Overlay Security on IoT Networks to Conquer Vulnerabilities
Last summer, the FBI issued an alert that warned of cyber criminals ramping up attacks on the Internet of Things. Specifically, adversaries are taking advantage of weak authentication, unpatched firmware or other software vulnerabilities, and authentication credentials that can be attacked over the internet.
The proliferation of IoT devices combined with this reported increase in cyberattacks presents a nightmare of special security challenges faced by industrial enterprises that commercially deploy IoT devices. Unfortunately, it’s not feasible to replace or redesign IoT devices already deployed in the field. But by overlaying security and control measures on existing IoT networks, these organizations may just have found the key to mitigating vulnerabilities.
IoT vs. IT devices
Let’s take a deeper dive into IoT vulnerabilities and security risks, as described by the National Institute of Standards and Technology (NIST). NIST’s 2018 report “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” identified three problems faced by organizations that deploy IoT devices.
First, IoT devices interact with the physical world in ways conventional IT devices usually do not. NIST points out that cybersecurity and privacy policies must take into account the ramifications of IoT devices making changes to physical systems and affecting the physical world. For instance, the security ramifications of a compromised device controlling a town’s water supply are vastly different from a compromised device disclosing customer records. NIST also notes that “operational requirements for performance, reliability, resilience and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.”
Second, many IoT devices cannot be accessed, managed or monitored in the same way conventional IT devices can. Because many IoT devices are on private networks or in remote locations, organizations may need to perform manual tasks when updating or protecting large numbers of IoT devices. Employees may need special tools and training, and security models may need to account for manufacturers and other third parties having access or control over devices. Obviously, manual tasks are cost-prohibitive and time-consuming for those organizations that have geographically dispersed locations that must be protected and updated.
Finally, the availability, efficiency and effectiveness of cybersecurity and privacy capabilities for IoT devices are often different from those for conventional IT devices. Special vulnerabilities require special policies and tools. NIST says that organizations “may have to select, implement and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available.” Additional controls may be needed, in part, because many IoT devices were designed without security in mind or with a bare minimum of security features.
Industrial enterprises use IIoT to provide their customers value-added services such as better service-level agreements, reduced downtimes, predictive and preventive maintenance, and overall improved operational efficiencies. Without security as a foundational element of their infrastructure, their entire operation is compromised.
IT and OT Symbiosis: The Real-Life Example
Operational technology and information technology teams can work together to address both IT and IoT device vulnerabilities and ensure the security of their network infrastructures. But IT/OT symbiosis in any organization is not a natural fit.
Bayron Lopez, operational technology manager at Kilroy Realty, explains the classic disconnect between IT and OT. “In corporations, the security focus is on the main infrastructure — servers, internal email, etc.,” he said. “Physical security — access to buildings, for example — has historically been seen as secondary to all of this, and not a part of the corporate network.”
As smart buildings like Kilroy’s become more commonplace, however, IT and OT security vulnerabilities merge. “IoT sensors are great for transmitting data about building assets, such as who is accessing a building, energy usage, alarm controls or problems with climate control or lighting, but if there are network security vulnerabilities, we may not be the only ones accessing that data,” said Lopez.
Recognizing the potential security vulnerabilities for Kilroy, Lopez joined forces with the organization’s IT manager, Khanh Nguyen. Together, they found a way to overlay security and control measures on their existing IoT networks to build a more secure infrastructure — one that:
- Is protected from malicious attacks that could disrupt operations, as well as from malware and account takeovers that would enable attackers to use Kilroy’s networks for malicious activities.
- Has access controls from a single location, so access to all devices at all locations can be controlled quickly and easily.
- Has a single pane of glass for monitoring all IIoT networks.
- Has secure, centralized access controls for third-party technicians remotely accessing IoT devices, so that third-party access never becomes a security risk and IT administrators are never overwhelmed with managing decentralized VPN networks.
Breached building data may have smaller-scale ramifications, but consider what would happen if IoT sensors transmitting data for smart cities or utilities were intercepted. Potential situations like this — as well as the aforementioned data from the FBI and NIST — push industrial enterprises, utilities, smart cities and the like toward an IT- and OT-friendly infrastructure that takes into account the special requirements for securing both traditional IT and IoT devices.
Ron Victor is the chief executive officer and founder of ioTium.