As most businesses embrace the Internet of Things for business initiatives, many are unsure how to take advantage of those new technologies securely. Alex Cowperthwaite, Principal Consultant at Security Compass Advisory, shares essential tips that will help you build a strong foundation for IoT security.
According to Microsoft’s 2021 IoT Signals report, 90% of enterprises have adopted this infrastructure, and 44% of enterprises expect to increase their investment in it. The report highlights a broad range of benefits that companies are hoping for, including quality assurance, security of cloud operations, devices, and assets, making operations and employees more productive, enhancing workplace safety, and managing supply chains.
Key Security Concerns of IoT
Though the technology is ubiquitous nowadays, almost a third of enterprises surveyed in the Microsoft report do not want to expand the use of IoT solutions due to the perceived security risks. Codebases like Mirai and Gafgyt are still active parts of attacks against the system, with compromised devices being used to steal information and perform distributed denial of service (DDoS) attacks. A compromised device can serve attackers as an entry point into internal networks and is also used to build cryptocurrency mining botnets. Ransomware is not a major aspect of the related threat landscape yet, though it may emerge soon based on its trajectory so far.
Essentials for Strong IoT Security
For adequate security in this landscape, keep these foundational principles of IoT security in mind.
1. Device Inventory
You cannot secure what you do not know you have. Keeping an up-to-date device inventory through both documented procedures for tracking devices added to the network and regular network discovery scanning can help you ensure that you know what is in your environment. Knowing what is present will help you plan updates and configuration changes and ensure that you think about everything you need to secure your holdings.
2. Account Security
IoT devices are connected to networks and therefore require the same level of password hygiene as other devices on the network. However, many enterprise users still fail to change default passwords on the devices, leaving weak and well-documented passwords like “admin” or “123456.” Botnets and attackers use these weak passwords to gain their footholds in device systems. Instead, set strong new passwords or keys, and subject them to the same security standards and credential protections as other network devices.
3. Device Configuration
New features and management capabilities on IoT devices can make tasks easier than ever. However, attackers are also taking advantage, making this their key entry or pivot point for compromising sensitive data. To minimize the chance of a breach, you need to stay aware of what features are available on each device on your network, apply tested and hardened configurations, and be ready to test and deploy new configurations if issues are identified with current ones.
4. Network Segmentation
When designing networks that contain IoT tools, consider the criticality of the data each device can access. Ask questions including what data it needs, how much it affects uptime or safety, and what risk it poses to the business if that device were to be compromised. Segregating device administration from normal data operations can prevent the most sensitive functions from being targeted by a network user. Then, as with traditional network infrastructure, segment and protect the networks on which the devices sit in a way that makes sense in light of that business risk.
Patching IoT devices can be complicated for several reasons – the number of devices, the by-design difficulty of applying patches, and the need for constant uptime for specific devices, including medical or industrial machines. Device inventory helps with this. In your inventory, you should document how to patch each device, monitor for patch releases, and schedule patch windows, just as you would with other network devices. If a device cannot be patched, segment it on a network away from sensitive data.
6. Network Traffic Monitoring
In addition to configuration and applying security controls, knowing what your devices are doing on a network is crucial. This requires network traffic monitoring. Watching traffic from the time a device is added helps you draw a baseline for expected traffic, identify ways to increase efficiency, identify anomalous traffic that indicates compromise, and take action, such as patching or decommissioning compromised devices.
7. Data Encryption
According to a 2020 Palo Alto Networks Unit 42 report that looked at IoT usage in both enterprise and healthcare, 98% of all device traffic is unencrypted. Some devices do not encrypt data, and others eschew known cryptographic standards for less-tested “lightweight” cryptography. As machines gain access to more sensitive information, ensure that credentials and other sensitive data are adequately encrypted in transit and at rest. This involves evaluating existing devices and assessing new ones for, among other things, their ability to encrypt data using strong cryptography.
8. Physical Security
Even with precautions like encryption, proper configuration, and network segmentation, physical security matters. If an attacker can reach an IoT device, they may tamper with the device, reset it, or access data connected to it. Consider locking devices with access to sensitive information away, physically blocking unused or administrative ports, and choosing devices that have strong tamper protections.
9. Penetration Testing
As with traditional IT infrastructure, you cannot know whether security controls are working as desired unless you test them. Working with a penetration tester with experience with devices can help your security posture by looking at it like an attacker would. Penetration testing will help you identify where your IoT security falls short and what you should do to prevent attacks between software vulnerabilities, configuration flaws, cryptographic issues, and vulnerable communication protocols.
Securing Your Future with IoT
The Internet of Things can increase your business’s efficiency, safety, and security, but like other software or infrastructure, it also raises security questions. This is the time to learn the security foundations and ensure that your current IoT infrastructure is not exposing your business to unnecessary risks. As your business evolves technologically, embracing these essentials for a security program can help you modernize with confidence.