Best Practices to Secure IoT Deployments
Organizations must protect their devices and networks from malicious attackers.
Everything, from home appliances to industrial controls, is becoming wired and interconnected. Yet while the Internet of Things (IoT) promises to help make lives and many business activities easier and more efficient, the technology has also opened new attack vectors for cybercriminals, spies and other troublemakers.
For IoT to live up to its potential, the medium must be made both secure and manageable. Yet, by its sheer size and scope, IoT can inflate a single security vulnerability into a complex tangle of interrelated threats.
Security is the primary reason that many businesses are saying “slow down” to IoT deployments, says Anthony Grieco, senior director of Cisco Systems’ security and trust organization. “A recent study by Cisco found that a majority of executives believe that cybersecurity risks and threats were hindering innovation in their organizations, with 39 percent halting mission-critical initiatives due to cybersecurity concerns,” Grieco notes.
While IoT has barely emerged from the starting gate, there have already been several headline-grabbing security failures. “Highly publicized IoT security breaches have made IoT security top of mind,” says Mike Tennefoss, vice president of strategic partnerships for Aruba Networks, a Hewlett Packard Enterprise company.
Best Practices for Strong IoT Security
While IoT poses security challenges on a nearly unprecedented scale, the good news is that existing best practices can often be used to address key IoT security risks. “All of the security controls and techniques that we have known about and worked with for years can absolutely be applied to the IoT space,” says Christos K. Dimitriadis, board of directors chair for ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.
Complicating IoT security is the fact that many network sensors and related devices are small and inexpensive, have only limited memory/compute resources and often aren’t designed with security in mind. “One of the weak points that we see is that IoT vendors and the ‘things’ themselves aren’t as mature from a security and a posture perspective as they need to be,” Grieco says. He notes that most IoT developers aren’t seasoned IT technology vendors and do not necessarily think about security holistically. “As such, they don’t consider building it into everything that they’re developing and, as a result, we tend to see less mature practices when it comes to the basics of security,” he notes.
“Unfortunately, IoT in all of the forms that it can take is still an unknown, and security for the multiple devices has not been sufficiently thought through,” Dimitriadis says. “Developers need to recognize that there are long-term consequences that can occur from a failure to address security concerns early in the design and development lifecycle.”
IoT adopters can help ensure better security by taking matters into their own hands. “Existing best practices, such as network segmentation, will help take some of the security load off of these devices,” says Mark Blackmer, product marketing manager, industry solutions, for Cisco Systems’ security business group.
“External mechanisms, such as machine learning based traffic analytics, can help close the [security] gap,” Tennefoss adds.
Staying Sharp on Security
Security is a race with no finish line. There is no assurance that any particular IoT device type will be able to support future security advances. “For this reason, customers should expect to replace IoT devices on regular intervals that are based not on operational life, but rather on the expiration of security defenses,” says Mike Tennefoss, vice president of strategic partnerships for Aruba Networks.
It’s important for organizations that operate IoT networks to put on a black hat from time to time in order to identify and mitigate vulnerabilities before the real bad guys do, says Mark Blackmer, product marketing manager, industry solutions, for Cisco Systems’ security business group. “Bring in penetration testers on a regular basis, and if you can’t afford to do that, conduct red team exercises with your staff,” he suggests.
An organization always wants redundancy and resilience built into its systems, and IoT is no different, Blackmer says. “This is sound risk management, and it’s an ongoing process of identifying risk, mitigating those risks and creating contingencies.”
Managing a Huge Network Ecosystem
Most IoT devices are designed to function autonomously without backup connectivity. Secure and reliable remote management is essential to ensure faultless operation. “Strong encryption, robust authentication, compartmentalized access and other IT practices commonly used to remotely manage computer networks should also be applied to remotely managing IoT networks,” Tennefoss says.
Dimitriadis notes that there’s no fundamental difference between the techniques used to remotely manage IoT devices versus any other type of network device. “Essentially, it consists of understanding the usage parameters and the expectations for how the device will be used, applying the appropriate set of security controls and ensuring that those controls and countermeasures continue to function appropriately,” he says.
Unlike even the most widely distributed conventional networks, IoT networks present adopters with the unique challenge of managing ecosystems containing millions or even billions of devices. “Scale is the biggest challenge we’ll face in securing IoT, and it’s going to require the security community to think differently,” Blackmer says. “This means more identity- and policy-based security, virtualization and the adaptability that brings, and using the network itself to detect and remediate malicious traffic and attacks.”
Perhaps the trickiest thing about remotely managing high-scale IoT environments is planning how each device gets online and how IT teams will be able to quickly and accurately identify all of the networked devices. “Remote management is only useful if you have appropriately brought the device online in a highly scalable and secure way, with the appropriate identities associated with it,” Grieco says.
Implementing a management tool that lets IT teams know where each device exists, and that ensures each device can be uniquely and securely identified for reliable performance, is essential for successful IoT network operation. Yet achieving this goal isn’t always easy. Teams may lack the skill sets necessary to identify system vulnerabilities, Tennefoss warns. “Weak points may include the lack of physical security for device electronics and interfaces, inadequate security for legacy IoT devices, use of default passwords, failure to validate the trustworthiness of newly connecting devices, using a BIOS from outside the U.S. and poor encryption key and certificate management,” he says.
“Once you have this solid security foundation for remote management, the traditional systems that are used for remote management are going to have to be adjusted to focus on efficiency [and] for the necessary scale of secure management,” Grieco says.
The most useful strategy for managing complex IoT networks, according to Dimitriadis, is to draw from principles that have been honed and tested over many years. “The science of ensuring that devices, systems and applications work together in alignment with business objectives is already a well-established discipline, and leveraging those concepts [in IoT management] can be fruitful.”