There are now billions of physical devices around the world connected to the internet, from health and medical sensors to factory monitors, tracking systems and smart grids. Gartner predicts that by 2023 the average CIO will be responsible for more than three times as many endpoints as in 2018. This Internet of Things (IoT) is a core component of many digital transformation programs, but as with any technology innovation, the benefits come with their own digital risks.
In the IoT, connected devices often produce immense volumes and varieties of data that will be used by, sent to, or stored in other parts of an organisation’s IT infrastructure. In this way, an IoT deployment has a domino effect across the entire risk landscape, including cyber security, third-party risk, compliance and business resiliency. IoT security is not simply a question of “device management”. Whether it is the additional need for discovery, identification and classification of new endpoints, further compliance checks, or updates to authentication, companies will likely need to transform their security approach to manage IoT risks effectively.
Here are five areas that are critical for IoT end-to-end security:
1. Visibility: You can’t secure what you can’t see
The first step to securing IoT deployments is making sure that each individual endpoint can be discovered, identified and classified. Security teams need to be able to see which endpoint sits behind a given IP address, and then establish specific information about the device, such as who manufactured it, its model and serial number, and what version of firmware it runs. Edge platforms such as EdgeX Foundry, an open-source project hosted by the Linux Foundation, can help surface this device metadata. By correlating the metadata with known vulnerability information, common misuse and misconfiguration scenarios, and operational strengths and weaknesses, security teams gain the granularity they need for tracking and reporting, which should ultimately help them mitigate risks.
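The correlation step described above, as an added worked example that is not code from the article or from EdgeX Foundry: a discovered-device inventory (vendor, model, serial, firmware) is matched against a list of advisories keyed by vendor, model and the first fixed firmware version. All vendors, models, firmware versions and advisory identifiers are constructed for the illustration; the classification table and the version-comparison rule are assumptions. The example also shows two checks a practitioner wants: numeric rather than string comparison of versions (so "2.10.0" is not ranked below "2.5.0"), and a separate report of endpoints that discovery saw but could not identify, since those cannot be risk-assessed at all.

```python
"""Correlate a discovered-device inventory with known advisories.

Added illustration with constructed data: the vendors, models, firmware
versions and advisory identifiers below are hypothetical, not real products
or CVEs, and the matching logic is a stand-in for a vulnerability feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    ip: str
    vendor: str      # empty string = discovery could not identify the device
    model: str
    serial: str
    firmware: str    # dotted numeric version such as "2.4.1"; empty if unknown
    site: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # hypothetical identifier
    vendor: str
    model: str
    fixed_in: Optional[str]  # first firmware version that is not affected; None = no fix yet
    severity: str


# Hypothetical classification table: model prefix -> asset class.
ASSET_CLASSES: Dict[str, str] = {"CamPro": "camera", "PLC": "controller", "TempNode": "sensor"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.10.0" into (2, 10, 0) so versions compare numerically.

    A plain string comparison would wrongly rank "2.10.0" below "2.5.0".
    Assumes purely numeric dotted versions; anything else raises ValueError.
    """
    return tuple(int(part) for part in version.strip().split("."))


def classify(device: Device) -> str:
    for prefix, asset_class in ASSET_CLASSES.items():
        if device.model.startswith(prefix):
            return asset_class
    return "unclassified"


def is_affected(device: Device, advisory: Advisory) -> bool:
    if device.vendor.lower() != advisory.vendor.lower():
        return False
    if device.model.lower() != advisory.model.lower():
        return False
    if advisory.fixed_in is None:
        return True  # no fixed version yet: every matching device is affected
    try:
        return parse_version(device.firmware) < parse_version(advisory.fixed_in)
    except ValueError:
        return True  # unparseable firmware string: assume affected so it gets attention


def unidentified(devices: List[Device]) -> List[str]:
    """Endpoints that discovery saw but could not identify; they cannot be risk-assessed yet."""
    return [d.ip for d in devices if not d.vendor or not d.firmware]


def correlate(devices: List[Device], advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (serial, asset class, advisory id, severity) for every affected device."""
    findings = []
    for device in devices:
        if not device.vendor or not device.firmware:
            continue  # reported separately by unidentified()
        for advisory in advisories:
            if is_affected(device, advisory):
                findings.append((device.serial, classify(device), advisory.advisory_id, advisory.severity))
    return findings


# Constructed inventory and advisories.
DEVICES = [
    Device("10.0.0.11", "Acme", "CamPro-200", "SN-A1", "2.4.1", "plant-1"),
    Device("10.0.0.12", "Acme", "CamPro-200", "SN-B2", "2.10.0", "plant-1"),
    Device("10.0.0.13", "Acme", "PLC-9", "SN-C3", "1.3.0", "plant-2"),
    Device("10.0.0.14", "", "", "", "", "plant-2"),
]
ADVISORIES = [
    Advisory("ADV-0001", "Acme", "CamPro-200", "2.5.0", "high"),
    Advisory("ADV-0002", "Acme", "PLC-9", None, "critical"),
]

if __name__ == "__main__":
    for finding in correlate(DEVICES, ADVISORIES):
        print("affected:", finding)
    print("unidentified endpoints:", unidentified(DEVICES))
```

Running it reports the CamPro-200 on firmware 2.4.1 and the PLC-9 (for which no fix exists yet) as affected, leaves the CamPro-200 on 2.10.0 alone, and lists 10.0.0.14 as an endpoint that still needs identifying before it can enter the risk assessment.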
2. Risk management means constant assessment
It is not enough to simply get an IoT deployment up and running and then forget about it; risk assessments need to be carried out continuously. The risk profile of an IoT estate changes over time, driven by activities such as adding and removing devices, changes to access policies, the discovery of new vulnerabilities, and firmware and software updates applied to devices. Third-party risks may also arise if IoT data needs to be shared between the enterprise and external service providers. In addition, as digital transformation accelerates and IoT technology matures, there will be an increasing number of regulations and guidelines that enterprises must track and comply with. Finally, it is important to consider how the outcomes of a risk assessment feed into other actions: for example, if the assessment uncovers a sensitive or high-risk asset, how should that change the maintenance, update and authentication policies associated with it?
3. Don’t neglect data protection
Sensitive data, such as production information or customer records, is often processed by IoT devices. This data is subject to the same privacy controls as any other data, but it may be overlooked, or even sit completely outside the organisation’s existing control systems, creating significant risk. What’s more, this can make an organisation an attractive target for malicious actors. Finally, the integrity of data collected from connected devices is often critical to the success of the IoT project. For these reasons, it is essential that protecting data is given the same significance as securing the devices themselves. Security teams need to consider how they will protect data at rest, in transit and in use, and risk teams must be able to manage and document this process.
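The integrity-in-transit point above, as an added worked example that is not code from the article: each device holds its own key and tags every reading with an HMAC over a canonical serialisation, and the ingest side verifies the tag before it trusts the device identity, then rejects replays with a per-device monotonic sequence number. Device names, keys and readings are constructed. An HMAC gives origin authentication and integrity only; confidentiality at rest and in transit still needs encryption (typically TLS on the wire and an encrypted store), which this example assumes is handled elsewhere.

```python
"""Origin-authenticated, replay-protected telemetry with per-device keys.

Added illustration, not code from the article. Keys and readings are
constructed; in a real deployment keys are provisioned at onboarding and
kept in a secure element or key store, and the channel also runs over TLS
because an HMAC protects integrity and origin, not confidentiality.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed per-device keys (hypothetical devices).
DEVICE_KEYS: Dict[str, bytes] = {
    "sensor-0042": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "sensor-0043": bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"),
}


def canonical(body: dict) -> bytes:
    """Deterministic serialisation: the same body must always produce the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, key: bytes, seq: int, reading: dict) -> dict:
    """Device side: bind the reading to the device identity and a monotonic sequence number."""
    body = {"device_id": device_id, "seq": seq, "reading": reading}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class TelemetryVerifier:
    """Ingest side: checks origin and integrity first, then freshness."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.last_seq: Dict[str, int] = {}

    def verify(self, envelope: dict) -> Tuple[bool, str]:
        body = envelope.get("body")
        if not isinstance(body, dict):
            return False, "malformed envelope"
        device_id = body.get("device_id")
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; the tag is checked before the sequence number so an
        # unauthenticated message can never advance a device's replay counter.
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            return False, "bad tag: tampered or wrong key"
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(device_id, -1):
            return False, "replayed or out-of-order"
        self.last_seq[device_id] = seq
        return True, "accepted"


def run_scenarios() -> List[Tuple[str, bool, str]]:
    """Exercise the verifier with a genuine message, a replay, a tampered reading and a forgery."""
    verifier = TelemetryVerifier(DEVICE_KEYS)
    genuine = sign_reading("sensor-0042", DEVICE_KEYS["sensor-0042"], seq=1, reading={"temp_c": 21.5})
    tampered = json.loads(json.dumps(genuine))  # deep copy, then alter the reading in flight
    tampered["body"]["reading"]["temp_c"] = 99.0
    forged = sign_reading("sensor-0042", b"attacker-guess", seq=2, reading={"temp_c": 21.5})
    results = []
    for label, env in [("genuine", genuine), ("replay", genuine), ("tampered", tampered), ("forged", forged)]:
        ok, reason = verifier.verify(env)
        results.append((label, ok, reason))
    return results


if __name__ == "__main__":
    for label, ok, reason in run_scenarios():
        print(f"{label:9s} -> {'accept' if ok else 'reject'} ({reason})")
```

The order of checks matters: if the sequence number were consulted before the tag, an attacker could send unauthenticated messages with large sequence numbers and lock the real device out by advancing its counter.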
4. Understand who is accessing devices
Protecting access to and from devices is an important part of ensuring the overall operational integrity of the connected environment. Businesses should authenticate all users and devices to ensure they are who they say they are, can only access what they are allowed to, and that their credentials have not been compromised. Emerging standards such as FIDO IoT (published by the FIDO Alliance as FIDO Device Onboard, or FDO) can be tremendously helpful in creating the appropriate IoT identity foundation. The strengths and weaknesses of these access policies should also be reflected in the ongoing risk assessments that security teams conduct.
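The three conditions above (proven identity, access limited to what is allowed, credentials not compromised) as an added worked example, not code from the article and not any product's or FDO's policy language: a deny-by-default authorisation check for a hypothetical telemetry broker. A device credential is bound to one device identity and one site and may only publish to that device's own topic; an operator may only subscribe within their own site; revoked or expired credentials are refused before any rule is consulted. The subjects, sites, credential serials, revocation list and the topic layout sites/<site>/devices/<device>/telemetry are all constructed.

```python
"""Per-principal access decisions for an IoT broker: identity, scope, expiry, revocation.

Added illustration, not the article's code and not a particular product's policy
language. Subjects, sites, topics and the revocation list are constructed; the
topic layout sites/<site>/devices/<device>/telemetry is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Credential:
    serial: str        # credential identifier, the unit of revocation
    subject: str       # device id or user name, bound to the credential at issuance
    role: str          # "device", "operator" or "admin"
    site: str          # scope the credential was issued for
    expires: datetime


# Role rules: a device may only publish its own telemetry; an operator may only read
# its own site; anything not matched by a rule is denied by default.
Rule = Callable[[Credential, str, str], bool]
RULES: Dict[str, Rule] = {
    "device": lambda c, action, res: (
        action == "publish" and res == f"sites/{c.site}/devices/{c.subject}/telemetry"
    ),
    "operator": lambda c, action, res: (
        action == "subscribe" and res.startswith(f"sites/{c.site}/")
    ),
    "admin": lambda c, action, res: action in {"publish", "subscribe", "configure"},
}


def authorize(cred: Credential, action: str, resource: str, now: datetime,
              revoked: Set[str]) -> Tuple[bool, str]:
    """Deny-by-default decision; the reason is returned so it can be logged and fed to risk assessment."""
    if cred.serial in revoked:
        return False, "credential revoked"
    if now >= cred.expires:
        return False, "credential expired"
    rule = RULES.get(cred.role)
    if rule is None:
        return False, f"unknown role {cred.role!r}"
    if not rule(cred, action, resource):
        return False, f"{cred.role} {cred.subject!r} may not {action} {resource!r}"
    return True, "permitted"


# Constructed credentials and revocation state.
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
CREDS: Dict[str, Credential] = {
    "sensor-0042": Credential("cred-0001", "sensor-0042", "device", "plant-1", NOW + timedelta(days=30)),
    "sensor-0099": Credential("cred-0007", "sensor-0099", "device", "plant-1", NOW + timedelta(days=30)),
    "alice": Credential("cred-0100", "alice", "operator", "plant-1", NOW + timedelta(hours=8)),
    "bob": Credential("cred-0101", "bob", "operator", "plant-2", NOW - timedelta(minutes=1)),
}
REVOKED: Set[str] = {"cred-0007"}  # sensor-0099 was reported compromised


def decide(subject: str, action: str, resource: str, now: datetime = NOW) -> Tuple[bool, str]:
    return authorize(CREDS[subject], action, resource, now, REVOKED)


if __name__ == "__main__":
    checks = [
        ("sensor-0042", "publish", "sites/plant-1/devices/sensor-0042/telemetry"),
        ("sensor-0042", "publish", "sites/plant-1/devices/sensor-0043/telemetry"),  # another device's topic
        ("sensor-0042", "subscribe", "sites/plant-1/devices/sensor-0042/telemetry"),  # devices do not read
        ("alice", "subscribe", "sites/plant-1/devices/sensor-0042/telemetry"),
        ("alice", "subscribe", "sites/plant-2/devices/sensor-0050/telemetry"),  # other site
        ("sensor-0099", "publish", "sites/plant-1/devices/sensor-0099/telemetry"),  # revoked
        ("bob", "subscribe", "sites/plant-2/devices/sensor-0050/telemetry"),  # expired
    ]
    for subject, action, resource in checks:
        ok, reason = decide(subject, action, resource)
        print(f"{'ALLOW' if ok else 'DENY ':5s} {subject} {action} {resource}: {reason}")
```

Binding the device identity into the credential (rather than letting the device declare it in the message) is what stops one compromised sensor from publishing as its neighbours, and returning the denial reason gives the risk team the evidence trail the previous section asks for.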
5. Monitoring: Using analytics to your advantage
The magnitude of IoT deployments is often an Achilles heel when it comes to security and risk, but this scale does offer one advantage: an abundance of operational and usage data about the devices. With this data, security teams can apply analytics and machine learning techniques to profile devices, baseline their normal behaviour, and detect and alert on anomalous activity and potentially compromised devices. Security teams should always consider how monitoring can work hand in hand with access policies. For example, when a monitoring tool alerts the security team to a potential threat, access management tools can be used to restrict access to the affected assets or to cut their connectivity to external networks.
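The baseline-then-respond loop above, as an added worked example that is not code from the article: each device's normal hourly message rate is summarised with a median and median absolute deviation (robust to the odd spike already in the learning window, where a mean and standard deviation would be inflated by it), the current hour is compared against that profile and against the set of peers the device normally talks to, and each alert is mapped to a graded access-control action. The hourly counts, peer addresses and the action names (stand-ins for a NAC, firewall or broker ACL call) are all constructed; the threshold multiplier is an assumption to be tuned per device class.

```python
"""Baseline per-device behaviour and turn anomalies into access-control actions.

Added illustration, not code from the article. The hourly message counts and
peer addresses are constructed, and the response actions are names for
hypothetical enforcement calls (a real deployment would invoke its NAC, firewall
or broker ACL API here).
"""
import statistics
from typing import Dict, List, Set, Tuple


# Constructed baseline: messages per hour for each device over the learning window.
BASELINE: Dict[str, List[int]] = {
    "sensor-0042": [58, 61, 60, 59, 62, 60, 58, 61, 60, 59, 60, 61],
    "gateway-01": [900, 950, 880, 1020, 990, 910, 1005, 960, 940, 975, 915, 985],
}
# Constructed set of peers each device is normally seen talking to.
KNOWN_PEERS: Dict[str, Set[str]] = {
    "sensor-0042": {"10.0.0.5"},
    "gateway-01": {"10.0.0.5", "10.0.0.6"},
}


def robust_threshold(samples: List[int], k: float = 5.0) -> float:
    """Median + k * scaled MAD (1.4826 makes MAD comparable to a standard deviation).

    The median/MAD pair is not dragged upwards by a few spikes already present in
    the learning window, which a mean/stddev pair would be.
    """
    med = statistics.median(samples)
    mad = statistics.median([abs(x - med) for x in samples])
    mad = max(mad, 1.0)  # floor so a perfectly flat baseline still yields a usable threshold
    return med + k * 1.4826 * mad


def evaluate(device: str, count: int, peers: Set[str],
             baseline: Dict[str, List[int]], known_peers: Dict[str, Set[str]]) -> List[str]:
    """Return the reasons this hour's observation deviates from the device's profile."""
    if device not in baseline:
        return ["no baseline: device not in inventory"]
    reasons = []
    threshold = robust_threshold(baseline[device])
    if count > threshold:
        reasons.append(f"message rate {count}/h exceeds threshold {threshold:.0f}/h")
    new_peers = peers - known_peers.get(device, set())
    if new_peers:
        reasons.append(f"new peer(s): {', '.join(sorted(new_peers))}")
    return reasons


def respond(device: str, reasons: List[str]) -> Dict[str, object]:
    """Map an alert to a graded access-control action (hypothetical action names)."""
    if not reasons:
        return {"device": device, "action": "none", "reasons": []}
    unknown = any(r.startswith("no baseline") for r in reasons)
    # A rate spike alone may be a firmware bug; a spike plus an unknown peer looks like
    # exfiltration, and a device with no profile at all cannot be trusted on the network.
    action = "quarantine_vlan" if unknown or len(reasons) > 1 else "block_external_egress"
    return {"device": device, "action": action, "reasons": reasons}


def run_hour(observations: Dict[str, Tuple[int, Set[str]]]) -> List[Dict[str, object]]:
    """observations: device -> (message count this hour, set of peers seen this hour)."""
    return [respond(dev, evaluate(dev, count, peers, BASELINE, KNOWN_PEERS))
            for dev, (count, peers) in observations.items()]


if __name__ == "__main__":
    hour = {
        "sensor-0042": (412, {"10.0.0.5", "203.0.113.9"}),   # flood plus unknown external peer
        "gateway-01": (1010, {"10.0.0.5"}),                  # busy, but within its profile
        "sensor-0042b": (5, {"10.0.0.5"}),                   # never inventoried
    }
    for decision in run_hour(hour):
        print(decision)
```

The response table is deliberately graded: cutting external egress keeps a misbehaving sensor on the job while the alert is triaged, whereas moving it to a quarantine VLAN is reserved for the combination of signals that looks like compromise, and for devices the visibility step never captured at all.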
Tackling the risks
CIOs are very aware of the need to prepare for the impending explosion in IoT devices. But as part of that preparation, they must first acknowledge and then look to manage not only the initial rollout, but the wider domino effect on risk that the IoT has across their organisation. For security teams, this means taking a step beyond simply ensuring that each device is secured, to ensuring they have full visibility of their deployment, have thought through the data protection and access requirements, and, last but not least, know how they will monitor for signs of compromise.