11 Key Enterprise IoT Security Recommendations

This is a guest article by Brent Whitfield from DCG Technical Solutions Inc.

The number of internet-connected devices expected to be online by 2020 varies wildly by source but it will be in the tens of billions. As we know, the IoT will enable businesses to capture more data for deep analysis while obtaining more granular control over processes. Combined with AI and machine learning, smart automation is an exciting prospect.

But for all that, a majority of IT professionals (58 percent) are thinking mostly about security. That's according to an in-depth study conducted by 451 Research. This is good news. Devices connected to the IoT have been recognized for a long time as prime targets for hackers and once you have read the article to follow, you will appreciate why. It may be wise to invest in some external IT consulting to help with forming and implementing new security procedures. DCG Ltd. is an example of a company providing IT consulting in Los Angeles.

The Commoditization of IT

How could the IoT undermine the security of your business? Part of the problem is a result of the commoditization of IT used in enterprises. This is where software applications, programs, services, and connected devices are packaged up to be quick, simple, and easy to use.

This can conflict with security practices because the most popular commodities tend to be low cost and easy to use straight out of the box. Having to think about changing passwords and configuring devices is an inconvenience so IoT devices tend to save customers the bother by shipping them with default passwords, open hardware and software ports, and a simplified user interface for adjusting only a minimum of settings. In addition, IoT devices are often configured to "phone home", increasing the window of opportunity for cyberattacks, and to collect far more data than they need to perform their core functions.

Since the public has been so used to ignoring security issues, there is a risk that they might unwittingly connect a personal device to their workplace's core network. For example, even syncing a fitness tracker with your smartphone is a risk if that phone is a BYOD device cleared for work use. Other devices that can potentially cause a security breach are smart speakers, thermostats, TVs, and video cameras. In truth, any device connecting to IT networks via cable, WiFi, Bluetooth, or any other means can become a weak point in your network.

The Dangers of Compromised IoT Devices

What could cybercriminals do if they accessed a connected IoT device? Three of the biggest risks include remote surveillance, cyberattack, and data theft.

Remote surveillance is clearly a risk through a video camera, particularly when port forwarding has been enabled and/or the default username and password combination hasn't been changed. However, any device with an attached mic or camera has the potential to transmit audio or visual signals to a third party. Even children's toys (e.g. My Friend Cayla) have been criticized for enabling remote espionage. Surveillance doesn't have to involve video or audio signals or even human-readable text. It can also involve transmitting raw data in the form of GPS data, system logs, and other reporting data. Cybercriminals will often find a way to exploit any type of data they can get their hands on.

A cyber attack can involve injecting malicious code into the network via a virus or some other piece of malware. A common method of attack uses ransomware to lock down a network until a payment, usually in Bitcoin, is made to the attacker. Alternatively, a blunt DDoS attack can overwhelm a network without any code being activated. IoT devices may even be connected to a botnet and used to bring down bigger companies using the combined power of a multi-device DDoS attack. It is possible for devices and networks to be part of such a botnet without anyone in the business being aware of it.

Using the IoT for outright data theft needs more sophisticated techniques than either of the above methods but it can be and has been done. For example, the infamous Target breach took advantage of poor IT security practice by first hacking into the systems of a third-party aircon company and from there accessing and stealing credit card details. Once in possession of the data, a cybercriminal can then either sell it to third parties or hold the affected company for ransom.

One of the biggest problems with IoT devices is their potential to form a "shadow IoT" network underlying a company’s main IT networks. Once IoT devices slip off the radar, they become virtually undetectable, even with the use of monitoring software.

Hopefully, this has opened your eyes to the desperate need for security to be put at the center of enterprise IT.

Here are 11 key enterprise IoT security recommendations

1. Create a Strategy

Effective IoT security has to be organized so that no stone is left unturned. This means you will need to create and document a security strategy that is tightly integrated with both your general IT strategy and your overall business plan.

Your IoT security strategy should cover all areas that utilize the IoT network. It should set out, for each situation, the security measures that will be taken and how they will be monitored and reviewed.

As mentioned above, the IoT can appear in many different forms and you must take an in-depth look at your IT architecture and endpoints to ensure you catch everything in your net.

2. Invest in Ongoing Training

Most IT breaches include a human element, so a critical part of your IoT security strategy will be setting out an ongoing training program for both existing and new recruits.

IoT training should include a topic on the dangers of a shadow IoT, which is being fueled by the aforementioned commoditization of IoT devices. If employees are connecting home devices to the company network, they could be opening the door for hackers. They need to be taught whether a device might have a limited function (e.g. a smart kettle) has no bearing on its utility as a hacking device: the smallest of windows can be enough to allow a criminal to access your business. More in-depth training might include using anomaly detection and granular audit trails to detect threats.

3. Physical Security

The most basic level of IoT security is the physical protection of connected devices. Wherever possible, sensors and appliances should be kept under constant guard to protect them from being tampered with or reconfigured (e.g. passwords being reset, etc.)

When an IoT device isn't being used, it should be turned off and the immediate area secured. Physically covering ports, cameras, and microphones will add another layer of protection. The physical security of IoT devices or groups of devices could be assigned to specific individuals or teams in your operational manual.

4. Endpoint Hardening

Staying at the device level, endpoint hardening plugs vulnerabilities by blocking high-risk ports (e.g. TCP/UDP, serial ports, etc.), unencrypted communications and wireless connections. Measures should also be taken to protect devices from malicious code injection.

5. Manage Updates

All companies should include IoT in their password management process. Where possible, IoT devices, like all IT software, should be set up to receive automatic updates to minimize the attack window between patches.

At the very least, IoT devices should be capable of manual updating with the IoT vendors on top of the latest threats. It is best to upgrade on at least a monthly basis and to avoid devices that are incapable of being upgraded or are poorly supported.

You should also ensure that the details of the device lifecycle are recorded and acted upon. For example, you should replace any device once its support period is over.

6. Organize Device IDs

It is difficult to stay in control of IoT devices if you and your IT team don't recognize them on the network. An effective way to avoid shadow IT and stay on top of threats from IoT devices is to set up an official naming convention for the devices. As soon as a new IoT device is configured on your network, use the naming rules to give it a device ID that everyone in the company can recognize. That way, any unauthorized devices will immediately jump out.

7. Use Encryption

Moving on from devices to the network as a whole, it is crucial that data is kept secure from interception both while in transit and during storage. A data audit is the first step to ensure you can account for all data within your IT ecosystem.

Ideally, only devices which support encryption should be connected to your network and you may need to set up a VPN rather than connecting over the internet. This will also give you the benefit of increased performance.

8. Segment the IoT Network

One strategy that may work for you, particularly in industrial IoT (IIoT) settings, is to use network segmentation to isolate IoT devices from your core IT network. This can be done in a way similar to setting up a guest network. This way, even if a hack should happen, it won't cross over into your core network and your IT emergency response team can cut off the affected segment and avoid the danger of a company-wide disaster.

There are various models (e.g. The Purdie Model) that can be used for segmentation. But whatever method you use, ensure that you set up firewalls and monitoring software to help profile your IoT traffic and check for anomalies.

This has the added advantage of helping you to identify and disarm sources of attack with little or no risk to your business.

9. Strengthen Access Management

If you don't already have robust access and identity management system, now is the time to work on it. Such a system ensures that employees change passwords regularly, use two-factor authentication where possible, and are only able to access the IT systems they are authorized to use for their tasks. APIs can also be included for automated connections. Even if you already have identity management in place, you should ensure it is compatible with your IoT devices.

10. Use a Commercial IoT Platform

Most of the IT professionals who were surveyed by 451 Research revealed that they planned to use dedicated commercial IoT platforms to manage their IoT devices. Although this is a good idea in principle, it is very important that IT experts do their due diligence on the companies selling these products as there is likely to be a lot of variation in quality as vendors join the IoT gold rush.

11. Keep up to Date with Online Trust Alliance Guidance

In common with many new technologies, the IoT is currently poorly regulated with plenty of guidance and advice published but little in the way of standardization. Although the inevitable merging of organizations and advice is beginning to move us in the right direction, with thousands of pages of documentation produced by dozens of global organizations, knowing where to go for advice can be a challenge.

Some of the steps listed above apply to most industries. They have come from the IoT Trust Framework published by the Online Trust Alliance (OTA). The Alliance is an initiative of the Internet Society and is tasked with providing advice for security best practice and increasing consumer confidence in IT.

In the fast-paced world of cloud computing and the IoT, such guidance is regularly updated and expanded. The OTA publishes regular blog posts featuring the latest news on breaches, security best practice, and other security-related information. Keeping current with this will allow you to update your procedures and training materials so they remain relevant.

By following these 11 tips, your company should be able to keep itself safe from the worst of the threats that compromised IoT devices pose to your IT networks. You can then relax and look forward to the many benefits that connected devices are sure to bring to your business from improved data analytics to more efficient operations.