate not only the discovery of devices, but also determine what types of devices they are (classification).
Control: Different devices need different types of controls. The first step is understanding what the device is, so you can set policies that define what the devices are supposed to do on your network, and what they’re not supposed to do. Through continuous monitoring, you can identify what they’re doing on the network and look for deviations from normal activity. If the device is compromised, the organization can alert, block and take actions based on policy.
Ecosystem Integration: The ability to secure IoT devices involves the entire security ecosystem. Take advantage of all of the other elements of security already in place; these tools can be leveraged. Firewalls can be used as enforcement mechanisms, for instance, and security information and event management systems can enhance monitoring and analytics. Bringing all of the tools in the environment together increases the ability to orchestrate visibility and response.
Is Your Organization Ready for IoT?
IoT is not an option. It is the new reality that requires digital leadership from organizations in all industries. With nearly 30 billion devices estimated to be connected by 2020, IoT is going to have a massive impact on how business is done. Organizations need to take notice of the risks inherent in the products they use, and take action to mitigate those risks. With a careful approach, you can optimize visibility and control, and realize the benefits that IoT provides.
*Gartner, Forecast: Internet of Things — Endpoints and Associated Services, Worldwide, December 29 2016