
How To Keep The Internet Of Things From Becoming A Liability

CenturyLink

The internet of things (IoT) is more real every day as companies aim to connect assets, products, facilities and other “things” via the internet — and gather all sorts of data related to connected objects.


As IoT becomes more mainstream, organizations need to take steps to ensure that connected devices and the information they store and transmit are safe. That means securing the data, applications and networks that make up IoT infrastructures.

“The threats are everywhere,” said Laura DiDio, principal analyst for Information Technology Intelligence Consulting. “This may be stating the obvious, but in IoT environments and ecosystems where people, devices and applications are all interconnected, the ‘attack vector’ or ‘attack surface’ is potentially unlimited.”

Threats can come from any number of sources — careless users, opportunistic hackers, the network perimeter, the applications or physically insecure devices, according to DiDio.

“Enterprises must be vigilant and must also consider the security of all devices and points on the network,” she said.

The network edge or perimeter is a particular focal point of IoT security. But organizations shouldn’t focus exclusively on one area, DiDio said. “Every device, application, endpoint and human attached to the IoT ecosystem must be considered a potential entry point,” she said. “Businesses and their IT departments must consider the overall network and assess the threat levels associated with various equipment and applications.”

Careless end users constitute a major threat to IoT security. Vulnerability may increase substantially when IT departments are negligent and C-level executives fail to budget for IoT security or to get their IT managers properly trained and certified, DiDio said.

“Security cannot be an afterthought, or tacked on in an ad hoc fashion,” DiDio said. “It must be built-in.”

Companies must perform due diligence and collaborate with their vendors, resellers and service providers to ensure that all new devices and applications incorporate the latest security mechanisms, she said.

Before provisioning or deploying any device or application, a company should ensure it is secure by design and in use, and that data are secure in transmission and in storage.

“Organizations cannot think of IoT as just a bunch of interconnected devices strung together like multiple strands of Christmas lights,” DiDio said. “Enterprises need to re-engineer security to support IoT.”

For example, security protocols must be adapted to support IoT applications. The open-standard Internet Protocol Security (IPsec) suite can be used to secure communications between devices, with session keys negotiated by a public-key exchange protocol such as Internet Key Exchange (IKE), according to DiDio. But doing so can have a downside, because those key-exchange operations are computationally expensive for small devices.

“This can adversely impact the performance and reliability of IoT devices and unwittingly make the organization more vulnerable for pernicious DDoS [distributed denial-of-service] attacks by overloading CPU capacity,” she said.

Businesses should check with their vendors and IoT security professionals. “Failure to upgrade and re-engineer IoT ecosystems with the appropriate security protocols and controls is a big mistake,” DiDio said.

Here are four key practices DiDio recommends for strong IoT security.

  1. Take inventory. Know what people, devices and applications are on your network. That includes the various versions of software that users have installed on desktops, notebooks, tablets and smartphones.
  2. Regularly review and update computer security policies. The business case should always precede and drive the technological aspects of computer security. Organizations should construct and/or update existing security policies and procedures involving all aspects of the business. Security policies and procedures should reflect the current business climate and incorporate clear guidelines that reflect the latest cyberthreats.
  3. Enforce cybersecurity policies and procedures. Make it clear that the corporate cybersecurity rules are not made to be broken. The organization should construct a clear, concise list of the penalties associated with various infractions. These should include a sliding scale of actions the organization might take for first, second and third infractions. Failure to comply with the cybersecurity policies might involve actions ranging from a warning to termination, or even criminal prosecution.
  4. Construct a cybersecurity-specific operational-level response plan. Every organization should have a detailed plan to respond quickly and efficiently to cyberattacks. There should be a set of detailed policies and procedures that govern how the company's internal stakeholders will work together to respond to issues.
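The first practice above, taking inventory, is the one that is easiest to automate and the one IoT environments most often skip, because "things" rarely show up in a software asset register. The following script is an added example, not code from the article, from CenturyLink or from DiDio. It reads the Linux neighbor table (the output of `ip neigh show`) and a dnsmasq-style DHCP lease file, joins them on MAC address, and reports every device that is not on an approved-asset list. The neighbor-table lines, the lease lines, the approved list and the small OUI table are all constructed for the example; a real deployment would feed in live command output and the full IEEE OUI registry.

```python
"""Build a network device inventory and flag devices that nobody has approved.

Added example: joins `ip neigh show` output with a dnsmasq lease file and
compares the result against an approved-asset register. All inputs below are
constructed sample data, not captured from a real network.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ip neigh show` output. The last line has no lladdr
# (resolution failed), so there is no MAC to inventory and it is skipped.
SAMPLE_IP_NEIGH = """\
10.0.5.12 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.0.5.40 dev eth0 lladdr B8:27:EB:11:22:33 STALE
10.0.5.77 dev eth0 lladdr f0:9f:c2:aa:bb:cc REACHABLE
10.0.5.90 dev eth0  FAILED
"""

# Constructed sample in dnsmasq lease-file format:
#   <expiry epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700000000 00:1a:2b:3c:4d:5e 10.0.5.12 printer-3f *
1700000500 b8:27:eb:11:22:33 10.0.5.40 * *
1700000900 f0:9f:c2:aa:bb:cc 10.0.5.77 thermostat-lobby 01:f0:9f:c2:aa:bb:cc
"""

# Hypothetical approved-asset register maintained by the organization:
# MAC address -> (owning team, description).
APPROVED = {
    "00:1a:2b:3c:4d:5e": ("facilities", "print server"),
    "f0:9f:c2:aa:bb:cc": ("facilities", "lobby thermostat"),
}

# Tiny subset of the IEEE OUI registry, used only to give the analyst a hint
# about what an unknown device might be. A real tool would load the full list.
OUI_HINTS = {
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Matches "<ip> dev <iface> lladdr <mac> ..."; lines without lladdr don't match.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


@dataclass
class Asset:
    mac: str
    ip: str
    hostname: str      # from DHCP lease; empty if the client sent none
    vendor_hint: str   # OUI lookup result or "unknown vendor"
    status: str        # "approved" or "unknown"


def parse_ip_neigh(text: str) -> dict:
    """Return {mac: ip} for every neighbor entry that carries a MAC address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen[m.group("mac").lower()] = m.group("ip")   # normalize case
    return seen


def parse_leases(text: str) -> dict:
    """Return {mac: hostname} from dnsmasq lease lines; '*' means no hostname."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            hostname = parts[3]
            names[parts[1].lower()] = "" if hostname == "*" else hostname
    return names


def build_inventory(neigh_text: str, lease_text: str, approved: dict) -> list:
    """Join neighbor table and leases on MAC and mark each device's status."""
    neigh = parse_ip_neigh(neigh_text)
    names = parse_leases(lease_text)
    inventory = []
    for mac, ip in sorted(neigh.items()):
        inventory.append(Asset(
            mac=mac,
            ip=ip,
            hostname=names.get(mac, ""),
            vendor_hint=OUI_HINTS.get(mac[:8], "unknown vendor"),
            status="approved" if mac in approved else "unknown",
        ))
    return inventory


def unknown_devices(inventory: list) -> list:
    """Devices seen on the wire that are absent from the approved register."""
    return [a for a in inventory if a.status == "unknown"]


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_IP_NEIGH, SAMPLE_LEASES, APPROVED)
    for a in inv:
        print(f"{a.status:8} {a.ip:12} {a.mac}  {a.hostname or '-':18} {a.vendor_hint}")
    for a in unknown_devices(inv):
        print(f"ALERT: unapproved device {a.mac} at {a.ip} ({a.vendor_hint})")
```

On a real host, replace the constants with the output of `ip neigh show` and the contents of the dnsmasq lease file, and run the comparison on a schedule. The join on MAC address matters: an IoT device that never registers a DHCP hostname still appears in the neighbor table, and the OUI hint is often the only clue to what it is until someone walks over and looks at it.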

“The sheer size, scope and complexity of IoT environments constitutes a security threat,” DiDio said. “IoT is a different animal. The scale of IoT ecosystems is naturally going to be more compute and resource intensive. They will, therefore, tax the capabilities of traditional security mechanisms.”
