https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/mobile-logo.png
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
    • Back
    • Embedded IoT World (Part of DesignCon) 2022
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • Roundups
  • Strategy
  • Special Reports
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Podcasts
    • Strategic Partners
    • Latest videos
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Editorial Submissions
  • Events
    • Back
    • Embedded IoT World (Part of DesignCon) 2022
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Metaverse
  • Development
  • Security
ioti.com

Security


IoT Security Needs Pen Testing Approach

IoT pen testing is a no-brainer, say experts. But don’t test everything.
  • Written by Evan Schuman
  • 28th January 2021

IoT security is challenging—largely because the millions of IoT devices in the field can interact with enterprise systems in numerous ways. 

Internal systems—Internet of Things (IoT)-enabled door locks and lightbulbs in corporate office buildings, for example—as well as external ones, typically sitting at a remote site (aka an employee’s or contractor’s home more than not these days) and jumping onto the enterprise local area network (LAN) or wide area network (WAN), courtesy of a VPN piggyback.

In addition, devices can be compromised in a couple of ways: (1) the original code from a manufacturer could include bugs or malware (with or without the manufacturer’s knowledge) in it when shipped; or (2) malicious attackers can hijack a unit’s code months later with malware. Once IoT gains access to the network and often its very own IP address, it unleashes all of these security nightmares.

Even worse—and this undercuts security triage—malicious code can prompt malicious actions from devices (such as to change the chemical percentages at a pharmaceutical’s assembly line), contradicting its manufactured purpose. But insidious code might just as easily use a device merely as a network conduit, so it doesn’t matter whether it’s official purpose seems dangerous, given that its goal is to simply access the network and do damage from afar.

With all these avenues for a breach, what is an enterprise CISO or CIO to do? Having a team of benevolent “hackers”/penetration testers repeatedly review the code of every IoT device for nefarious instructions  can be cost-prohibitive. Besides, it is unlikely to help the legions of consumer-grade IoT devices sharing the home LANs of your personnel as your security team won’t typically have full access.

To Pen Test IoT Devices or Not?

Still, many argue that pen testing an enterprise’s IoT devices is critical. The questions is, How often is prudent and cost-effective? The answer to that question will vary widely from one enterprise to the next.

Steve Zalewski, the deputy CISO for $6 billion global apparel firm Levi Strauss & Co., said that he sees IoT pen testing as a no-brainer. “These are untrusted unverified devices on my trusted networks,” Zalewski said. “This is immature technology without mature security controls.”

“We have got to bring some rigor,” he continued. “The problem with IoT devices is that security is not considered within the functional capabilities of the devices 

Forrester security and risk senior analyst Brian Kime also sees IoT pen testing as inevitable, but he encourages a more limited approach. He encourages CISOs to focus overwhelmingly on what the IoT device is supposed to do and how risky that environment is, as opposed to focusing on the conduit risk, which would mean repeatedly testing every single IoT device with network access.

“Using IoT pen testing makes sense, but you need to scope [it]  appropriately,” especially, he said, “if the CISO has the luxury of dedicated red teamers or (staff) pen testers. Those broadly scoped pen tests just go everywhere, and no one really knows what to do with that.” The risk with too extensive a test effort, Kime said, is “scope creep and now you’re pen testing the whole company.”

Kime argued that CISOs look at device context and functionality. “Not every device is created equal, and not every system is just going to be that critical. The badge reader that gets into the nuclear control center (should be tested), not the one that gets into the gym. Understand the criticality of the asset.”

A recent Booz Allen Hamilton report stressed that industrial control systems (ICSes) will likely have a disproportionate impact on an enterprise’s cybersecurity, given the damage that such devices could inflict. “Current ICS/IoT environments rely on network segmentation to mitigate cyber risks. Organizations need to reconsider the structure of IIoT network setups,” the report said.

Kyle Miller, Booz Allen Hamilton’s director and OT cybersecurity practice lead, said that these ICS IoT devices can be invisible to security and IT teams. Beyond shadow IT (where a business unit will purchase the device without informing IT or security) and devices that are often ignored (such as IoT lightbulbs), some systems that enterprise has purchased for years may suddenly include connected devices. An engine, for example, might house a small IoT device that the manufacturer didn’t mention, which means the enterprise would have no reason to know it’s there.

Miller mentioned one enterprise in which the motor had vibration monitoring sensors. “They may have bought that motor without even knowing that these sensors were in there,” he said.

Booz Allen Hamilton VP Morgan Bjerke said another IoT pen testing consideration is contractual and legal. Given how enterprise IT contracts have been written, some enterprises have signed away their rights to do any testing, she said. This means that CISOs and CIOs must educate legal and contracts departments that the ability for the enterprise to do IoT pen testing is critical and that contracts must reflect that.

5G, Edge Computing Present New IoT Security Threats

Bjerke also stressed that 5G is likely to further complicate a wide range of IoT security issues. Although 5G primarily deals with transmission speed, it also can significantly increase connectivity, which makes IoT security that much more problematic. 

“With 5G, some of the controls that are already in place will become less effective because the connectivity of those devices will be expanded. It’s really going to blur the edge,” Bjerke said, adding that the typical network segmentation approach will be undermined. “It is going to poke holes in that controlled space. If (IoT devices) get into one portion, they will easily move laterally because all of the devices will be connected.”

Another 5G IoT security consideration is that 5G introduces additional protocols into the network, protocols that Bjerke characterized as “less secure because they have more clear text,” he said. “As more businesses are becoming increasingly automated and connected, 5G gives more ability for the attacker to pivot.”

Take part in IoT Security Summit this December.

Tags: Security Other Content Features

Related


  • Five Principles in a Zero-Trust Security Approach to IoT
    IoT devices have created vulnerability for IT networks, but a zero-trust security approach can lock down attack vectors. Here are five key principles.
  • An Integrated Approach to IoT Security
    This e-book provides a comprehensive framework to help organizations reduce risk in IoT products and environments.
  • Addressing IoT Security Challenges From the Cloud to the Edge 
    Confronting IoT security challenges requires an in-depth examination of hardware and software functionality. 
  • Eurotech explains why “security by design” must be at the core of every IoT deployment
    When it comes to the Internet of Things (IoT), good cybersecurity practices aren’t just an optional extra, like buying a fancy case for your new smartphone. They need to be built into devices from the ground-up as a fundamental building block for connected devices. Few companies in the space understand this better than Eurotech, one […]

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • Securing IoT at the Edge Is Key to Safe IoT Operations
  • Building a Foundation for AI in Cybersecurity
  • Electric Grid Stability Assailed by Growing Challenges
  • COVID-19 Driving Data Integration Projects in IoT

Roundups

View all

IoT Product Roundup: PTC, Nokia, Arm and More

19th May 2022

IoT Deals, Partnerships Roundup: Intel, Nauto, Helium and more

14th May 2022

IoT Product Roundup: Amazon, Synaptics, Urban Control and More

27th April 2022

White Papers

View all

The Role of Manufacturing Technology in Continuous Improvement Ebook

6th April 2022

IIoT Platform Trends for Manufacturing in 2022

6th April 2022

Latest Videos

View all
Dylan Kennedy of EMQ

Embedded IoT World 2022: Dylan Kennedy of EMQ

Dylan Kennedy, EMQ’s VP of global operations, sat down with Chuck Martin at Embedded IoT World 2022.

Embedded IoT World 2022: Omdia’s Sang Oh Talks Vehicle Chip Shortage

Omdia’s automotive semiconductor analyst sits down with Chuck Martin at this year’s event

E-books

View all

How Remote Access Helps Enterprises Improve IT Service and Employee Satisfaction

12th January 2022

An Integrated Approach to IoT Security

6th November 2020

Webinars

View all

Rethinking the Database in the IoT Era

18th May 2022

Jumpstarting Industrial IoT solutions with an edge data management platform

12th May 2022

AI led Digital Transformation of Manufacturing: Time is NOW

9th December 2021

Special Reports

View all

Omdia’s Smart Home Market Dynamics Report

7th January 2022

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

IoT Security Best Practices for Industry and Enterprise

20th October 2020

Twitter

IoTWorldToday, IoTWorldSeries

Europe’s First Automated Gas Station Convenience Store dlvr.it/SR45J9 https://t.co/eDJDJ7CxkI

25th May 2022
IoTWorldToday, IoTWorldSeries

Zero-Emission, Autonomous Cargo Ship Under Development dlvr.it/SR3xgb https://t.co/3oU7CrKWkW

25th May 2022
IoTWorldToday, IoTWorldSeries

Hannover Messe 2022: 5 Key Themes at This Year’s Show dlvr.it/SR3wtW https://t.co/j0fQUiU2LW

25th May 2022
IoTWorldToday, IoTWorldSeries

Can AI Help Stop Mass Shootings? dlvr.it/SR3tqK https://t.co/VxPBdajWA3

25th May 2022
IoTWorldToday, IoTWorldSeries

China has revealed an autonomous marine drone carrier dlvr.it/SR3qXs https://t.co/yMiiqeMNrZ

25th May 2022
IoTWorldToday, IoTWorldSeries

ISQ’s #UAV inspection drones will be on display at this year’s @hannover_messe dlvr.it/SR35dg https://t.co/U6QOQtMbGw

25th May 2022
IoTWorldToday, IoTWorldSeries

👀 Looking to integrate #AI into your manufacturing process? Explore how #manufacturers can begin the process of… twitter.com/i/web/status/1…

25th May 2022
IoTWorldToday, IoTWorldSeries

The U.S. Army is getting a 5G boost for #AR #VR capabilities from #5G network provider @OceusNetworks.… twitter.com/i/web/status/1…

24th May 2022

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2022 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X