As a security professional I’d like you to consider the following scenario. You’re constantly adding new laptops to your organization, devices that connect to your corporate networks and will hold and transit incredibly valuable and sensitive data. All of these laptops come into your company with exactly the same password and also with administrative access that is the same for all. You hand them out to employees anxious to get going with their work, and deep in the instructions you send them you say “by the way, update the password when you have a chance”. Anyone see an opportunity for things to go wrong? Of course you do – very likely your organization will face a massive data breach within days if not hours after you’ve deployed those laptops.
Replace the word “laptop” with “IoT device” and you can see the security threat organizations are facing from their vast IoT attack surface. Virtually all organizations have a corporate Information Security policy, and all of them have requirements for changing passwords, rotating them on a regular basis, and ensuring a minimal level of complexity for those passwords. Yet many organizations view InfoSec policies as applying only to IT systems and ignore all the network-connected IoT devices, leading to where we are today – IoT devices are breached on a daily basis and can be the start of an attack that moves laterally into the heart of your organization. Here are some ideas to help you prevent this from happening to you.
First, ensure that all parts of your organization are compliant with your corporate InfoSec policies. The operators of IoT devices should be working together across organizational lines to share and deploy best practices for making this happen, and should have metrics to show how successful those efforts are. Whether it is an IP camera run by the Physical Security team, a lighting control system run by Facilities, or a digital control system within Manufacturing, they all share the same need for solutions that are agentless and automated and can report on the status of all devices.
Second, as the old adage goes, “use the right tool for the job”. Don’t try to use an IT security solution to secure your IoT systems. With a purpose-built tool you will accomplish your goals more quickly and efficiently, and you avoid forcing a tool into an unintended purpose, which will prove to be frustrating and ineffective. When it comes to application-based discovery, firmware patching, password rotation, or certificate management, you need agentless solutions that are purpose-built for IoT in order to address the scale at which IoT devices exist within your organization.
Third, keep up to speed on industry and governmental efforts on standards and best practices. Just today the UK government put into effect a new IoT law that requires that IoT devices not come with default passwords and that passwords be changed upon installation (similar to a law passed in California in 2020). Check CISA’s Known Exploited Vulnerabilities (KEV) catalog, which is frequently updated with vulnerabilities currently being used to attack and breach IoT devices. Also dig into CISA’s mandates to Federal civilian agencies around timely firmware patching of IoT devices, and the increasing requirements of cyber security policy providers that you demonstrate you are in control of IoT security.
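To make the first and third recommendations concrete, here is an added example (not code from the original post or from any product it refers to) of the kind of cross-team status report an agentless audit should produce: it checks a constructed device inventory for factory-default credentials and overdue password rotation, and cross-references vendor and product against a catalog in the shape of CISA’s KEV JSON feed. The device records, vendor names, the 90-day rotation interval and the CVE ids are all constructed placeholders, not real entries.

```python
"""Audit a constructed IoT inventory for credential policy and KEV exposure."""
import json
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90          # assumed rotation interval from the InfoSec policy
SAMPLE_TODAY = date(2024, 5, 1)     # fixed audit date so the sample run is reproducible

# Constructed inventory. 'rotated' is the last password change; None means the
# factory default credential has never been replaced since deployment.
INVENTORY = [
    {"id": "cam-01", "owner": "Physical Security", "vendor": "ExampleCam",
     "product": "IP Camera", "rotated": date(2024, 1, 15)},
    {"id": "lc-07", "owner": "Facilities", "vendor": "ExampleLight",
     "product": "Lighting Controller", "rotated": None},
    {"id": "plc-03", "owner": "Manufacturing", "vendor": "ExamplePLC",
     "product": "Control Unit", "rotated": date(2024, 4, 20)},
]

# Constructed excerpt using the field names of the KEV feed; the CVE id is a placeholder.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCam", "product": "IP Camera",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-05-15"},
]})

def kev_index(kev_json):
    """Map (vendor, product), lower-cased, to the catalog entries for that product."""
    idx = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        idx.setdefault((v["vendorProject"].lower(), v["product"].lower()), []).append(v)
    return idx

def audit(inventory, kev_json, today):
    """Return {device id: [finding, ...]}; devices with no findings are omitted."""
    kev = kev_index(kev_json)
    report = {}
    for dev in inventory:
        findings = []
        if dev["rotated"] is None:
            findings.append("factory default credential never changed")
        elif (today - dev["rotated"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"password not rotated in {(today - dev['rotated']).days} days")
        for e in kev.get((dev["vendor"].lower(), dev["product"].lower()), []):
            findings.append(f"in KEV: {e['cveID']} (due {e['dueDate']}): {e['requiredAction']}")
        if findings:
            report[dev["id"]] = findings
    return report

def summary_by_owner(report, inventory):
    """Per operating team: devices with open findings / devices owned (the metric)."""
    counts = {}
    for dev in inventory:
        bad, total = counts.get(dev["owner"], (0, 0))
        counts[dev["owner"]] = (bad + (dev["id"] in report), total + 1)
    return {owner: f"{bad}/{total}" for owner, (bad, total) in counts.items()}
```

Running `audit(INVENTORY, KEV_SAMPLE, SAMPLE_TODAY)` flags the camera (stale password and a KEV listing) and the lighting controller (default credential), while `summary_by_owner` gives each team its own compliance ratio.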
As we are in the thick of security conference season, it’s worth noting that most conferences now have sessions, sandbox demos, and meetups specific to IoT security. The recent ISC West conference in Las Vegas featured several sessions specific to IoT security and governance, as will the upcoming RSA, Black Hat, and Converge conferences. These are great opportunities to learn about current best practices and discuss how other companies are addressing this. Your current service providers and system integrators are also ready to help. The past year has seen an explosion in the number and scope of managed service offerings for IoT security, providing a great starting point for organizations looking to move quickly to reduce their IoT attack surface. The increased focus on securing IoT and the availability of solutions are directly related to the risk IoT presents to organizations; don’t wait to act on implementing better and more effective governance over those threats.