The ability to track anything — from the level of coffee left in your pot to a real-time inventory of goods in a warehouse — is compelling in any industry. With the number of IoT devices expected to reach 55.7 billion worldwide by 2025, security teams face increasing complexity and challenges in discovering, managing and securing all of these assets. Emerging data security and privacy requirements can create further complications.
Let’s take a closer look at these challenges and the IoT device asset management best practices that can help security teams overcome them.
Understanding What IoT Devices Are in Our Environments
Getting an accurate inventory of traditional devices and cloud assets is difficult enough. Add in a wide array of IoT devices with varying purposes, OS versions and highly variable lifespans — and understanding which devices security teams are responsible for securing becomes nearly impossible.
Unlike laptops or servers, IoT devices can serve a variety of purposes. The subsequent management and security priorities become complex. A sensor on a smart shelf used for warehouse inventory management is, and should be, treated differently than a connected ventilator, a temperature monitor in a power plant or a connected security camera.
Lumping IoT devices into one category isn’t useful. Instead, security teams need to understand what the device is used for, what happens if it breaks or is compromised, and how long the device should remain in use.
Identifying New IoT Devices
Once security teams have a clear understanding of what IoT devices are in their environment, the next challenge is ensuring they have the ability to identify when new devices connect to their network. New devices can show up at the drop of a hat — and they don’t always look like we expect.
Take the 2018 NASA Jet Propulsion Laboratory breach, for example. Hackers used a Raspberry Pi as an entry point into the JPL network and sat there, undetected, for nearly a year. Ultimately, the attackers made off with some 500 megabytes of data from 23 files, at least two of which contained information relating to the Mars Science Laboratory Mission.
Organizations need plans that account for devices and malicious intent from unexpected sources. Security teams should gather data from their network infrastructure and other sources, such as vulnerability scanners and endpoint protection solutions. This will help them understand which devices have access to the network and which are being managed from a security perspective. Then they’ll be able to identify new devices and determine whether or not those devices should be managed and protected by security tools.
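The correlation described above can be sketched as follows. This is an added example, not code from the original article: the record layouts, hostnames and MAC addresses are constructed, and the three inputs stand in for exports from network infrastructure, a vulnerability scanner and an endpoint protection tool.

```python
import re

def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    return digits.lower() if len(digits) == 12 else None

def is_locally_administered(mac):
    """True when the U/L bit is set (randomized or software-assigned MAC)."""
    return bool(int(mac[:2], 16) & 0x02)

def correlate(network_seen, scanner_assets, edr_assets, baseline):
    """Classify every device seen on the network by security coverage."""
    scanned = {normalize_mac(m) for m in scanner_assets}
    protected = {normalize_mac(m) for m in edr_assets}
    known = {normalize_mac(m) for m in baseline}
    report = {}
    for entry in network_seen:
        mac = normalize_mac(entry["mac"])
        if mac is None:
            continue  # malformed record; a real pipeline would log it
        coverage = ("managed" if mac in protected
                    else "scanned-only" if mac in scanned else "unmanaged")
        report[mac] = {
            "hostname": entry.get("hostname", ""),
            "coverage": coverage,
            "new": mac not in known,  # absent from the last inventory
            "randomized_mac": is_locally_administered(mac),
        }
    return report

def needs_review(report):
    """MACs that are new or have no security tooling attached."""
    return sorted(m for m, r in report.items()
                  if r["new"] or r["coverage"] == "unmanaged")

# Constructed sample data; each source uses a different MAC notation.
NETWORK_SEEN = [
    {"mac": "00:1A:2B:3C:4D:5E", "hostname": "hvac-sensor-01"},
    {"mac": "B8-27-EB-12-34-56", "hostname": "raspberrypi"},
    {"mac": "001a.2b3c.4d5f", "hostname": "cam-lobby"},
    {"mac": "DA:A1:19:00:00:01", "hostname": ""},
]
SCANNER = ["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"]
EDR = ["001A2B3C4D5E"]
BASELINE = ["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"]

if __name__ == "__main__":
    result = correlate(NETWORK_SEEN, SCANNER, EDR, BASELINE)
    print(needs_review(result))
```

Devices with a randomized MAC cannot be tracked reliably by address alone, so the report flags them for identification by other means, such as switch port or certificate.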
Understanding Configuration Options
In addition to monitoring for unexpected IoT devices, security teams must make sure the devices they have identified aren’t at risk from newly disclosed vulnerabilities or from insecure, default configurations.
Successful exploits are frequently made public for corporate IoT devices like connected TVs and IP cameras, and for employee IoT devices like smart watches, fitness trackers, and more.
Consider the 2016 attack of the “zombie baby monitors,” where hackers exploited a whole army of household IoT devices like baby monitors, webcams and video recorders. The devices — all set with default usernames and passwords — were infected with malware and ordered to carry out distributed denial of service (DDoS) attacks on popular websites, causing multiple outages. However, attacks can also compromise devices by turning them off, intercepting live audio and video, or by siphoning any data they transmit.
The moral of the story here? The rapid shift toward remote work means that even consumer IoT devices that aren’t connected to company networks can pose a risk to enterprise security teams. Make sure devices aren’t operating with their default security settings, and can’t be easily taken over.
Knowing When an IoT Device Will Fail
Because IoT devices are typically made of inexpensive materials, they often don’t last long. The severity of an IoT device malfunction depends on what the device is and what it’s used for. The failure of an internet-connected insulin pump, for example, could be a matter of life or death. The same goes for malfunctioning temperature control sensors at a pharmaceutical warehouse.
While longevity depends on the device itself, it’s important to have device life cycle monitoring and reporting in place to alert when a device is about to fail.
Don’t Rely on Regulatory Requirements Alone
The recently passed Internet of Things Cybersecurity Improvement Act puts greater scrutiny on device manufacturers. The IoT act will establish security standards through the National Institute of Standards and Technology, and set recommendations for secure development, identity management and effective vulnerability and patch management of IoT devices. Similar laws were passed in early 2020 in California, overseas in the U.K., and in other nations.
What do regulations mean for security teams? Holding manufacturers responsible for making devices more secure by design will lessen the headache for enterprise security teams, but regulations don’t eliminate the problem entirely. Security teams still need to identify managed and unmanaged IoT devices, apply protections when appropriate and respond quickly to potential incidents.
The only way to keep pace with the rise of IoT risks is to incorporate automation across security and IT functions. Security and IT teams should build out policies and orchestration processes to ensure IoT devices are identified and consistently secured. Consider automated triggers for the following:
- Alerting: Creating a ticket or an automated notification anytime newly identified IoT devices are found.
- Applying security controls and tools: Taking actions, like updating vulnerability scans when an unmanaged IoT device appears on a production network or when configurations change.
- Enriching data: Gathering data from third parties to see what IoT device data is available to the public internet.
- Replacing end-of-life IoT devices: When an IoT device is about to fail, inform other business units to coordinate the replacement of devices.
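One way to evaluate these four triggers against an inventory record on every scheduled run, without opening duplicate tickets. This is an added example, not code from the original article: the action names, record fields, 90-day lead time and sample devices are all hypothetical.

```python
from datetime import date, timedelta

REPLACE_LEAD_TIME = timedelta(days=90)  # assumption: notice needed to swap a device

def _key(device, action):
    # A scan must re-fire for each distinct configuration; other actions fire once.
    extra = device["config_hash"] if action == "update_vuln_scan" else None
    return (device["id"], action, extra)

def evaluate(device, today, already_fired):
    """Return the actions due for one inventory record, skipping repeats."""
    due = []
    if device["new"]:
        due.append("open_ticket")               # alerting
        due.append("enrich_external_exposure")  # enriching data
    config_changed = device["config_hash"] != device["approved_config_hash"]
    unmanaged_prod = (device["coverage"] == "unmanaged"
                      and device["segment"] == "production")
    if config_changed or unmanaged_prod:
        due.append("update_vuln_scan")          # applying security controls
    end_of_life = device["installed"] + timedelta(days=device["service_life_days"])
    if end_of_life - today <= REPLACE_LEAD_TIME:
        due.append("notify_replacement")        # replacing end-of-life devices
    fresh = [a for a in due if _key(device, a) not in already_fired]
    already_fired.update(_key(device, a) for a in fresh)
    return fresh

# Constructed inventory records.
INVENTORY = [
    {"id": "cam-lobby", "new": False, "coverage": "scanned-only",
     "segment": "production", "config_hash": "c2", "approved_config_hash": "c1",
     "installed": date(2019, 3, 1), "service_life_days": 1825},
    {"id": "raspberrypi", "new": True, "coverage": "unmanaged",
     "segment": "production", "config_hash": "p1", "approved_config_hash": "p1",
     "installed": date(2023, 6, 1), "service_life_days": 1825},
]
TODAY = date(2024, 1, 15)

if __name__ == "__main__":
    fired = set()  # in practice this state is persisted between runs
    for record in INVENTORY:
        print(record["id"], evaluate(record, TODAY, fired))
```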
Security and IT teams need to rethink the fundamentals of tracking IoT assets. Those that take these steps now will be more confident in their ability to adapt to the continued widespread adoption of IoT in the future.