The Internet of Things (IoT) promises benefits for companies, including rich supplies of data that can help them more effectively serve their customers. There’s also a lot to be worried about.
Because so many devices, products, assets, vehicles, buildings, etc. will be connected, there is a possibility that hackers and other cyber criminals will try to exploit weaknesses.
“In IoT ecosystems, where myriad device types, applications and people are linked via a variety of connectivity mechanisms, the attack vector or surface is potentially limitless,” says Laura DiDio, principal analyst at research and consulting firm ITIC.
“Any point in the network — from the network edge/perimeter to corporate servers and main line-of-business applications to an end-user device to the transmission mechanisms [is] vulnerable to attack. Any and all of these points can be exploited.”
As a result, IoT security ranks as a big concern for many companies. Research firm 451 Research recently conducted an online survey of more than 600 IT decision-makers worldwide and found that 55% rated IoT security as their top priority when asked to rank which technologies or processes their organizations considered for existing or planned IoT initiatives. The very nature of IoT makes it particularly challenging to protect against attacks, the report says.
What can enterprises do to strengthen the security of their IoT environments? Here are some suggested best practices from industry experts.
Identify, track, and manage endpoint devices
Without knowing which devices are connected and tracking their activity, ensuring security of these endpoints is difficult if not impossible.
“This is a critical area,” says Ruggero Contu, research director at Gartner Inc. “One key concern for enterprises is to gain full visibility of smart connected devices. This is a requirement to do with both operational and security aspects.”
For some organizations, “this discovery and identification is about asset management and less about security,” says Robert Westervelt, research director of the Data Security Practice at International Data Corp. (IDC). “This is the area that network access control and orchestration vendors are positioning their products to address, with the added component of secure connectivity and monitoring for signs of potential threats.”
Companies should take a thorough inventory of everything on the IoT network and search for forgotten devices that may contain back doors or open ports, DiDio says.
Patch and remediate security flaws as they’re discovered
Patching is one of the foundational concepts of good IT security hygiene, says John Pironti, president of consulting firm IP Architects and an expert on IoT.
“If a security-related patch exists for an IoT device, that is the vendors acknowledgement of a weakness in their devices and the patch is the remediation,” Pironti says. “Once the patch is available, the accountability for the issue transfers from the vendor to the organization using the device.”
It might make sense to use vulnerability and configuration management, and this would be provided in some cases by vulnerability-scanner products, Westervelt says. Then do the patching and remediation. “Configuration management may be an even bigger issue opening weaknesses than patching for some enterprises,” he says.