Every IT security professional is well aware that the Internet of Things (IoT) is going to give rise to a host of IT security issues. What many don’t appreciate is just how big an issue IoT security has already become.
There are more than eight billion IoT devices in the market today and over 20 billion expected to be deployed around the world by 2020, according to a variety of sources. More devices means more vulnerabilities. As these devices become more elaborate over the next few years, cybersecurity efforts must also intensify.
A new report released by the Ponemon Institute and Shared Assessments last month indicates that 81 percent of respondents believe unsecured IoT devices will likely cause a data breach in their organisation in the next 12 months and 97 percent say such a breach could be catastrophic.
The real IoT security issue is that cybersecurity professionals are once again chasing after an emerging class of technologies after they’ve been deployed in production. Industrial control systems (ICS) have been around for decades, but many have only recently been hooked up to the Internet and exposed to increasingly sophisticated attacks. A security breach involving an ICS platform could easily wind up costing millions of dollars – Maersk, Nissan and Renault are well publicised examples.
Unfortunately, the decision to connect something to the Internet all too often occurs without any consultation with IT security teams. Rather than waiting to discover these issues, IT security teams need to assume elements of the organisation are attaching critical systems to the Internet without their knowledge. Based on that assumption, it then behoves the IT security team to go looking for those systems.
Naturally, IoT security involves a lot more than ICS platforms. Everything from cameras to smart toys and other consumer level devices are being hijacked to create armies of bots to launch massive distributed denial of service (DDoS) attacks against specific targets. School security; hospital medical devices; building heating, ventilation and air conditioning systems; and city street lights, are all being hooked up to the IoT.
Some platforms are obviously more critical than others. IT security teams are now in a race to discover where those platforms are before anybody with much more malevolent intentions finds them first. Of course, most IT security teams are already overwhelmed combating the number of threats traditional IT applications and systems already face.
How can you protect your network?
There are a number of steps you can take to protect your network from rising IoT challenges:
1) Establish controls on the company network. The person in charge of the environmental controls and smart thermostats doesn't have to be the person who is securing them. Assign the responsibility to someone who is capable of evaluating the security of the devices, as well as how those devices will impact the network.
2) Create and follow minimum security standards. Disable the default credentials, create a new user for the device administrator. Close unused ports and disable unused services.
3) Take advantage of device security features. It may be a nuisance to take the extra couple of steps to log into a camera or a thermostat, but it's worth it to secure these devices.
4) Organise the management of these devices as much as possible. Conduct an inventory of the network and remove devices that aren’t necessary or approved. Set up the management of remaining devices in a single ‘pane of glass' if possible. Schedule recurring update checks on all of the devices and install updates as needed. Also, document and keep copies of any custom configurations of your devices.
5) Secure devices with a perimeter firewall, just like you would any endpoint on your network. Look into additional network security specifically for these smart devices, if necessary.
6) Maintain reliable backups. This is key to recovering data from a breach, such as a ransomware attack. Even if you don’t have data stored on your devices, you will experience downtime and probably some frustration if you have to reset all of your devices from memory.
Properly managing enterprise networks is critical to key business operations as more businesses adopt IoT. As these networks grow larger and more complex, it’s important to implement robust security and performance of endpoint devices.
About the author
Mark Lukie is a senior sales engineer for Australia and New Zealand at Barracuda Networks. He has over 16 years’ experience in networking, security, backup/disaster recovery, public cloud platforms, as well as systems integration. For more information, visit: https://www.barracuda.com/