Best practices for IoT security
While the IoT presents many opportunities, its challenge lies in how to secure connected devices, networks and the data they handle. There is a risk of IoT devices acting as “double agents.” On one hand, they can bring tremendous value to an organization, but they can also be enlisted to help stage attacks. With over five billion connected devices in the world today, according to Gartner, and more than 20.4 billion anticipated by 2020, the potential threat looms large. The rapid and wide-scale adoption of connected sensors and IoT devices in manufacturing, utility, finance and telecommunications industries means that the global economy’s critical infrastructure is increasingly vulnerable.
For instance, in October 2016, hackers leveraged an army of insecure IoT devices, including toasters, to deploy a denial-of-service (DoS) attack using Mirai malware on an internet infrastructure company, infiltrating tens of millions of connected devices. The company targeted said it commonly sees distributed denial-of-service (DDoS) attacks, but that the use of internet-enabled devices is now opening the door to a whole new scale of attack.
One of the vulnerabilities underpinning this attack is the fact that many IoT endpoint manufacturers simply have not built security into their products. Controllers that operate in nearly every industrial environment lack basic security protections like authentication and encryption. Hackers just need access to the controllers to change configuration, logic and state.
Also, IoT devices typically have vulnerabilities that are easily exploited, like default passwords that never get changed, remote access backdoors meant for use by field service technicians and weak authentication. Some device manufacturers employ trusted boot capabilities, encrypting network traffic or using Secure Shell (SSH). But if they and the organizations that buy them don’t implement these protections correctly, such efforts can be ineffective.
Basics to securing the IoT
IoT security can be optimized with a disciplined process that involves equipment selection, regular maintenance and cross-functional collaboration. A trained and trusted advisor with specific expertise in implementing IoT and security protocols can guide organizations through the key steps to securing the IoT, which include:
- Selecting equipment and software with built-in security protections.
- Regularly changing default usernames and passwords on IoT devices.
- Updating IoT devices with the latest operating systems and patches.
- Implementing data encryption, network authentication and secure private networks.
And, since both the information technology (IT) and operational technology (OT) parts of an organization are affected by IoT, engineers from both of those worlds need to collaborate in setting up security policies and procedures for their applications, devices and networks.
The need for new skills
It’s important for IT and OT teams to collaborate. It’s also important to build their existing skill sets. Creating, securing and supporting IoT implementations require new skill sets as well as a strategy to refresh those skills on a regular basis. Both IT and OT need digital expertise. So, training staff members to address IoT is essential for successful digital transformation.
For instance, the converged architecture involved in IP-connected factories introduces a need for new and evolving skills that most current IT or OT professionals don’t have. As a result, individuals from each discipline need to learn the technology from the other. Additionally, soft skills in areas such as communication, collaboration and project management enable teams to work together in a more productive and integrated way.
Learning about industrial networking and application protocols will advance IT engineers’ skillsets in the digital era. Understanding IoT security technologies and being able to implement the most relevant ones for a particular organization will give IT professionals a strategic advantage.
OT engineers must shift away from the hierarchical Purdue model for enterprise control, in which information flows up from the production floor to the enterprise-level systems. Instead, they must move to a flattened IP-connected world, in which information flows through a single, physical location.
Preparing for tomorrow
As connected devices and applications proliferate, the demand for experts in security and engineering will only increase. Individuals and organizations can prepare for this exponential demand by first becoming aware of their own proficiencies in IoT and security. Learning basic principles of IoT endpoint protection is critical to successful digital transformation. Next, find training that’s needed to fill skills gaps. Certifications are highly valuable, as they offer proof of what an individual knows and how he or she can benefit the organization’s digital transformation goals. By assessing skills gaps and continually upskilling, organizations and individuals position themselves for success.