Aaron Gette, CIO, The Bay Club CompanyMany enterprises consider IoT strategic to their future, but most still take a disjointed approach to IoT security. The state of adoption varies widely among industries with manufacturing companies investing the most in IoT, while retail and financial services are pushing the boundaries. While governments, healthcare, and utilities are moving much slower, due in part to these new systems complying with regulations, especially in healthcare. Despite the marketing dollars promoting smart cities with fully integrated IoT systems, most governments have deployed point solutions.
The biggest challenges in deploying IoT revolve around security and privacy. This disjointed approach to security however, may be due to a lack of expertise and skillset. No single approach has won out, but finding people with the right skills is another mechanism that makes IoT security a challenge. That’s a serious issue, particularly in terms of crunching all the data that flows in from IoT systems. Most enterprises have yet to take advantage of edge computing, which may be one of the most important parts of IoT.
"While self-updating devices might seem great to a facilities manager, they can open the door to two-way communications that will bypass all network security monitoring controls"
Most companies that have deployed IoT devices are using them to collect data and send it to the cloud or a data center for processing. Which may not be the best use case, deep analysis of archived data sets can provide insights, but real-time monitoring enables IoT systems to make corrective action due to failures or dangerous circumstances. This requires computing power at the edge in IoT devices. There is a direct correlation between the speed at which you can process the data and its value to the organization. Handling analysis at the edge also reduces the network bandwidth needs to move data to the cloud.
IoT devices at the edge mean potentially dealing with hackers connecting to them and managing the security exposure that brings. This presents a large and somewhat easy target as we saw with the recent DDOS attack exploiting consumer IoT devices that had default passwords in place. Gartner estimates that there are over 6 billion connected things in use, that’s a lot of possible portals for potential hackers. A large issue with these devices is that they’re not always built with security in mind, which is why they can be the back door to a system that’s otherwise guarded.
There are some simple steps you can take to keep devices secure, updating firmware on systems is crucial along with a policy for strong passwords that are cycled often. If you’re going to be connecting a large number of devices, creating a separate network for those devices that customers and employees don’t access is a must. Using some secure network practices can prevent the newly connected things from compromising other assets, so it won’t exploit other devices and grab passwords or sensitive information. Take the time to completely understand the information you’re willing to share, inventory the devices that are available to the public. If your exposure threshold is met, then it’s likely something you don’t want connected to the Internet.
IT leaders are in a tough spot when it comes to all of these connected devices. Customer experience is invaluable, so the sky is falling mentality because customer syncs a Fitbit through an edge device is not a reason to panic. IT leaders have to balance the potential risks without being over bearing, finding the right balance will be critical going forward, especially since the possible exposure is massive. There is no question that most IoT devices need better security. These threats are real and have to be addressed with organizational changes as well as policy changes.
IoT devices pose a huge security threat, as a recent DDoS attacks made very clear. However, most enterprises that are leveraging IoT have yet to realize that changes are needed. Not just IT security, but organizational changes driven by the executive team are key. Enterprises making only structural changes to the business can do little to help defend against the scenarios where many of these devices are being purchased and approved without the knowledge of IT or the CISO’s team. Examples include door locks and light bulbs bought by Facilities, or beacons installed by Operations or Marketing. There are reports of penetration testing of networks, where a hacker can exploit weaknesses prior to an attack that inadvertently opened the IoT locks of doors of a building, IoT light bulbs made to flicker, and HVAC systems heating or cooling that cause other support systems to fail.
The attack vector opened by devices that have historically never needed IT approvals requires organizational change that includes a culture that empowers all employees to think differently about their security exposure. Requiring that IT or those CISOs approve all of them is unrealistic and untenable. One enormous issue with IoT devices is that the internal communications capabilities ostensibly call home to get firmware updates. While self-updating devices might seem great to a facilities manager, they can open the door to two-way communications that will bypass all network security monitoring controls. There are other monitoring tools that can track all independent wireless signals, but with most organizations inundated with smartphones, tablets, wearables, and wireless laptops, that may not be a realistic defense strategy.
There is also the issue involving oversight when moving from standard devices to IoT devices that often means a higher price tag. While that will almost certainly drive more scrutiny, it’s oversight from the perspective of cost and not security. A business manager won’t be thinking security when dealing with seemingly innocuous items, and that is one of the most important culture things that have to change. Executives can be trained to recognize if the device has its exploits, like Bluetooth or cellular capabilities outside standard Wi-Fi. Similar to the way that organizations were required to change their security thinking when printers and scanners needed their own IP addresses, they need to change purchasing and oversight procedures to deal with IoT.
CIOs and CISOs cannot do this on their own and many executives will struggle with this kind of change unless it comes from the CEO, or the CFO who controls the approval on all purchases.
Changing approval processes and adding training can be a tough recommendation to make and uphold. The damage to your business and exposure of your customer’s data by your HVAC, door locks, and light bulbs will be much more costly.
