Foundational knowledge in how CISOs must view corporate security is a major threat presented by IoT devices.
Device security is lagging in IoT — which means distributed devices increase an organization’s attack surface. Whether they’re enterprise or consumer devices, if they’re connected to your network, they’re a threat.
In this post, we’re going to look at a few reasons why IoT security is often neglected:
No IT Involvement
Historically, many IoT devices fall outside the traditional scope of IT security. Take the case of IP cameras used in a video surveillance system, where the physical security team typically manages their devices and runs on a network provisioned for them by IT that is segmented away from the corporate network.
Because there is no threat to the corporate network (and, therefore, corporate assets), there is no IT involvement. As time goes on, the physical security team adds new devices to their network, ending up with IoT devices from several vendors, of different vintages, and requiring unique methods to secure and manage them.
IoT security, because of this complexity, has often taken a backseat to IT security. This is why hackers find IoT devices such attractive targets; often they are unmanaged, distributed, and away from the attention of IT security professionals.
Compliance, Privacy, and Regulatory Requirements
On top of the IoT device security vulnerabilities, there is a growing need to ensure that these IoT devices are able to meet compliance, privacy, and regulatory requirements. Many industries have recently added compliance requirements specifically on the IoT devices used.
A recently proposed update to the TIA 942 Data Center standards (to address edge data centers) adds in requirements for IoT devices to have passwords, firmware, and certificates updated in a timely manner, cabling and other connectivity analyzed for security, and expands reporting to include operational metrics like uptime and data retention compliance.
In addition to industry-specific compliance standards, IoT devices are also subject to broader regulations like the European Union’s GDPR (General Data Protection Regulation) and California Consumer Privacy Act (CCPA). In fact, the first fines levied under GDPR were for misuse of an IoT device (IP cameras). Especially as these devices can broadcast location, device information, and user information, there must also be the ability to easily report on the compliance of these devices.
Traditional methods don’t scale with distributed IoT, especially given that there may be several manufacturers of devices, each with their own dashboard and methods of viewing and exporting data — what at Viakoo we refer to as “Console Madness.”
Overcoming IoT Security Challenges
Given these challenges what should CISOs do, given that the “IoT for CISOs” playbook is still being written?
Looking at current best practices, there are clear starting points to getting on top of IoT device security:
- Support programs that discover, identify, and manage IoT devices on the network.
- Provide the security update and patching enforcement that device manufacturers can’t.
- Ensure you can’t be spoofed on a device’s identity.
- Keep devices as updated and secure as possible, but also secure the other side of the connection: the cloud, your network, etc.
Defining Ownership of IoT Security
The problem we hear most from CISOs is not guidance on what needs to be done, it is who should be tasked to do it and methods for how they should do it. Unlike IT security, where the tools and methods are well known, for IoT security there are new processes and procedures that must be created. Compared to traditional corporate IT, distributed IoT devices exist at a much higher scale.
There are often 10x or more the number of IoT devices than servers, and to manage passwords, firmware, and certificates there must be automated methods to deploy, verify, and report on these device-level changes.
In addition, the organizational boundaries between the CISO, CIO, and Operational Technology (OT) leadership varies across organizations and requires an agreement across each of them to ensure each gets what it needs:
- The CISO needs to be able to mandate IoT security and control the risk.
- The Operational Technology team must have automated tools that can be easily deployed.
- The Risk and Compliance function needs a database of record and reporting methods to address audit requirements.
Your Organization’s Largest Uncontrolled Risk
In summary, at a foundational level distributed IoT devices are one of the largest uncontrolled risks that an organization faces.
The volume and sophistication of attacks against vulnerable IoT devices is growing, based on the success hackers are having with this line of attack.
Getting in control of IoT device security requires assessing automated methods to manage device security (passwords, firmware, and certificates). Moreover, it may require the CISO to coordinate efforts across the IT and OT parts of the organization to ensure solutions are applied and are auditable.
Ready to assess your IoT Security?
In our whitepaper we’ll discuss why loT devices are often easy targets for savvy cyber criminals, different attack surfaces and vectors bad actors frequently pursue in loT security attacks, and how to protect your logon credentials, safeguard against firmware vulnerabilities, use digital certificates and data encryption, and more to improve your IoT security defenses.