Addressing the IoT security challenge
By Charaka Goonatilake
We consider how best to address some of the critical security challenges around the internet of things.
Businesses are subject to a number of critical market forces that are changing how they need to execute their cyber programmes. One of the biggest is that internet of things (IoT) technologies are significantly expanding and changing the surface that requires monitoring.
IoT sensors and endpoints are built into a growing range of systems, including appliances inside the office – for example, smart, IoT-based, connected office lighting systems. Gartner predicts that there will be 5.8 billion IoT endpoints this year, a 21% increase from 2019. With this asset overload, the crucial questions are how businesses can overcome the challenges of discovering all IoT devices in their asset inventory, what risks those devices pose if not secured, and what best practice for protection is.
Let’s start with identification. Last year, Panaseer commissioned a study of 200 enterprise security leaders. When asked about the assets into which they had least visibility, IoT devices topped the list, with one in five respondents saying it was their biggest visibility challenge.
There are a number of reasons for this. First, the vast majority of traditional security controls and discovery tools just don’t exist for IoT devices. We have endpoint agents for desktops, laptops and servers, but the same concept doesn’t apply for IoT. It’s hard to find more than an IP address through a network discovery tool. Even if an IP address is found for an IoT device, it certainly doesn’t show what the device is, where it sits, what it’s connected to, whether controls are running on it and if there are any vulnerabilities. We also have to consider that an IoT device can act as a gateway to access internal and previously segregated networks.
This lack of visibility leaves security teams completely unaware of the risks these devices pose and of whether they have any vulnerabilities that can be exploited by hackers. There is also the threat of physical damage, which will go unaddressed. This may not be a problem in a factory setting, but a medical diagnostic device in a hospital that isn’t working correctly could result in a loss of life.
These issues are compounded by the fact that the IoT market isn’t especially geared up for security. The onus has been on getting IoT devices to the market – security hasn’t been incorporated in the design phase. It’s still a young, nascent field and there hasn’t been time to establish processes and best practices. There have been some recent advances in standards, with the passing of a law in the UK that states all consumer smart devices sold in the UK should adhere to the three basic security requirements for IoT, but we are still very much in the infancy of IoT security. After all, many IoT devices have not even been configured to receive or run software updates, not to mention that some devices are running on battery so they don’t have the resources to run security controls on them.
So, what’s the answer? Having a good asset inventory is fundamental – every IoT device connected to the network needs to be accounted for and evaluated. If the device cannot be secured, then there needs to be a plan for its replacement, or at least compensating security controls to mitigate risk. For new IoT devices there needs to be a rigorous process, which starts with staying on top of manufacturing guidelines on how best to secure and configure the device; for example, they will normally ship with a default password that must be changed before they’re connected.
There also needs to be a process that enables continual software updates to keep IoT devices safe from the latest vulnerabilities. Finally, there is a requirement for a holistic risk management approach to gaining visibility, prioritising and treating the risks introduced by exposed IoT, based on the business impact.