Getting a grip on enterprise IoT security

The modern enterprise landscape is awash with IoT devices. From connected printers, smart TVs in the boardroom, smart lightbulbs and climate control systems and building security systems, the volume of connected devices in the workplace is steadily growing.

Unfortunately, that traffic from these devices often contains sensitive information that can be intercepted or can hide malware designed to compromise networks or deliver a devastating payload. We are also seeing a trend where vulnerable IoT devices, such as cameras and security systems, are being hijacked, injected with malware and used as cyber weapons and massive IoT botnets to attack other devices or knock businesses offline.

Diving into the world of enterprise IoT security can be eye-opening. Consider that most IoT devices were not designed with security in mind — many of them are headless (do not have a traditional operating system or even the memory or processing power required to include security or install a security client) while an alarming number have passwords hard-coded into their firmware. The result is that many IoT devices cannot be patched or updated.

And even when security software can be installed on the IoT device, the software is often cobbled together from commonly available code or is untested, meaning that most installed security tools can be circumvented by exploiting a wide range of known vulnerabilities. Other security vulnerabilities include: 

• Weak authentication and authorization protocols.
• Insecure software.
• Firmware with hard-coded backdoors.
• Poorly designed connectivity and communications.
• Limited to no configurability. 

These issues are so widespread that it is estimated that 70 percent of the most commonly used IoT devices contain known security vulnerabilities. And when they are comprised, most IT organizations admit they are unlikely or highly unlikely to be able to detect the event before it impacts systems and data.

For those looking to purchase connected devices and attach them to the internet through their enterprise network, then, we recommend a multi-phase approach to security.

1. Learn (discover)

Before you buy a device that will connect to your network, it’s time to start asking some tough questions and hammering out your approach to enterprise IoT security.

Questions to ask include: Does this device really need to connect to my network? If so, what applications and devices will it be able to see and connect to? Do we have a way to isolate this device or manage its connection platform?

While most organizations are prepared to secure access through their wireless access points, consider how you will secure devices connecting through alternative methods:

• Stationary IoT devices, such as HVAC, security systems, card readers or printers are usually located inside the network perimeter and are often hard-wired directly into a network port, bypassing most traditional perimeter controls.
• Mobile IoT devices use a variety of methods and protocols to connect to the network, including popular methods like Bluetooth and a wide variety of RF protocols, including 6LoWPAN, ANT, DASH7, EnOcean, ISA100.11a, MiWi, NeuRFon, WirelessHART, WiSUN, LoRaWAN, Sigfox and Z-Wave.
• IoT devices don’t just connect to the network. They can also create their own ad-hoc networks, allowing them to generate and deliver more robust data. It also means that an infection can spread quickly through an IoT network.

Next, research these devices with an eye towards enterprise IoT security. Are there known vulnerabilities? Many connected devices include vulnerable software or backdoors that make them potential targets. Can they be hardened, patched or updated? Can you add passwords? Can they be fixed or easily replaced if a vulnerability is detected? How will you know? Google is your friend here.

2. Segment

Networks need to be configured to identify and provide limited access to IoT devices connected to your network. Segmentation allows you to restrict and monitor IoT devices, the kinds of traffic they generate, the applications and resources they can access, the amount of time they can be connected online and the places on the internet they are allowed to go.

Other options include: 

• Buying separate wireless access points so IoT devices run on a different network from your PCs and laptops.
• Setting up a guest network for visitors or new IoT or BYOD devices. Look for access points that allow you to restrict access, set up separate firewall rules, inspect traffic and monitor guest behavior. 

3. Protect

Networks and devices are often compromised because users who buy and deploy these devices are simply unfamiliar with how to secure them. Here are a few tips for your enterprise network.

• Keep an inventory of all the connected devices on your network, including their manufacturers. Most attacks are successful because devices are running outdated software or operating systems. Then set up a routine to check each of these devices and applications online for updates. IoT devices can be difficult to track for vulnerabilities. Browsers like Google allow you to set up automated searches to alert you when news or updates about a device are found.
• Keep your antivirus and anti-malware software updated and run it regularly. Also, remember that no software is 100% effective, so set up a regular schedule, say once a month, where you use a second or third security solution to scan your device or network. 

As we consider purchasing IoT devices and connecting them to our networks, we need to remember that the conveniences they offer include risks. Cybercriminals are determined and informed of the latest trends and technologies, and they know how to exploit them. This is why we need to take the time to educate ourselves – and our employees – about the potential cyber hazards of the modern workplace.