The Internet of Things (IoT) is all around us, from baby monitors and home security cameras to smart vehicles, smart power grids, and the emerging smart city. In recent years the IoT has transformed, and continues to transform, how we live and work.
Last year's National Cyber Security Awareness Month (October) focused heavily on connected devices and emerging technologies. The campaign has ended, but the need to raise awareness and improve the security maturity of IoT devices persists. This article looks at the ubiquity of IoT devices, the security threats they can pose, and how organizations can capture their value securely through a robust IoT governance approach.
Why is an IoT governance strategy necessary?
The Internet of Things is fast becoming the Internet of Everything. Experts estimate that as of 2020 there are more than 30 billion IoT devices in use around the globe. And with this massive adoption and expansion of connected devices comes associated risks. After all, the technology powering the IoT is still both immature and largely unregulated.
Where general-purpose computers serve a wide range of use cases, IoT devices are usually built for one narrow purpose. Computers are never 100% secure either, but they benefit from a mature ecosystem of security tooling (endpoint agents, patch management, logging) that most IoT devices cannot run and their vendors rarely provide.
What makes the IoT security landscape even more complex is that compromise rarely leaves tell-tale signs: the device has no screen, keeps no meaningful logs, and hosts no agent that could raise an alert. But surely no harm can come from a smart light switch or sensor being accessed ... or can it?
You may be surprised. For instance, if a malicious actor is able to monitor the use of that seemingly innocuous smart light switch or sensor, they may be able to read patterns around when a particular home’s residents or office’s tenants are and aren’t present. And that would be good information to know if planning a robbery.
Compromised devices can also be hijacked to mine cryptocurrency on the attacker's behalf.
An attacker may even use the compromised device as an entry point into the network, pivoting from it to other systems on the same segment. That can lead to sensitive or personally identifiable information, and the device itself can be conscripted into a botnet to launch DDoS attacks or to distribute malware.
Internet-connected devices therefore pose a great deal of risk if they are not managed responsibly.
Ensuring organizational devices present the least possible risk
As of now, governments are putting little regulatory pressure on device manufacturers to build security into their design process. At the same time, consumers tend to choose the least expensive device that still does the job at the center of their purchasing decision. With little pressure from either side, manufacturers treat security as a non-essential cost of production.
But, that doesn’t eliminate the risk.
Device manufacturers responsible for the software powering IoT devices should make secure development practices and Security by Design principles the foundation of every software development process.
Static application security testing (SAST), software composition analysis (SCA) and interactive application security testing (IAST) should also be applied across the whole ecosystem, not just the firmware, because even a small flaw in the device or in a companion component (for example, the mobile application or the vendor's management portal) can become the first link in a chain of exploits.
While device security remains in a rather immature state, there are actionable ways in which IoT devices in use within a home and/or organization can be managed to present the least risk. Some of those strategies include:
- Keep IoT devices on their own network. Put them on a dedicated segment (their own VLAN or Wi-Fi SSID) with firewall rules that allow only the flows they need. That way, a breached device cannot reach the operational network directly.
- Catalog and track all IoT devices in use. Record each connected device and monitor its activity. Even that seemingly benign smart switch can reveal unusual network communications that turn out to be malicious: a jump in traffic volume, or connections to servers the device has no business contacting, is a good indication that something is wrong. An inventory also shows which devices are on the network that nobody has cataloged at all.
- Don't ignore supporting software. The software and mobile applications that make up the IoT device's ecosystem carry their own security and privacy risks. Keep them cataloged as well, so that when a patch or update is released, or a known vulnerability is published, the organization is in a position to act on it immediately.
- Limit use of untrusted equipment. Choose trusted brands that take security seriously; it is far easier to build a governance model around a device whose vendor publishes updates and documents its behavior. Personal devices that employees bring from home (e.g., smart watches) should be treated as untrusted and allowed to connect only to a separate network. This gives employees a workable option without exposing the organization's primary network.
- Educate employees. Training should match each role's relationship to the IoT device(s). All employees need to know what IoT devices are, that those devices must be kept updated and patched, and that they cannot be used freely in the company ecosystem because of the risks they bring. Technical staff operating corporate IoT devices should be trained in their maintenance and in how to spot suspicious activity. Network staff should be trained and equipped with tooling to monitor those devices and limit their access to the network.
- Limit internet connectivity of devices when possible. If a device needs internet access only to fetch updates, apply updates manually or define a maintenance window during which the device may reach the internet and update itself. A device that is permanently exposed to the internet is a permanently available target.
- Don't neglect supply chain governance and data privacy compliance. Each IoT ecosystem is different. Many IoT manufacturers run their own management portals and storage systems, and ship apps for computers or mobile devices to set up and control the devices. Those elements belong in the organization's supply chain governance policies. Check whether the supplier and manufacturer meet the organization's policies, whether the software is trustworthy, and whether the data handling complies with internal policies and with regulations such as GDPR.
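The cataloging, segmentation, monitoring and update-window items above can be enforced with a single policy check over exported flow records. The script below is an added example written for this article, not code from the original page or from any vendor: it keeps a small device catalog (segment, permitted destination hosts with an optional update window, and a traffic baseline per observation window) and reports flows that deviate from it. Device names, addresses, hostnames, the 5x spike factor and the flow log are all constructed for illustration; in practice the catalog would come from the asset inventory and the flows from NetFlow or firewall logs.

```python
"""Catalog-driven checks over IoT network flow records.

Added example (not from the original article). A device catalog records, for
each IoT device, the segment it belongs on, the hosts it may contact (with an
optional update window in hours of the day), and a typical traffic volume per
observation window. Flow records are then checked for: devices missing from
the catalog, devices seen on the wrong segment, destinations outside the
allowlist, update traffic outside its window, and traffic volume far above
baseline. All device names, addresses, hosts and flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Device:
    name: str
    vlan: str                                   # segment the device should sit on
    allowed_dst: Dict[str, Optional[range]]     # host -> permitted hours, None = any time
    baseline_bytes: int                         # typical bytes per observation window


@dataclass
class Flow:
    src_ip: str
    dst_host: str
    vlan: str
    hour: int                                   # hour of day the flow was seen
    nbytes: int


# Constructed catalog: hypothetical devices and vendor hosts.
CATALOG: Dict[str, Device] = {
    "10.20.0.11": Device("lobby-smart-switch", "iot",
                         {"cloud.example-vendor.net": range(2, 4)}, 2_000),
    "10.20.0.12": Device("hvac-sensor-1", "iot",
                         {"telemetry.example-hvac.com": None}, 50_000),
    "10.20.0.13": Device("lobby-camera", "iot",
                         {"nvr.corp.internal": None}, 5_000_000),
}

SPIKE_FACTOR = 5    # flag a device sending more than 5x its baseline (assumed threshold)


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse 'src_ip dst_host vlan hour bytes' lines (stand-in for exported flow logs)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, vlan, hour, nbytes = line.split()
        flows.append(Flow(src, dst, vlan, int(hour), int(nbytes)))
    return flows


def analyse(flows: List[Flow], catalog: Dict[str, Device] = CATALOG,
            spike_factor: int = SPIKE_FACTOR) -> List[str]:
    """Return one human-readable finding per policy deviation."""
    findings: List[str] = []
    volume: Dict[str, int] = defaultdict(int)
    for f in flows:
        dev = catalog.get(f.src_ip)
        if dev is None:
            findings.append(f"uncatalogued device {f.src_ip} on vlan {f.vlan} -> {f.dst_host}")
            continue
        if f.vlan != dev.vlan:
            findings.append(f"{dev.name} ({f.src_ip}) seen on vlan {f.vlan}, expected {dev.vlan}")
        if f.dst_host not in dev.allowed_dst:
            findings.append(f"{dev.name} ({f.src_ip}) contacted unknown host {f.dst_host}")
        else:
            window = dev.allowed_dst[f.dst_host]
            if window is not None and f.hour not in window:
                findings.append(f"{dev.name} ({f.src_ip}) reached {f.dst_host} at {f.hour:02d}:00, "
                                f"outside update window {window.start:02d}:00-{window.stop:02d}:00")
        volume[f.src_ip] += f.nbytes
    for ip, total in volume.items():
        dev = catalog[ip]                       # only catalogued devices are counted
        if total > spike_factor * dev.baseline_bytes:
            findings.append(f"{dev.name} ({ip}) sent {total} bytes, "
                            f"{total / dev.baseline_bytes:.0f}x its baseline")
    return findings


# Constructed sample flow log, not real traffic.
SAMPLE_LOG = """\
# src_ip      dst_host                   vlan hour bytes
10.20.0.11    cloud.example-vendor.net   iot  3    1200
10.20.0.11    cloud.example-vendor.net   iot  14   900
10.20.0.12    telemetry.example-hvac.com iot  9    40000
10.20.0.12    203.0.113.77               iot  9    12000000
10.20.0.13    nvr.corp.internal          iot  10   4800000
10.20.0.13    nvr.corp.internal          corp 10   100000
10.20.0.99    pool.example-miner.xyz     iot  11   3000
"""


if __name__ == "__main__":
    for finding in analyse(parse_flows(SAMPLE_LOG.splitlines())):
        print(finding)
```

Run against the sample log, the check reports five deviations: the smart switch reaching its vendor cloud at 14:00 instead of inside its 02:00-04:00 update window, the HVAC sensor talking to an address that is not on its allowlist and then sending roughly 240 times its baseline volume, the camera appearing on the corporate VLAN it should never be on, and an address nobody cataloged talking to an outside host. Each of those is a governance failure before it is a security incident, which is the point of keeping the catalog in the first place.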
Pandemic impact and what’s ahead
While this is in no way intended to be a comprehensive "how to" plan for IoT governance, it is a foundation to build on. Supporting technologies such as Bluetooth, Wi-Fi and the new 5G network can also serve as entry points for exploitation. Governments have started to discuss what the IoT means for governmental usage, which may one day lead to policies and perhaps even industry-wide regulatory standards.
Interestingly, the landscape shifted dramatically with the onset of the global pandemic. Many organizations had no choice but to make security concessions as employees transitioned to remote work earlier this year. Security and operations teams worked to secure devices under these new conditions while also facing a dramatic rise in successful cyber-attacks, the constant headlines about ransomware being only one example.
Amid the chaos, it became clear that most development teams were already prepared for fully remote work. Remote work for development teams is nothing new: through collaboration tools, remote repositories and the like, innovation continues. And with security tooling that plugs directly into development environments, security is quite literally being built into software as it is coded. Change is constant, and as development velocity increases it is critical that security be infused into the process as the Internet of Everything continues to grow. That is the way forward if we are to build sturdy, reliable, secure software for the IoT and beyond.