Today, it is more important than ever for CIOs to manage Internet of Things (IoT) security. Recent attacks launched through IoT devices have hit retail, critical infrastructure and ordinary IT environments alike.
To prevent IoT attacks, countries and regions around the world are creating IoT security guidelines and regulations. For example, in 2018, the United Kingdom's Department for Digital, Culture, Media & Sport published its Code of Practice for Consumer IoT Security ("CoP"). Other countries and regions, such as the U.S. and the E.U., are following up with their own regulations.
What is the security impact of IoT in my organization?
Most companies do not know which IoT devices are connected inside the enterprise, but they do have priorities for patching and protection. Devices that hold the most critical data and have the broadest network connectivity, such as PCs, receive the most attention and the strongest protection. Smartphones, wireless tablets and cellular connections also get reasonable attention. Further down the list, though, some connected items are never addressed at all. A connected lightbulb, or a smart fan that an employee plugs into a computer or joins to the Wi-Fi, falls below the line: the company does not know it is there, and anyone with the Wi-Fi password can add one. The security impact can still be considerable. On a flat network without segmentation, every connected thing becomes an entry point from which an attacker can reach just about anything else in the organization.
How can this security impact be reduced?
The first step is awareness: know what is connected. This can be as simple as a network scan, an inventory of every host on the network. Complement the active scan with passive sources that are already available, such as DHCP lease tables, the ARP or neighbour tables on routers and the MAC tables on switches, because an active scan only sees what is powered on at that moment and aggressive scanning can upset fragile embedded devices. Follow the inventory with two decisions: what to do about the items already connected, and what must happen before anything new is connected. For example, a machine tool that connects to the network will not be replaced, but it must be secured. It is used in the business, and the CIO must manage its risk.
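The inventory step above is mostly a comparison: what the network actually shows against what the organization believes it owns. The following is an added example, not code from the original article, that parses a constructed neighbour table in the format of `ip neigh show` on Linux, checks each MAC address against a hypothetical approved inventory, and reports the devices nobody signed off on, labelling them with a short, illustrative OUI table. All addresses, the inventory and the OUI entries are made up for the example; in practice the inventory comes from the asset database and the OUI lookup from the IEEE registry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the output format of `ip neigh show` on Linux.
# Every address here is made up for the example.
SAMPLE_NEIGH = """\
192.168.10.2 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
192.168.10.7 dev eth0 lladdr 00:1b:1b:aa:bb:cc STALE
192.168.10.15 dev eth0 lladdr 18:b4:30:01:02:03 REACHABLE
192.168.10.21 dev eth0 lladdr b8:27:eb:44:55:66 REACHABLE
192.168.10.30 dev eth0 FAILED
"""

# Approved asset inventory, MAC -> label. Hypothetical; in practice this is
# exported from the asset database / CMDB.
APPROVED: Dict[str, str] = {
    "3c:52:82:11:22:33": "pc-finance-01",
    "00:1b:1b:aa:bb:cc": "machine-tool-bay3",
}

# Illustrative OUI (first three octets) hints used to label unknown devices.
# Only two entries are listed; use the IEEE OUI registry in practice.
OUI_HINTS: Dict[str, str] = {
    "18:b4:30": "Nest Labs (consumer thermostat/camera)",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# One neighbour entry: "<ip> dev <iface> [lladdr <mac>] [router] <STATE>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?"
    r"(?: router)?"
    r" (?P<state>[A-Z]+)$"
)


@dataclass
class Device:
    ip: str
    mac: Optional[str]
    state: str
    label: str
    approved: bool


def parse_neigh(text: str, approved: Dict[str, str]) -> List[Device]:
    """Turn neighbour-table text into Device records, marking each as approved or not."""
    devices: List[Device] = []
    for raw in text.splitlines():
        m = NEIGH_RE.match(raw.strip())
        if not m:
            continue  # not a neighbour entry; ignore
        mac = m.group("mac")
        mac = mac.lower() if mac else None
        if mac is None:
            label, ok = "no link-layer address (unresolved)", False
        elif mac in approved:
            label, ok = approved[mac], True
        else:
            # mac[:8] is the OUI, e.g. "18:b4:30"
            label, ok = OUI_HINTS.get(mac[:8], "unknown vendor"), False
        devices.append(Device(m.group("ip"), mac, m.group("state"), label, ok))
    return devices


def find_unmanaged(text: str, approved: Dict[str, str]) -> List[Device]:
    """Return every neighbour that resolved to a MAC but is not in the approved inventory."""
    return [d for d in parse_neigh(text, approved) if d.mac is not None and not d.approved]


if __name__ == "__main__":
    for d in find_unmanaged(SAMPLE_NEIGH, APPROVED):
        print(f"UNMANAGED {d.ip:<15} {d.mac}  {d.label}")
```

Run against real data by piping `ip neigh show` (or an export of the DHCP lease table) into `parse_neigh`; every row the script prints is a device that needs either an inventory entry or a disconnection decision.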
How can these IoT devices be managed?
IoT devices can be managed so that the rest of the organization is not put at risk. One of the most common approaches is to tightly control how an essential device, like the machine tool, reaches the inside or outside resources it genuinely needs. Start with a firewall in front of the machine, with rules that allow only the specific, limited contact points it may talk to and that may talk to it, in both directions, and deny everything else by default. The allowed connections might be nothing more than the operator's control panel and the manufacturer's support service, with all other connectivity blocked and the dropped attempts logged. Many Ethernet switches and wireless access points include built-in firewall or access-control-list capabilities that can enforce such rules, so with appropriately written rules no additional equipment may be needed. Doing so greatly reduces the risk: most endpoints on the network can no longer reach the machine tool at all, and a compromised tool cannot reach them.
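The allowlist described above is small enough to write down as data and check mechanically. The following is an added example, not code from the original article, that expresses the machine-tool policy (control panel in, vendor support out, nothing else) as a default-deny rule table, evaluates whether a given new connection would be permitted, and renders the same table as an nftables ruleset for a firewall placed in front of the tool. The hosts, the Modbus/TCP port for the panel and the vendor address in the 203.0.113.0/24 documentation range are hypothetical choices for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Hypothetical hosts chosen for the example.
MACHINE_TOOL = ipaddress.ip_network("192.168.10.7/32")
CONTROL_PANEL = ipaddress.ip_network("192.168.10.5/32")
VENDOR_SUPPORT = ipaddress.ip_network("203.0.113.10/32")  # documentation range, stands in for the vendor


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    comment: str


# The complete allowlist. Anything not listed is dropped, in both directions.
ALLOW: List[Rule] = [
    Rule(CONTROL_PANEL, MACHINE_TOOL, "tcp", 502, "operator panel to tool, Modbus TCP"),
    Rule(MACHINE_TOOL, VENDOR_SUPPORT, "tcp", 443, "tool to vendor support service"),
]


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Decide whether a NEW connection may be opened. Default deny.
    Replies to accepted connections are handled by connection tracking
    in the rendered ruleset, so only the initiating direction is listed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ALLOW:
        if s in r.src and d in r.dst and proto == r.proto and dport == r.dport:
            return True
    return False


def render_nftables() -> str:
    """Render the allowlist as an nftables ruleset for a router/firewall
    that forwards traffic between the tool's segment and everything else."""
    lines = [
        "table inet machine_tool {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for r in ALLOW:
        lines.append(
            f"        ip saddr {r.src.with_prefixlen} ip daddr {r.dst.with_prefixlen} "
            f'{r.proto} dport {r.dport} accept comment "{r.comment}"'
        )
    # Log what gets dropped: unexpected attempts are exactly the signal you want.
    lines.append('        log prefix "machine_tool drop: " drop')
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nftables())
    print("panel -> tool :502 ", is_allowed("192.168.10.5", "192.168.10.7", "tcp", 502))
    print("thermostat -> tool :502 ", is_allowed("192.168.10.15", "192.168.10.7", "tcp", 502))
```

The evaluator and the renderer read the same `ALLOW` table, so a reviewer can test a proposed change against a handful of expected flows before loading the ruleset on the firewall. When the switch or access point offers only stateless ACLs, the `ct state` lines have no equivalent and return traffic must be allowed explicitly.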
The next step is implementing security better and smarter in the future. This is where government regulations come into play. For example, the UK's CoP describes 13 guidelines for consumer IoT security. An IoT white paper provides additional details and information, including standards that already exist for IoT security and direction for CIOs and others. When buying products in the future, careful buyers should select products that comply with these best practices. CIOs should establish a company policy that all new purchases of IoT products must comply with the regulations, which are common-sense approaches to IoT security. With the passage of the IoT Cybersecurity Improvement Act of 2020, U.S. federal agencies may only procure IoT devices that meet the standards and guidelines NIST has been directed to develop, which gives other organizations a ready-made security baseline to follow.
Will the cost be acceptable?
While cost is always an issue, the measures discussed above (inventory, firewall rules) should have minimal cost impact, since they take advantage of features already built into commercial-grade networking products. As the government regulations take effect, raising the security requirements for new purchases should not add significant cost either, because suppliers must remain competitive and comply with those regulations. The cost of not securing IoT systems would be much higher in the long run.
Take advantage of government’s IoT security efforts
Today, most companies and CIOs are unaware of the IoT devices connected within the enterprise. For best-in-class security, CIOs really must know what is being connected to their networks so they can address the security issues that arise. Many existing IoT products comply with few, if any, of the guidelines being developed by governments around the world: they have minimal security, or default passwords that provide little to no protection. This is changing with the new government guidelines. CIOs must make changes now to stay ahead of attackers and achieve best-in-class security.