Best Practices for Ensuring Enterprise IoT Network Security
From digital signage to temperature sensors, the Internet of Things continues to grow, with 8.4 billion connected things in use in 2017, according to Gartner. The business segment represented 37 percent of IoT usage that year, as companies turned to IoT for automating, remotely managing and recording data.
But along with streamlining operations, IoT has created the biggest attack surface that we have ever seen. Unlike traditional IT devices such as Macs and PCs, IoT devices do not have anti-malware programs. Instead, they often have default passwords, open hardware and software ports, no support for encryption and the inability to update firmware.
Hackers can easily locate these devices and load malware that enlists them in a botnet, a network of hijacked devices. The most high-profile example is the 2016 Mirai malware, which infected millions of IoT devices, creating a botnet that caused outages for sites such as Netflix, Twitter and Spotify.
By 2020, more than 25 percent of identified attacks in enterprises will involve IoT, according to Gartner. Given these issues, it’s not surprising that IT professionals’ top concern with IoT projects is security, according to a “State of IoT 2018” study conducted by Spiceworks and Cradlepoint.
Here are three ways that companies are addressing IoT network security:
Creating parallel networks
One way that companies are preventing attacks is by using 4G-LTE routers to create physically separate networks for specific applications that are “air-gapped” from their secure enterprise network.
Instead of directing this network through the company’s data center, companies are directing parallel networks to public or private clouds — limiting access to valuable information and reducing bandwidth bottlenecks. If hackers gained access to one of the parallel networks, they could not pivot to another network.
For example, a bank’s digital signage would be housed on a different network than the bank’s financial data. If people hacked the digital-signage network, they would be unable to pivot from that network to the bank’s core financial network.
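The isolation described above only holds if no forwarding path actually exists between the two networks. As an added example that is not part of the original article, the script below models the bank scenario as a small topology (constructed names) and checks that the signage network cannot reach the core finance network, then shows the same check catching a misconfigured management uplink.

```python
from collections import deque

# Constructed topology: nodes are networks and routers; an edge means the
# router forwards traffic between the two. The signage network has its own
# 4G-LTE router that sends traffic to a public cloud, not the data center.
SEGMENTED = {
    "signage-net":  {"lte-router-a"},
    "lte-router-a": {"signage-net", "public-cloud"},
    "public-cloud": {"lte-router-a"},
    "finance-net":  {"core-router"},
    "core-router":  {"finance-net", "data-center"},
    "data-center":  {"core-router"},
}

# Same topology with one mistake: the LTE router was uplinked to the core
# router "for management", silently bridging the two networks.
BRIDGED = {node: set(peers) for node, peers in SEGMENTED.items()}
BRIDGED["lte-router-a"].add("core-router")
BRIDGED["core-router"].add("lte-router-a")


def pivot_path(topology, compromised, target):
    """Shortest forwarding path from a compromised network to the target,
    or None when the target is unreachable (the networks are isolated)."""
    parents = {compromised: None}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:          # walk back to the start
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in topology.get(node, ()):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def segmentation_violations(topology, pairs):
    """For each (untrusted, protected) pair, report the pair and the path
    an attacker could follow; an empty list means every pair is isolated."""
    violations = []
    for untrusted, protected in pairs:
        path = pivot_path(topology, untrusted, protected)
        if path is not None:
            violations.append((untrusted, protected, path))
    return violations


if __name__ == "__main__":
    pairs = [("signage-net", "finance-net")]
    print("segmented:", segmentation_violations(SEGMENTED, pairs))
    print("bridged:  ", segmentation_violations(BRIDGED, pairs))
```

Running the check against exported routing or VLAN configuration on a schedule turns the "air gap" from an assumption into something that is verified after every change.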
Adopting an ‘authenticate first, connect second’ ethos
While the internet was built on a “connect first, authenticate second” framework that prioritized communication, companies are finding that an “authenticate first, connect second” ethos works best for improving IoT network security.
For example, more organizations are adding software-defined perimeters that hide connections from the public internet. Before granting access to an application layer, the software-defined perimeter client would verify IoT device identity (pre-authentication) and user identity (pre-authorization). Transactions would be encrypted using the Advanced Encryption Standard (AES).
The software-defined perimeter is especially useful for highly regulated industries, such as telemedicine. Telemedicine typically presents several security challenges, with telemedicine carts consisting of a PC, battery power system, video conferencing and telemedicine software, and IoT devices such as digital stethoscopes.
To ensure PCI and HIPAA compliance, a software-defined perimeter hides the telemedicine network from the public, encrypts data as it travels from a secure router to a centralized cloud and authenticates authorized health-care providers. It also allows IT to remotely monitor and manage the devices, eliminating the need for complex deployment and labor-intensive management.
The Cloud Security Alliance has found that the software-defined perimeter model stops nearly all network attacks, including distributed denial-of-service, man-in-the-middle, server query and advanced persistent threats.
Collaborating with IT, operations and outside vendors
Unlike the IoT devices that they’re isolating on parallel networks, IT managers should not try to address IoT security issues from a departmental silo. They should collaborate with other departments, such as operations, as well as outside network-solution vendors who have IoT experience and developers who know hacking techniques such as cross-site scripting and SQL injection.
Unfortunately, many IT managers are falling into a do-it-yourself trap, trying to build and manage IoT systems using only in-house resources, according to the “State of IoT 2018” study. It’s similar to the trap that companies fell into when we shifted to the cloud. While some small businesses evolved, other companies built custom solutions that were hosted in expensive data centers.
We need to consider whether legacy network infrastructure — which is often manual, error-prone and time-consuming — can meet the needs of this fundamentally different technology. IT can learn from the past and form collaborations to maintain a development framework with built-in security controls and tools to evaluate code against a constantly updated library of attack vectors.