Top Four Considerations for IoT Security

Pervasive IoT

IoT devices are a part of just about every industry, including manufacturing, energy, healthcare, retail, and more. In healthcare, we see patient monitoring devices, inhalers, implanted devices, and even ingestible sensors with IP addresses; devices that literally have lives depending on them. The energy sector uses IoT devices to monitor crucial safety metrics such as pressure, temperature, and oxygen levels, as well as productivity metrics such as equipment utilization. The retail industry uses IoT to help monitor inventory and handle POS. And irrespective of industry, many physical sites will have equipment like printers, smart thermostats, door sensors, security systems, moisture sensors, and even safety equipment like smoke detectors and carbon monoxide sensors that can be accessed via a network. 

While these connected devices certainly can enhance efficiency and the user experience, they introduce risk. There are four key issues that your organization must consider to properly secure your IoT devices: 

1.Inventory Management 

It may seem obvious, but the first step in adequately managing IoT devices in your environment is knowing what and where they are. You should conduct a full inventory assessment to understand what devices are on your network, where they are located (both physically and logically), and what devices they can connect or communicate with. This is an ongoing process, not only to catalogue authorized devices, but to identify any rogue devices in your environment that have not been deployed following the approved process. “Unknown” devices are unmonitored, unmanaged, and almost certainly likely undesirable. 

2. Lifecycle Management 

While they aren’t traditional endpoints, IoT devices in your environment introduce familiar lifecycle management considerations. When looking at adding IoT devices, consider factors like what problems you’re trying to solve, the total cost of the equipment, compatibility with existing systems and services, and how the devices will be securely offboarded at the end of their useful lives. Some of the questions to address are: 

• How will these be managed? It may be onsite staff, a third-party contractor, or it could be the vendor. The primary considerations are the best practices around initial configuration and security hardening (including changing default passwords), but also include physical maintenance, vulnerability management, security patching, and upgrade cadences. 

• Who will be permitted to access or modify the devices, both physically and logically? 

• What type of monitoring will be performed? Determine what level of logging is available and establish a schedule for reviewing those logs. Ideally, those logs would be integrated with a SIEM to enable real-time monitoring, providing alerts for suspicious activity or unscheduled downtime. 

Also consider whether it’s compatible with your current network and whether the one purchase will require future purchases, further locking you into a specific vendor’s ecosystem. Finally, will the device’s requirements align with your organization’s network security policies? If a device requires you to allow communication over a port or protocol that violates your security policy, will you accept that risk or find an alternative solution? Does that communication need to be encrypted? What security standards need to be followed in order to maintain compliance? Vulnerability and risk assessments are crucial here. 

3. Network Segmentation 

Network segmentation is essential to protect your IoT devices – and the rest of your network – should the devices be compromised. How you choose to segment your network depends on your goals and the requirements of your IoT devices. The optimal solution is always to take zero-trust and least-privilege approach, granting as little access as possible for the devices to still properly function and interact.  

Your network and security teams should consult with the system owners to discuss the ideal balance between usability and security before implementation. This will help minimize the risk of these systems being a target for an attacker – either directly or via lateral movement through your network. This of course should be an additional security measure to complement your network monitoring and vulnerability management tools. 

4. Vendor Management 

The type of IoT devices your organization is acquiring will influence the relationship you have with your vendor. Your organization may also be able to vary the level of vendor involvement by purchasing specific subscriptions, service plans, or professional service hours. For example, required safety systems like smoke detectors and carbon monoxide sensors may be something your organization opts to have the vendor install and service. In some cases, the vendor may even require they be the ones to perform all installation and maintenance, or else the warranty might be voided. 

In the event the vendor is responsible for installation and/or maintenance, network segmentation and security monitoring become even more important. Giving another organization access to your network, particularly devices which you may have little direct interaction with, exposes your network to additional risk. This is where security features like VLANs, firewall rules, and network access control policies become crucial to mitigating risk. Again, zero-trust and least-privilege approaches will minimize the impact of a supply-chain compromise or third-party security incident.