For widespread deployment, Internet of Things (IoT) devices have to be relatively inexpensive -- and this, in turn, could mean some security shortcuts. Likewise, in the rush to deploy IoT devices, security can get overlooked. These are reasons why IT should be proactive and involved in IoT deployments, getting the business to consider possible risks associated with the introduction of IoT devices and heading off shadow IoT implementations.
IoT security requires both a macro and a micro view: it has to be global and holistic, covering not only the devices themselves but also the networks connecting them, the management platforms, and the relevant compliance and regulatory standards.
A strong IoT security posture includes strict identification and authentication processes, whether you're using industrial or consumer IoT devices. Because your IoT data will likely traverse the Internet, you need to ensure your data is encrypted, and you need to make sure your management platform can support the IoT devices you expect to deploy.
If you decide to deploy edge computers at or near the IoT devices, investigate whether those edge computing devices provide the security controls that the endpoint IoT devices may lack. You may also want to run applications on the edge computers. In other words, evaluate the edge computers against attack surfaces and vulnerabilities just as you do the endpoints.
Finally, you need to consider whether your business is meeting the compliance and other regulatory mandates relevant to your industry in how it transmits and stores IoT data.
Attack Surfaces and Vulnerabilities
The Open Web Application Security Project (OWASP) has compiled a long list of IoT attack surface vulnerabilities that should be useful if you're looking to deploy or implement IoT technologies. The list includes 17 attack surfaces, including hardware, storage, networks, interfaces, applications, APIs, authentication, and authorization, and specifies 131 vulnerabilities across them.
This vulnerability list can be a good starting point, but no checklist is exhaustive. We can always find something else based on experience. Here are some suggestions to follow when considering and deploying IoT devices:
- Ensure your passwords, both local and remote, are strong and require multifactor authentication. Never use products that have hard-coded passwords, as attackers can easily use them. Govern permissions that you delegate for accessing these devices, and implement privileged access management.
- Don't make assumptions about the security characteristics or privacy policies of the controlling applications. Avoid using devices that have poor security and privacy capabilities. Connect the IoT devices on a separate network that has its own monitoring capabilities and sits behind firewalls.
- Turn off any capabilities on your IoT devices that you don't need; unused features can become mechanisms for bypassing controls and security processes. Physical access to the device should not open a path for intrusion: eliminate buttons for resets or for changing ports and passwords. Avoid automatic connections to wireless networks. You may also want to implement network device isolation to prevent device infiltration.
- If you aren't blocking all incoming traffic, ensure that the ports used for remote configuration and control are appropriately restricted. Employ encryption wherever you can. If encryption isn't available, don't allow that IoT device onto the network. Consider deploying a VPN.
- If updating firmware or software requires a manual process or has to be done locally, don't buy those products.
- Be sure to remove IoT devices when they reach end of life and are no longer updatable or secure. You may also have to take them offline while replacing power sources. Ensure that any replacements meet your policies and processes.
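The suggestions above read naturally as a policy that can be checked against a device inventory before and after deployment. The following is an added example, not code from the original article: a small Python audit that encodes those checks (no hard-coded credentials, multifactor authentication, a separate IoT segment, unneeded features disabled, an inbound-port allowlist, encrypted transport, over-the-air firmware updates, and end-of-support removal) and runs them over an inventory. The `Device` fields, the sample inventory records, the segment name `iot` and the allowed-port list are assumptions chosen for illustration.

```python
"""Policy audit over a constructed IoT device inventory.

Added example (not from the original article). Field names, the
sample inventory, the segment name and the port allowlist are
assumptions for illustration; adapt them to your own asset export.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Inbound ports a device may expose; anything else is a finding.
# Constructed allowlist: MQTT over TLS (8883) and HTTPS management (443).
ALLOWED_INBOUND_PORTS = {443, 8883}


@dataclass
class Device:
    name: str
    network_segment: str                  # VLAN/segment the device sits on
    hardcoded_password: bool              # vendor-fixed credential present?
    mfa_enforced: bool                    # MFA on local and remote logins
    transport_encrypted: bool             # TLS/DTLS/VPN for device traffic
    open_inbound_ports: Set[int] = field(default_factory=set)
    unused_features_enabled: List[str] = field(default_factory=list)
    firmware_update: str = "manual"       # "ota" or "manual"
    end_of_support: Optional[date] = None  # vendor end-of-support date


def check_device(dev: Device, today: date, iot_segment: str = "iot",
                 allowed_ports: Set[int] = ALLOWED_INBOUND_PORTS) -> List[str]:
    """Return a list of policy findings for one device (empty means compliant)."""
    findings = []
    if dev.hardcoded_password:
        findings.append("hard-coded password: do not deploy")
    if not dev.mfa_enforced:
        findings.append("multifactor authentication not enforced")
    if dev.network_segment != iot_segment:
        findings.append(f"not on isolated IoT segment (on {dev.network_segment!r})")
    for feature in dev.unused_features_enabled:
        findings.append(f"unneeded capability enabled: {feature}")
    extra_ports = sorted(dev.open_inbound_ports - allowed_ports)
    if extra_ports:
        findings.append(f"inbound ports outside allowlist: {extra_ports}")
    if not dev.transport_encrypted:
        findings.append("traffic unencrypted: keep off the network or route via VPN")
    if dev.firmware_update != "ota":
        findings.append("firmware update requires a manual/local process")
    if dev.end_of_support is not None and dev.end_of_support <= today:
        findings.append(f"past end of support ({dev.end_of_support.isoformat()}): remove")
    return findings


def audit(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    """Map device name -> findings, listing only devices that fail a check."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, today)
        if findings:
            report[dev.name] = findings
    return report


# Constructed sample inventory (not real devices): one compliant, one not.
SAMPLE_INVENTORY = [
    Device(name="lobby-camera-01", network_segment="iot", hardcoded_password=False,
           mfa_enforced=True, transport_encrypted=True, open_inbound_ports={443},
           firmware_update="ota", end_of_support=date(2027, 1, 1)),
    Device(name="hvac-controller-03", network_segment="corp", hardcoded_password=True,
           mfa_enforced=False, transport_encrypted=False,
           open_inbound_ports={23, 80, 443}, unused_features_enabled=["upnp", "telnet"],
           firmware_update="manual", end_of_support=date(2022, 6, 30)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, date(2024, 1, 1)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inventory, the camera passes and the HVAC controller produces one finding per failed check, including the two ports (23 and 80) outside the allowlist. The end-of-support comparison uses the audit date rather than the wall clock so the same inventory can be re-audited for a planned date, which is how the end-of-life removal step becomes a scheduled action rather than a surprise.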