IoT security is an often-neglected area within an enterprise’s IT infrastructure. Unfortunately, this makes these smart devices the perfect targets to breach your organization’s security defenses. Here’s a quick list of key pointers on how to secure IoT devices within your organization’s IT environment…
Let’s cut right to the chase: you need to know how to secure IoT devices within your organization (even if you don’t yet know it). Whether you’re using wireless cameras on-prem or you’ve deployed remote sensors to keep an eye on things elsewhere, every new network connection represents a potential attack surface for cybercriminals to target.
But how big of a potential problem is this, really? Let’s look at some telling industry data:
- Eclipse Foundation research shows 47% of survey respondents already have IoT on their networks. Furthermore, nearly two-in- four indicate that they plan to achieve the same within the following 12-24 months. This move toward digital transformation shows an openness to embracing new technologies.
- Fortune Business Insights’ data shows the IoT market is projected to surpass 1.4 trillion devices by 2027. This research demonstrates the breadth, reach and impact IoT security risks pose to organizations and customers globally.
In a Forbes article this month, tech thought leader and author Bernard Marr shared that while IoT has historically been recognized as a specific threat, he expects these threats to become more common, widespread, and sophisticated in 2022. And considering that Gartner’s recent research predicts that more than half of organizations (60%) will view cybersecurity risk as a leading factor in choosing business vendors and partners by 2025, it’s clear to see the importance of taking action to secure your IoT device now.
So, what can you do to make your IoT deployments and enterprise IT systems more secure in the coming year?
Let’s hash it out.
How to Secure IoT Devices to Make Your Enterprise IT Ecosystem More Secure
Nothing destroys customer trust faster than sending them an email stating that their sensitive data is compromised because you didn’t bother to secure your smart thermostat.
Having strong IoT security is not just a cyber security best practice, it’s a “must” if you value customer relationships and the security of their data. IoT devices represent an open door to your network (and other devices that are connected to it). But that’s not the only problem — these devices also serve as potential threats if an attacker gains control and assimilates them into their botnet.
As botnet drones (or “zombies” as they’re sometimes called), your devices are part of a large network of connected devices that the attacker controls. When this happens, your devices can be used to carry out:
- Cryptocurrency mining by hijacking your devices’ valuable resources,
- Brute force login attacks, and
- Distributed denial of service (DDoS) attacks against your organization and others.
With this in mind, it’s easy to see why making your IoT solutions as secure as possible as quickly as possible should be one of your top cybersecurity priorities.
This guide aims to provide a quick overview of the steps you can take to make your network and general IT environment more secure by mitigating IoT security-related vulnerabilities.
1. Continually Monitor Your Network & Perform Regular IT Audits to Know What’s Connected It
Your organization’s cyber defenses are like an invisible wall, and shadow IT devices represent the unseen security gaps in it: you can’t plug the holes (i.e., mitigate vulnerabilities) if you don’t know they exist.
Shadow IT is a term that describes unknown or unauthorized software, devices, and digital certificates that exist within your tech environment. According to 2021 data from Proofpoint and the Ponemon Institute, three-quarters (75%) of IoT security experts are concerned about shadow IT and view it as a “significant security risk.”
If you don’t know what devices are on your network, then it’s also likely that you don’t know who has access to them. As such, having even one insecure device on your network can lead to a world of hurt that can impact your business and customers in several ways:
- Security issues and data breaches,
- Lost, altered, stolen, or deleted data,
- Noncompliance issues, fines and penalties,
- Reputational damage,
- Lost customers relationships, and
- Financial costs stemming from mitigation, recovery, investigation and reporting processes, and
- Other financial losses from lost revenue, lawsuits, and other related factors.
To avoid these security issues and the costs associated with them, a good approach is to use every tool at your disposal to make your systems and devices more secure. This includes:
- Performing regular scans and audits of your network. If you maintain a current inventory list of devices and certificates, you’ll stay in-the-know about what endpoints and tools are touching your network and what needs to be updated.
- Using internal and external firewalls and network monitoring tools. By keeping an eye on your inbound and outbound network traffic, you’ll know who (or what) is accessing your IoT devices and other IT systems.
- Setting up device access permissions. This ensures that devices receive specific permissions for applications and systems they’re authorized to access.
- Implementing other security measures that we’ll cover in the following sections.
2. Use IoT Device Certificates to Secure Your Devices and Sensitive Data
It’s no secret that bad guys love data, and your IoT devices represent a wealth of useful and actionable information they can use. While having access to all of the information that smart devices afford is great for you, if those devices aren’t secure, then it can spell disaster because that data can fall into the wrong hands. One way to make your device and its data transmissions more secure is to use public key cryptography. (More on that in a moment.)
Research from Paolo Alto Networks’ 2020 Unit 42 IoT Threat Report shows that 98% of IoT device traffic is insecure, meaning that any personal or confidential data can be intercepted, read, or modified by unintended parties in transit. But what kinds of information can be exposed via these unprotected connections? Here are a few quick troublesome examples:
- Access credentials,
- Remote monitoring systems data,
- Live feeds from personal and corporate wireless camera systems,
- Medical data from patients’ personal devices,
- Other types of personal or confidential data.
To avoid this issue, install a valid IoT device certificate on every connected device and ensure all communications are fully authenticated and encrypted.
What Is an IoT Device Certificate?
We recently published an article that was a deep-dive on the topic of PKI device certificates. We’re not going to get into the nitty-gritty of all that here. To quickly recap:
- These certificates are also known as a type of PKI digital certificate because they rely on public key infrastructure (PKI) technologies and processes.
- Device certificates are digital certificates that tie your organization’s identity and manufacturer information to IoT devices.
- PKI IoT certificates create a unique, verifiable identity that helps you ensure that only your legitimate devices connect to your network and other resources.
- These certificates also use cryptographic processes that protect your devices’ data integrity while it’s in transit.
So, what does all of this mean in terms of benefiting your organization? Using a PKI device certificate for IoT:
- Prevents bad guys from infiltrating your network by fraudulently connecting in disguise as one of your legitimate devices, and
- Helps you ensure that your authentic devices connect using secure, encrypted connections.
- Keeps important data from being intercepted, stolen, or modified in transit.
Using IoT Certificate Management Also Increases Visibility of Devices on Your Network
A common PKI certificate management best practice is to use a certificate management tool to track and monitor all of the digital certificates that exist within your network and IT infrastructure. By installing a PKI device certificate on each IoT component before deployment, you’re creating another way to keep track of your devices.
In addition to staying abreast of when certificates are set to expire, using a device certificate also helps you:
- Know where and how all of your PKI certificates are being used, and
- Stay informed about which devices are connected to your network and where they’re located.
3. Avoid Using the Manufacturer’s Default Access Credentials for Device Management
A common (yet bad) practice many IoT device manufacturers have historically done is issue default access credentials to their products. These are typically hard-coded usernames and passwords that may be used during development and testing, for users’ device setup/admin purposes, or while performing updates.
While this practice isn’t necessarily a bad thing while limited to these dev and testing environments, it can be bad news when those credentials are still in place when the devices are deployed in end-user organizations’ IT environments.
“The network interface provided by IoT devices may provide external internet connectivity to would-be attackers. IoT device manufacturers also typically leave default access credentials in place for the devices they ship. These two conditions together leave enterprises vulnerable and prone to unauthorized remote access attacks.”
4. Segregate Your IoT Devices from Critical IT Assets by Keeping Them On a Separate Network
One of the biggest mistakes companies make is connecting their devices to their main critical network. While this may seem like a good idea, it’s actually dangerous. If there’s even a single vulnerability in one of those devices, which is likely, then cybercriminals can exploit it and use it as an open door to your network. And once they’re on your network, they can move laterally to other endpoints by searching for other vulnerabilities they can use on your network.
Keeping your IoT devices off your main network serves as a bulwark to prevent attackers from gaining access to other critical systems that are connected to it.
5. Update & Patch Your IT Systems and Devices Regularly
Rolling out updates and patches to fix vulnerabilities is how most manufacturers keep their products secure over time. This is true for firewall software companies to IoT device manufacturers alike. But when it comes to IoT devices, not all companies bother following through with this crucial security function. Once their devices hit the market, if they don’t bother releasing patches, it means that any discovered vulnerabilities will serve as weaknesses within your IT environment that cybercriminals can exploit.
This is why it’s important to choose IoT devices from manufacturers that are known for having a serious stance when it comes to security. When researching devices and manufacturers, be sure you check to see whether they support their products with regular updates.
But another critical aspect of updating and patching is using them. While it’s important for manufacturers to release those patches to fix security issues, those updates won’t do you any good if you don’t bother applying them.
Applying IoT Device Patches Is Like Wearing a Seatbelt to Avoid Injury…
To better understand the benefits of good patch management practices, let’s consider how automobile safety has evolved over the years. For decades, passenger vehicles were developed without seatbelts. Over time, manufacturers realized that lack of restraint served as a vulnerability when it came to driver and passenger safety, so they added airbags and seatbelts to help “fix” the issue. (The exception here are mass transit vehicles such as buses — many of these vehicles don’t have seat belts.)
But if you don’t bother using the seatbelt when you’re driving or riding in the vehicle, even though using a seatbelt is required by law in many places, the safety device won’t do you any good. This same concept also applies to patching IoT devices. In this scenario:
- The seatbelt represents a device manufacturer’s patch release. If you choose not to use the seatbelt (i.e., apply a software or firmware patch to your IT systems), then it’s not the manufacturer’s fault if you sustain an injury that the seatbelt could have prevented.
- Much like wearing a seatbelt, not wearing a seatbelt and not applying patches can both earn you an expensive fine. In the IT security industry, applying software and firmware updates to your systems is both a common security best practice and compliance requirement. Much like how you can get a ticket for not wearing a seatbelt, you also can face substantial fines and penalties for noncompliance.
Final Takeaways on Securing IoT Devices
If you’ve made it this far, we hope you’ve found this resource useful. While this article is in no way comprehensive, our hope is that it at least serves as a starting point for planning how to secure your organization’s IoT devices.
The main takeaway is that if you’ve not yet taken steps to secure your IoT technologies and networks, there’s no time like the present. The longer you wait, the more your organization and customers are at risk to cyber attacks, data compromise, and broken trust. Not only do you face percussions in terms of noncompliance issues and related financial losses, but this damage may be irreparable and cost you relationships with some customers indefinitely.
Please be sure to share your thoughts and other tips for how to secure IoT devices within enterprise environments in the comments below…