Why Internet of Things matters
Chris Poulin, IANS faculty member
Much like cloud, Big Data and mobility trends before it, the emerging Internet of Things (IoT) presents an amorphous concept. And as you'd expect in a promising yet loosely defined segment, marketers see opportunity, while security professionals get saddled with identifying murky threats and protecting against them.
There are four broad categories within IoT: smart home technology, industrial IoT (IIoT), wearables and transportation. Vulnerabilities within each of these categories have already been exploited, leaving enterprises open to data loss or worse.
As more and more devices get connected to enterprise environments, attack vectors multiply. While hackers may not be interested in how many steps your users take in a day, they may look to pivot from a typical wearable or other IoT device to access more critical connected resources.
In the same way that you can't defend against threats to a concept as broad and generalized as “my network,” you can't simply protect against a concept as amorphous as IoT. There are, however, some important steps security professionals should take:
Conduct an asset inventory. It sounds simple, but almost no enterprises have an accurate accounting of their systems (physical or virtualized), applications and services, owners and business cases, users and roles, and expected activity patterns.
Segment systems based on risk level. This can differ based on business needs, industry, geography, customer requirements and other factors, but a general recommendation is to separate IT systems that are managed by the organization from ICS and IoT systems. Also, isolate employee-owned devices, including wearables, on a DMZ. These should be separate network segments, controlled by enterprise-grade firewalls, strong authentication and context-based access control policies.
Implement network monitoring, augmented by intrusion prevention. While the last mile on traditional IT networks is endpoint protection, often this is not viable with IoT devices.
Use a log management system to collect all events from IoT devices. This is in keeping with knowing what's normal and what's anomalous, and also in preparation for incident response and forensics. The types of events and level of logging depend on the device, but disk space is cheap and it's better to have more information than a gap when incident response is required.
Update security policies, including supporting processes, procedures and contracts, to address all aspects of IoT. For example, only allow wearables that don't have an inherent Wi-Fi capability and forbid connecting them to corporate-owned mobile devices or computers.
Start playing with IoT devices. Many IT administrators and security professionals have little or no involvement with industrial control or IoT devices, yet without hands-on experience, it's difficult to know exactly how different types of devices work and where their vulnerabilities lie. One of the most important – and most fun – actions you can take is to set them up, poke around at the configuration and try to hack them.
IoT is still evolving, but full-scale adoption is inevitable. Burying your head in the sand isn't going to make the risks disappear. The good news is IoT presents an opportunity to learn new technologies and get your hands dirty in the process. Look at it as an opportunity to flex both your risk-management muscles, and maybe your actual muscles.
IANS faculty member Chris Poulin specializes in research related to cybercrime, cyberwarfare, corporate espionage, hacktivism and emerging threats.