Clearly, IoT security is more important than ever before – but unfortunately, IoT security is also more challenging than ever before.
Some background: the COVID-19 pandemic and lockdown of 2020 threw all of the analyst predictions into chaos, but as the economy starts to emerge from the crisis, IT spending is once again expected to resume, and that includes the growth of the Internet of Things (IoT).
IoT is not a monolithic category but breaks down into numerous industries and use cases. Forrester Research predicts that in 2021, the IoT market growth will be driven by healthcare, smart offices, location services, remote-asset monitoring, and new networking technologies.
Much of that is being driven by the fallout from COVID-19. The explosion in remote work is driving some of this, as is remote medicine. New devices are coming out to do diagnosis for patients who can’t or won’t go in to see their doctor.
One of the key concerns related to the successful adoption of the IoT is having sufficient security mechanisms in place. This is especially important for IoT medical devices, because health care is so heavily regulated for privacy reasons.
And it’s not just securing the specific IoT devices, it’s all devices. Your connected refrigerator might not appear to be much of a threat to the security of your home if it is compromised by a hacker, but it can act as a gateway to more important devices on your home network. Then it becomes as significant as a heart monitor.
The same applies to industrial IoT (IIoT). Last summer it was revealed that Russian hackers penetrated the control systems of U.S. nuclear power plants. The consequences for such a compromise to a global manufacturing operation are considerable.
So it’s no surprise IoT security has been top of mind for IT managers for some time.
Understanding IoT – and Its Complexity
The Internet of Things (IoT) is a collection of devices that are connected to the Internet; these IoT devices are not traditional computing devices. Think of electronic devices that haven’t historically been connected, like copy machines, refrigerators, heart and glucose meters, or even the coffee pot.
The IoT is a hot topic because of its potential to connect previously unconnected devices and bring connectivity to places and things normally isolated. Research suggests improved employee productivity, better remote monitoring, and streamlined processes are among the top benefits for companies that embrace IoT.
What Should You Know About IoT Security?
There is an unfortunate pattern in technology that has repeated over the years; we rush to embrace the new and secure it later. Such has been the case with IoT devices. They often make the news because of hacks, ranging from mild to severe in their threat.
IoT security is top of mind at the Department of Homeland Security, which produced a lengthy paper on securing IoT devices. While the document is five years old and much has changed in the IoT world, many of the principals and best practices outlined are still valid and worthy of consideration.
Research from 451 Research shows 55% of IT professionals list IoT security as their top priority – and the figure is likely growing. So what can you do to secure your IoT devices? A lot, and over many areas. Let’s dig in.
1) Assume Every IoT Device Needs Configuring
When the market sees the advent of smart cat litter boxes and smart salt shakers, you know we’re at or approaching peak adoption for IoT devices. But don’t just ignore such features or assume they are securely configured out of the box. Leaving them unconfigured and not locked down is an opening to a hacker, whatever the device.
2) Know your Devices
It’s imperative that you know which types of devices are connected to your network and keep a detailed, up-to-date inventory of all connected IoT assets.
You should always keep your asset map current with each new IoT device connected to the network and know as much as possible about it. Facts to know include manufacturer and model ID, the serial number, software and firmware versions, and so forth.
3) Require Strong Login Credentials
People have a tendency of using the same login and password for all of their devices, and often the passwords are simple.
Make sure every login is unique for every employee, and require strong passwords. Use two-factor authorization if it’s available, and always change the default password on new devices. In order to ensure trusted connections, use public key infrastructure (PKI) and digital certificates to provide a secure underpinning for device identity and trust.
4) Use End-to-End Encryption
Connected devices talk to one another, and when they do, data is transferred from one point to another, and all too often when no encryption. You need to encrypt data at every transmission to protect against packet sniffing, a common form of attack. Devices should have encrypted data transfer as an option. If they don’t, consider alternatives.
5) Make Sure to Update the Device
Make sure to update the device on first use, as the firmware and software may have been updated between when the device was made and when you bought it. If the device has an auto-update feature, enable it so you don’t have to do it manually. And check the device regularly to see if it needs updating.
On the server side, change the name and password of the router. Routers are often named after the manufacturer by default. It’s also recommended that you avoid using your company name in the network.
6) Disable Features You Don’t Need
A good step in protecting a device is to disable any feature or function you don’t need. That includes open TCP/UDP ports, open serial ports, open password prompts, unencrypted communications, unsecured radio connections or any place a code injection can be done, like a Web server or database.
7) Avoid Using Public Wi-Fi
Using the Wi-Fi at Starbucks is rarely a good idea, but especially when connecting to your network.
All too often public Wi-Fi access points are old, outdated, not upgraded, and have easily broken security. If you must use public Wi-Fi, use a Virtual Private Network (VPN).
8) Build a Guest Network
A guest network is a good security solution for visitors who want to use your Wi-Fi either at home or in the office. A guest network gives them network access but walls them off from the main network so they can’t access your systems.
You can also use a guest network for your IoT devices, so if a device is compromised, the hacker will be stuck in the guest network.
9) Use Network Segmentation
Network segmentation is where you divide a network into two or more subsections to enable granular control over lateral movement of traffic between devices and workloads. In an unsegmented network, nothing is walled off. Every endpoint can communicate with another, so once a hacker breaches your firewall they have total access. In a network that is segmented, it becomes much harder it is for hackers to move around.
Enterprises should use virtual local area network (VLAN) configurations and next-generation firewall policies to implement network segments that keep IoT devices separate from IT assets. This way, both groups can be protected from the possibility of a lateral exploit.
Also consider deploying a Zero Trust Network architecture. Like its name implies, Zero Trust basically secures every digital asset and makes no assumption of trust from another digital asset, thus limiting the movement of someone with unauthorized access.
10) Actively Monitor IoT Devices
We can’t stress this enough: real-time monitoring, reporting and alerting are imperative for organizations to manage their IoT risks.
Traditional endpoint security solutions often don’t work with IoT devices so a new approach is required. That means real-time monitoring for unusual behavior. Just as with a Zero Trust network, don’t let IoT devices access your network without keeping a constant eye on them.