5 steps for securing IoT deployments
By Johna Till Johnson
IoT represents a cybersecurity vulnerability that organizations can address with five steps to create an IoT-specific security strategy. Organizations put security at risk when groups outside of IT deploy IoT without informing IT admins, and the risk remains even when the IoT initiative is a formal project in pursuit of defined business goals.
There are also situations where other professionals might not even recognize that they are deploying IoT technology in devices such as smart HVAC systems.
The vulnerability isn’t just hypothetical.
Hackers struck a steel mill in Germany in 2014 and disrupted control systems to such a degree that a blast furnace could not be properly shut down.
In 2012, the U.S. Department of Homeland Security disclosed that cybercriminals breached the thermostats of a state government facility and a manufacturing plant in New Jersey and were able to exploit vulnerabilities in industrial heating systems.
The majority of organizations that participated in Nemertes Research’s cybersecurity study said they currently have or will have an IoT cybersecurity specialist by the end of 2019.
Implement IoT security strategies throughout operations
IoT cybersecurity specialists should focus on these five steps to ensure IoT security:
1. Create a catalog of IoT projects. The catalog must include formal initiatives by business units and smart devices that have become part of day-to-day operations, including:
- Intelligent HVAC systems and smart building devices
- Human-machine interface devices, such as Alexa and Siri
- Legacy robotics and manufacturing systems
- Medical devices
The first step in solving a problem is to understand its scope. That’s particularly hard in the case of IoT. Even in successful organizations, approximately 8% of IoT teams admit to not knowing what IoT initiatives they have. Even if the catalog is incomplete, building it out and having a process to note whenever IT pros discover or deploy IoT initiatives will simplify the process of securing IoT.
2. Develop an IoT-specific cybersecurity strategy, architecture, roadmap and policy. Organizations with a strategy for securing IoT improve their overall cybersecurity and the chances of success in an IoT project. Organizations with successful cybersecurity strategies — where success is identified by the average total time taken to contain incidents — are 56% more likely to have IoT cybersecurity specialists. And organizations that have successful IoT initiatives — based on revenue generated, costs saved or business processes improved — are 15% more likely to have IoT cybersecurity specialists.
Surprisingly often, IoT teams neglect basic foundations of cybersecurity: devices should be at least password protected, passwords shouldn’t be hardwired into the device, and communications should be encrypted. In many cases, vendors sell IoT systems that have hardwired passwords and lack the ability to support encryption. Simply having a checklist that IoT devices must pass to be deployed anywhere in the organization can eliminate a significant percentage of vulnerabilities.
3. Budget for securing IoT. Sometimes the most effective fixes are the most obvious ones. A budget for IoT security controlled by the cybersecurity team ensures that the organization will get the right human and technical resources to solve the problem and correlates with increased overall success in cybersecurity.
4. Build a working proof of concept and enhance it often. Organizations should build a working proof of concept that instantiates all the key components of the hardware, software and automation and demonstrates how the components integrate to deliver the necessary capabilities.
5. Integrate the management of IoT cybersecurity into your existing cybersecurity dashboard. IoT systems have distinctive characteristics — such as limited computational horsepower, low-bandwidth, low-latency links and massive scale — that may necessitate IoT-specific cybersecurity management. IT pros must integrate these characteristics with the overarching cybersecurity dashboard to provide the security team with an integrated view of vulnerabilities.
Established cybersecurity vendors such as Palo Alto, Forescout and Hewlett Packard Enterprise offer IoT-specific capabilities that integrate with their offerings. Emerging vendors such as Ordr offer products focused on securing IoT that also integrate into cybersecurity dashboards.
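The catalog from step 1 and the deployment checklist from step 2 can be combined into an automated gate. The sketch below is an added example, not code from the article or from any vendor named in it. The CSV column names, device names and the fail-closed handling of blank answers are assumptions made for illustration.

```python
import csv
import io

# Constructed sample catalog (step 1). Column and device names are hypothetical.
CATALOG_CSV = """device,owner,requires_password,password_changeable,encrypted_transport
hvac-controller-01,facilities,yes,no,yes
voice-assistant-07,marketing,yes,yes,yes
legacy-robot-arm-3,manufacturing,no,,no
infusion-pump-12,clinical,yes,yes,
"""

# Checklist from step 2: catalog field -> reason reported when the answer is "no".
CHECKLIST = {
    "requires_password": "device is not password protected",
    "password_changeable": "password is hardwired into the device",
    "encrypted_transport": "communications are not encrypted",
}


def evaluate(row):
    """Return the list of checklist failures for one catalog row."""
    failures = []
    for field, reason in CHECKLIST.items():
        value = (row.get(field) or "").strip().lower()
        if value == "yes":
            continue
        if value == "no":
            failures.append(reason)
        else:
            # Blank or unexpected answer: an incomplete catalog entry fails
            # closed instead of being treated as compliant.
            failures.append(f"{field} not recorded in catalog")
    return failures


def gate(catalog_text):
    """Map each device to its failures; an empty list means cleared to deploy."""
    reader = csv.DictReader(io.StringIO(catalog_text))
    return {row["device"]: evaluate(row) for row in reader}


def blocked(results):
    """Sorted names of devices that must not be deployed yet."""
    return sorted(name for name, failures in results.items() if failures)


if __name__ == "__main__":
    for name, failures in gate(CATALOG_CSV).items():
        status = "BLOCK" if failures else "PASS"
        print(f"{status} {name}: {'; '.join(failures) or 'meets checklist'}")
```

The per-device failure list is the kind of output that can be forwarded to the existing cybersecurity dashboard described in step 5.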