How can IoT organisations and their partners ensure device-level security is optimised?
There are two important ways companies can optimise their device-level security – monitor the devices and protect the network. When dealing with devices, organisations must be diligent. Keep an eye out for vulnerabilities to apply the latest patches as early as possible. The best way to protect yourself from exploits is to reduce the time between the exploits being ‘discovered’ and you being patched against them.
When it comes to the network, malware looks for a beachhead and then works to spread internally. To prevent this, IT teams must make sure each and every IoT device only has permissions to communicate with the devices it needs to. Segment your network through software-driven policies and tighten those policies as much as you can.
What do you see as the key threats?
A key threat is the IoT market itself. Small IoT devices are relatively cheap to develop, which has created a burgeoning ecosystem of start-ups developing ‘things’ on a daily basis. Even though we have been talking about IoT for years, this is still a relatively new market that has yet to shake out into the main players. Many of the manufacturers we see in the market today will either have moved on to newer ‘things’ or disappeared from the market entirely. The real risk is that these devices will remain in use – sometimes because we forgot they were there – vulnerable to exploits and un-patchable because there is nobody developing the patches.
Another potential issue is in company behaviour. IoT devices often fall under the purview of OT (Operational Technology). There is a tendency in OT of ‘if it isn’t broke then don’t fix it’ and the 24/7 world of OT means there is never an opportune moment for downtime for updates. This extends that time between the vulnerability being discovered and being patched against it.
Finally, most organisations do not know 100% what is connected to their networks. BYOD has a part to play in this, but the low cost and ease of implementing IoT devices have led to individual LOBs (Lines of Business) going it alone, so IT is never in the picture. In addition, the historical complexity involved in micro-segmenting networks means there are not enough barriers to prevent exploits from spreading internally. This is a toxic combination of not knowing what’s on your network and then not being able to stop an exploit spreading.
What are the challenges and realities of this – how can a balance between cost, complexity and security be achieved?
The challenge for a lot of companies is that they are not starting from the best place. Many have hard-segmented, single-vendor, configuration-driven networks built the same way they have been for 20 years. The prospect of a costly forklift upgrade to move into this new world is financially unappealing.
It requires a different mindset to embrace these changes. That said, there are some practical steps in order to protect your business. Firstly, know what’s on your network – if you know what’s out there you can make an informed decision over what is allowed and start to restrict access. You also need to embrace open standards. Part of the reason many organisations have not made this move before is because they were tied into proprietary standards that required everything to be upgraded.
Finally, companies must create a collaborative partnership between IT and the LOBs. Avoid LOBs ‘rolling their own’ by understanding their different needs and applying security policies and tools to all needs.