Managing the security risks of IoT devices
Steve Hanna, Distinguished Engineer, Infineon Technologies
Countries and regions worldwide are creating IoT security guidelines and regulations to prevent IoT attacks. For example, in 2018, the United Kingdom’s Department for Digital, Culture, Media & Sport published its Code of Practice for Consumer IoT Security (“CoP”). Other countries and regions, such as the U.S. and the E.U., are following with regulations of their own.
What is the security impact of IoT in my organization?
Most companies are unaware of the IoT devices connected within the enterprise, even though they do have vulnerability priorities. The items holding the most critical data and with the most network connectivity, like PCs, get the most attention and the strongest protection. Smartphones, tablets, and cellular networks also get adequate attention. Further down the list, however, the security concerns of certain items stop being addressed at all. Something as simple as a connected lightbulb, or an employee plugging a smart fan into their computer, falls below the line. The company does not know the device is connected; all it takes is a person with the Wi-Fi password. Yet the security impact can be considerable. Without the necessary protection, each connected thing becomes an entry point from which attackers can compromise just about anything within the organization.
How can this security impact be reduced?
The first step is awareness: knowing what is connected. Find out what is on the network. This can be as simple as a network scan that produces an inventory of everything connected. Follow up by deciding what to do with the items already connected and what should happen with items connected in the future. For example, a machine tool that connects to the network will not be replaced, but it must be secured: it is used in the business, and the CIO must manage its risk.
IoT devices can be managed safely so that the rest of the organization is not put at risk. One of the most common approaches is to connect an essential device, like the machine tool, more securely to whatever inside or outside resources it needs. This starts with a firewall in front of the machine, with explicit rules that name the limited set of endpoints it may connect to or that may connect to it, and that deny everything else by default. The allowed connections could be as narrow as the machine's control panel and its manufacturer. Many Ethernet switches and wireless access points include built-in firewall or access-control capabilities that can enforce such restrictions, so a default-deny rule set applied to existing equipment may be sufficient without buying anything new. Doing so greatly reduces the risk because most endpoints on the network will be unable to reach the machine tool at all, let alone interfere with its operation.
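As a concrete illustration of the allowlist firewall described above, here is an nftables ruleset for a small Linux firewall placed between the plant network and the machine tool. It is an added example, not configuration from the article or from Infineon. The interface names, the addresses (taken from private and documentation ranges), the manufacturer's service port and the control-protocol port are all placeholders to be replaced with the real values for the machine in question.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article): default-deny allowlist for one machine tool.
# Assumed topology, all placeholders:
#   eth0 = plant LAN side of the firewall, eth1 = machine-tool side (the machine is the only host there)
#   machine tool   10.20.5.10
#   control panel  10.20.1.20     (operator HMI that drives the machine)
#   vendor host    203.0.113.40   (manufacturer's update/remote-support server, TCP 443)
#   control port   TCP 4840       (OPC UA here; use the port the tool actually speaks)

define machine  = 10.20.5.10
define ctl_port = 4840

flush ruleset

table inet machine_tool {
    # Allowed peers live in sets so that adding a second panel or a second
    # vendor address is a one-element change rather than a new rule.
    set panel  { type ipv4_addr; elements = { 10.20.1.20 } }
    set vendor { type ipv4_addr; elements = { 203.0.113.40 } }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows that an allow rule below already admitted.
        ct state established,related accept
        ct state invalid drop

        # 1. Control panel -> machine tool, control protocol only.
        iifname "eth0" oifname "eth1" ip saddr @panel ip daddr $machine tcp dport $ctl_port counter accept

        # 2. Machine tool -> manufacturer, HTTPS only. The machine initiates;
        #    nothing outside may open a connection to it.
        iifname "eth1" oifname "eth0" ip saddr $machine ip daddr @vendor tcp dport 443 counter accept

        # 3. Anything else: log a sample (rate-limited so a port scan cannot
        #    flood the log), then fall through to the chain's drop policy.
        limit rate 10/minute log prefix "machine-tool DROP: "
    }

    chain input {
        # The firewall itself accepts nothing from either side except replies
        # and loopback. Add one explicit rule for the admin host (for example
        # SSH from a management address) before deploying, or it is unmanageable.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
    }
}
```

Check the file with `nft -c -f machine-tool.nft` before loading it with `nft -f machine-tool.nft`, confirm the result with `nft list ruleset`, and then verify behaviour rather than syntax: a connection to the control port from the panel should succeed, the same connection from any other workstation should time out, and the kernel log should show the "machine-tool DROP" line for it. If the manufacturer must be reached by hostname, allow the machine to talk to one specific resolver on port 53 instead of opening DNS generally; if the manufacturer needs inbound remote access, add a rule for that one source address and port rather than loosening rule 2. When the only available enforcement is a switch port ACL or an access point's per-client filtering, the same three statements (panel to machine on the control port, machine to vendor on 443, deny the rest) are what to configure there.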
The next step is implementing security better and smarter in the future. This is where government guidance comes into play. For example, the U.K.’s CoP sets out 13 guidelines for consumer IoT security. An IoT white paper provides additional detail, including the standards that already exist for IoT security and direction for CIOs and others. When buying products in the future, careful buyers should select products that follow these best practices. CIOs should establish a company policy that all new purchases of IoT products must comply with the regulations, which are common-sense approaches to IoT security. With the passage of the IoT Cybersecurity Improvement Act of 2020, the U.S. government will require IoT products purchased by federal agencies to comply with guidelines that NIST is developing, establishing a security framework that others can follow.
Will the cost be acceptable?
While cost is always an issue, the measures discussed above (inventory, firewall rules) should have minimal cost impact, since they take advantage of features already built into commercial-grade networking products. As government regulations take effect, raising the security requirements for new purchases should not have a significant cost impact either, because suppliers must comply with those regulations to remain competitive. The cost of not securing IoT systems would be much higher in the long run.
Take advantage of the government’s IoT security efforts
Today, most companies and CIOs are unaware of the IoT devices connected within the enterprise. For best-in-class security, CIOs must know what is being connected to their networks in order to address the security issues that arise. Many existing IoT products comply with none of the guidelines being developed by governments around the world; they offer minimal security, often shipping with default passwords that provide little or no protection. This is changing with the new government guidelines. CIOs must make changes now to stay ahead of attackers and achieve best-in-class security.