Top Four Considerations for IoT Security

How many IoT devices are on your network? Globally, there are an estimated 18 billion smart devices online, with that number expected to grow to nearly 40 billion by 2033. Of all those networked devices, about 40% serve as part of organizational operational technology (OT). All those IoT devices are leading to more maintenance headaches, more potential vulnerabilities and security risks – and more attacks. In fact, a 2023 analysis showed a stunning 400% growth in IoT malware attacks from 2022 to 2023, with 350+ unique malware attack payloads in evidence. 

 

 

Pervasive IoT

IoT devices are a part of just about every industry, including manufacturing, energy, healthcare, retail, and more. In healthcare, we see patient monitoring devices, inhalers, implanted devices, and even ingestible sensors with IP addresses; devices that literally have lives depending on them. The energy sector uses IoT devices to monitor crucial safety metrics such as pressure, temperature, and oxygen levels, as well as productivity metrics such as equipment utilization. The retail industry uses IoT to help monitor inventory and handle POS. And irrespective of industry, many physical sites will have equipment like printers, smart thermostats, door sensors, security systems, moisture sensors, and even safety equipment like smoke detectors and carbon monoxide sensors that can be accessed via a network. 

While these connected devices certainly can enhance efficiency and the user experience, they introduce risk. There are four key issues that your organization must consider to properly secure your IoT devices: 

1. Inventory Management 

It may seem obvious, but the first step in adequately managing IoT devices in your environment is knowing what and where they are. You should conduct a full inventory assessment to understand what devices are on your network, where they are located (both physically and logically), and what devices they can connect or communicate with. This is an ongoing process, not only to catalogue authorized devices, but to identify any rogue devices in your environment that have not been deployed following the approved process. “Unknown” devices are unmonitored, unmanaged, and almost certainly undesirable. 
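As an added illustration (not code from the original article), the sketch below reconciles an approved inventory against what the network actually reports, flagging rogue devices, approved devices seen in the wrong logical location, and inventoried devices that were not observed. The CSV layouts, device names, MAC addresses and VLAN numbers are constructed assumptions; in practice the observed list would come from a DHCP lease export or switch MAC table.

```python
import csv
import io

# Constructed sample data: approved inventory (MAC, name, expected VLAN).
APPROVED_CSV = """mac,name,vlan
00:11:22:33:44:01,lobby-thermostat,30
00:11:22:33:44:02,floor2-printer,20
00:11:22:33:44:03,dock-door-sensor,30
"""

# Constructed sample data: what a DHCP lease export or switch MAC table shows.
OBSERVED_CSV = """mac,ip,vlan
00-11-22-33-44-01,10.30.0.11,30
0011.2233.4402,10.10.0.57,10
AA:BB:CC:DD:EE:FF,10.30.0.99,30
"""


def norm_mac(mac):
    """Normalise colon, dash and dotted MAC notations to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load(text):
    """Parse CSV text into a dict keyed by normalised MAC."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(approved_text, observed_text):
    """Compare observed devices with the approved inventory."""
    approved, observed = load(approved_text), load(observed_text)
    report = {"rogue": [], "wrong_segment": [], "not_seen": []}
    for mac, seen in observed.items():
        if mac not in approved:
            report["rogue"].append((mac, seen["ip"], seen["vlan"]))
        elif seen["vlan"] != approved[mac]["vlan"]:
            report["wrong_segment"].append(
                (approved[mac]["name"], approved[mac]["vlan"], seen["vlan"]))
    for mac, dev in approved.items():
        if mac not in observed:
            report["not_seen"].append(dev["name"])
    return report


if __name__ == "__main__":
    for finding, items in reconcile(APPROVED_CSV, OBSERVED_CSV).items():
        print(finding, items)
```

A matching MAC address only shows that the address is known, not that the device is genuine, so treat the output as inventory hygiene that feeds investigation rather than as device authentication.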

2. Lifecycle Management 

While they aren’t traditional endpoints, IoT devices in your environment introduce familiar lifecycle management considerations. When looking at adding IoT devices, consider factors like what problems you’re trying to solve, the total cost of the equipment, compatibility with existing systems and services, and how the devices will be securely offboarded at the end of their useful lives. Some of the questions to address are: 

  • How will these be managed? It may be onsite staff, a third-party contractor, or it could be the vendor. The primary considerations are the best practices around initial configuration and security hardening (including changing default passwords), but also include physical maintenance, vulnerability management, security patching, and upgrade cadences. 
  • Who will be permitted to access or modify the devices, both physically and logically? 
  • What type of monitoring will be performed? Determine what level of logging is available and establish a schedule for reviewing those logs. Ideally, those logs would be integrated with a SIEM to enable real-time monitoring, providing alerts for suspicious activity or unscheduled downtime. 

Also consider whether the device is compatible with your current network and whether the one purchase will require future purchases, further locking you into a specific vendor’s ecosystem. Finally, will the device’s requirements align with your organization’s network security policies? If a device requires you to allow communication over a port or protocol that violates your security policy, will you accept that risk or find an alternative solution? Does that communication need to be encrypted? What security standards need to be followed in order to maintain compliance? Vulnerability and risk assessments are crucial here. 

3. Network Segmentation 

Network segmentation is essential to protect your IoT devices – and the rest of your network – should the devices be compromised. How you choose to segment your network depends on your goals and the requirements of your IoT devices. The optimal solution is always to take a zero-trust and least-privilege approach, granting as little access as possible for the devices to still properly function and interact.  

Your network and security teams should consult with the system owners to discuss the ideal balance between usability and security before implementation. This will help minimize the risk of these systems being a target for an attacker – either directly or via lateral movement through your network. This of course should be an additional security measure to complement your network monitoring and vulnerability management tools. 
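One way to check that a segment really is least-privilege, shown here as an added example rather than anything from the original article: express the flows an IoT segment needs as a default-deny allowlist and audit observed flow records against it. The subnets, ports, the MQTT broker and the flow records are all constructed assumptions.

```python
import ipaddress

# Hypothetical least-privilege policy: for each IoT segment, the only
# destinations (network, protocol, port) its devices need in order to function.
POLICY = {
    "10.30.0.0/24": [                    # building-sensor VLAN (constructed)
        ("10.5.0.10/32", "tcp", 8883),   # internal MQTT-over-TLS broker
        ("10.5.0.53/32", "udp", 53),     # internal DNS resolver
    ],
}

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port).
FLOWS = [
    ("10.30.0.11", "10.5.0.10", "tcp", 8883),
    ("10.30.0.11", "10.5.0.53", "udp", 53),
    ("10.30.0.12", "10.10.0.57", "tcp", 445),   # IoT device reaching a user VLAN
    ("10.30.0.12", "203.0.113.7", "tcp", 23),   # unexpected outbound telnet
    ("10.10.0.57", "10.5.0.10", "tcp", 443),    # not from a governed segment
]


def compile_policy(policy):
    """Pre-parse the policy's CIDR strings into network objects."""
    return [(ipaddress.ip_network(seg),
             [(ipaddress.ip_network(dst), proto, port)
              for dst, proto, port in rules])
            for seg, rules in policy.items()]


def violations(flows, policy):
    """Return flows that start in a governed segment and match no allow rule."""
    compiled = compile_policy(policy)
    out = []
    for src, dst, proto, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for segment, rules in compiled:
            if s not in segment:
                continue
            allowed = any(d in net and proto == p and port == prt
                          for net, p, prt in rules)
            if not allowed:  # default deny: anything not listed is a finding
                out.append((src, dst, proto, port))
    return out


if __name__ == "__main__":
    for flow in violations(FLOWS, POLICY):
        print("policy violation:", flow)
```

The same allowlist can serve as the starting point for the firewall rules agreed with system owners, with the audit output feeding network monitoring.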

4. Vendor Management 

The type of IoT devices your organization is acquiring will influence the relationship you have with your vendor. Your organization may also be able to vary the level of vendor involvement by purchasing specific subscriptions, service plans, or professional service hours. For example, required safety systems like smoke detectors and carbon monoxide sensors may be something your organization opts to have the vendor install and service. In some cases, the vendor may even require they be the ones to perform all installation and maintenance, or else the warranty might be voided. 

In the event the vendor is responsible for installation and/or maintenance, network segmentation and security monitoring become even more important. Giving another organization access to your network, particularly devices which you may have little direct interaction with, exposes your network to additional risk. This is where security features like VLANs, firewall rules, and network access control policies become crucial to mitigating risk. Again, zero-trust and least-privilege approaches will minimize the impact of a supply-chain compromise or third-party security incident.  

 

 

Plan Today for a Secure Tomorrow

The variety of IoT devices on the market provides an amazing opportunity to improve your organizational efficiency and user experience. It’s essential, however, to understand that they are not simply “set-and-forget” devices. Unless these key security issues are considered and addressed, you are exposing your organization to heightened risk and potentially serious consequences. 

Whether you’re thinking of adding IoT devices to your environment, or you want to evaluate the potential risk presented by your current fleet of existing IoT devices, ISA Cybersecurity can help you make informed decisions. Contact us today. 
