By now we’ve all heard of the Internet of Things (IoT) and have a pretty good understanding of what it means for both businesses and consumers. This ecosystem of embedded hardware, mobile, cloud applications, data, and the underlying networks that support them is revolutionary. Most exciting, however, are the endless applications for IoT. From personal assistance (“OK Google, add string cheese to the shopping list”), to military defense (imagine a security camera locking down a building when it spots a threat 10 yards away), the opportunities for IoT will have an immeasurable impact on every area of our lives. It’s no wonder so many enterprises, whether municipalities or manufacturing or healthcare institutions, have embraced IoT and made it a significant part of their long-term growth plans.
Of course, the pervasiveness of connected devices brings a new wave of security challenges to the enterprise. For example, we know that IoT devices can be used as a launching pad for attacks inside organizations or on other networks. In one real-world example, a group of hackers took over a host of cameras inside a network and use them to launch a malware attack. Essentially, IoT devices, whether wired in or wireless, are sometimes the perfect entry point for a bad guy.
Here are two of the top IoT security challenges and how to manage them.
Sensory and Actuating Devices
One of the amazing attributes that IoT has brought about is the ability for IT to interact with the physical world through both sensing and actuating technology. Imagine a mining company using equipment that collects data while it’s in use, then uses that data to report and influence decision making. This is happening today, and it’s very exciting.
It also opens the door to new security challenges, ranging from the compromised integrity of sensory data to the actuation of physical devices. When the data gathered by the sensory enabled IoT asset is compromised, hackers can impact the quality and meaning of data collected. In other words, they can commit acts of sabotage. If data used for decisioning making is not effectively managed, it can lead to significant problems for specific projects and entire operations. Risks associated with the ability of IoT to make changes to physical systems are also a major concern. Compromising these types of systems can facilitate attacks that impact human safety, take down production or operations, and destroy equipment.
The problems caused by these threats can be very costly and time-consuming to clean up. The key for security leads is understanding and managing the risk associated with an IoT ecosystem from procurement through operations. Security organizations should establish a process for assessing the risk associated with a particular IoT ecosystem and be able to provide a differentiated risk treatment for each piece, so something like an apple TV isn’t assessed the same as operational machinery.
In a normal enterprise, IT assets are managed largely by a centralized team equipped with the applications and expertise required for the undertaking. When you get into operational technology environments that use IoT, conventional IT teams and systems may not have the capability to manage the assets. For this reason, management of IoT assets is often handled by the manufacturers of the devices.
Third party device management requires remote access for management, monitoring and maintenance activities. Any time remote access is available, potential risks are introduced. Adding to the challenge is the fact that these devices do not adhere to normal patching and update schedules due to high demand on uptime and reliability needs. Remote accessibility coupled with unpatched or out of date systems elevates the risk profile of the environment.
It’s imperative that when choosing a manufacturer or supplier of IoT assets, you review their security protocols for the ability to integrate with your organization’s security program. Eventually, IoT manufacturers may be required to meet specific requirements for the protection of IoT devices that need remote access to manage. Until then, businesses need to do their own due diligence to understand and mitigate the gaps in IoT ecosystem capabilities.
Again, IoT environments have to be factored into traditional security environments, protocols, and management plans. Because this is new in so many organizations, entire IoT environments are being created without updating the security protocols and teams. This cannot be an afterthought. Intelligently selecting devices, knowing what’s on your network, working with the manufacturers on integrations and understanding their security protocols, should all be priorities within your plan.