How big is the Internet of Things (IoT)? Gartner forecasts that by 2021 there will be over 25 billion connected devices. Securing that therefore becomes an issue best not delayed.
In 2016, Gartner forecast that by 2020, 25% of cyberattacks will come from Internet of Things (IoT) devices. With Bring Your Own IoT (BYIoT) is becoming a reality, mostly unbeknownst to the IT team, it becomes increasingly important that the CIO, CISO and the rest of the IT team be brought up to date with their knowledge of the potential threat of IoT operating unsupervised behind the enterprise firewall.
In 2019, Jeffrey Wheatman, research director at Gartner, recommended that IoT and OT-IT convergence be included in an organisation’s data protection strategy. “These technologies are bringing new opportunities, as well as new risks and challenges,” he commented.
Four points to remember
Speaking to FutureIoT, Itzik Feiglevitch, product manager for IoT Cyber Security at Check Point Software Technologies listed four key points that must be part of any discussion concerning IoT and security:
- There is a huge number of IoT devices living in the enterprise, potentially as few as four devices per employee, in addition to security cameras, fax machines, smart elevators, light sensors, etc.
- Many of these IoT devices are unmanaged and invisible, with no cyber protection in place
- Many of these devices are connected to the Internet, some are connected insecurely to the Internet
- IoT devices are very easy to hack into with many not having even basic security protection in place, based on legacy software
Because these are connected to the enterprise network, and are connected to the internet, becoming easy entry points for hackers to use to penetrate the enterprise.
Differing views of IoT security
There is a prevailing awareness (or lack of awareness) around IoT security.
Feiglevitch concede that in recent years there has been an increase in requests by IT for security solutions that address specifically cyber vulnerabilities related to IoT. There is also greater awareness of security incidents as a result of IoT devices connected to the network infrastructure.
He noted that IoT adds an extra layer of security complexity to an already stretched IT and security team.
“Suddenly IT and the CISO office have to deal with unfamiliar protocols like SCADA, Zigbee, MQTT IoT, CoAP, DDS, AMQP, LoRaWAN, Sigfox, and many types of operating system that those devices are based on. It becomes quickly understandable that security managers, already dealing with servers, networks and desktops, do not want to deal with these many new they don’t understand,” explained Feiglevitch.
To complicate an already complicated story, who owns the responsibility for overseeing the security of these unchecked, unsupervised devices?
Key questions CIO/CISOs must ask
Feiglevitch says the CIO or CISO must first create a checklist of all IoT devices that are have access to the company network infrastructure. It is important to have visibility of what is sitting inside the network.
“What type of devices exists, how do they connect to the network, what protocols are they using, what data traffic is flowing between these devices inside the network,” he suggested.
Next is to understand the risk exposure that each device introduces to the network. From there, a strategy must be put in place to block access to these devices by external sources, as well as blocking access for those devices that do not need to have access to the corporate network.
“You will also have to come to terms to the idea that perhaps some of these devices have already been hacked and thus expose the network to potentially malicious parties. We need to identify these, isolate them, prevent them from compromising the network and other devices in the network,” explained Feiglevitch.
Security IoT
Check Point’s Feiglevitch goes further to discuss with FutureIoT how to add IoT devices into the company’s existing IT security architecture. He cautioned that in all likelihood, the existing security solution will not be able to secure all the IoT devices in the network.
“Mostly because these security solutions are not designed to handle IoT,” he opined.
That said, there are a number of options for organisations to bring these IoT devices into the company’s security blanket. “First you need to deploy an IoT discovery agent into your network which will track down all these devices that are running hidden inside your infrastructure. Use a risk analysis tool to determine the risk level that each of these devices. You can then add software to help you manage those IoT devices,” elaborated Feiglevitch.
Checklist
Watch the video above as Feiglevitch lists out what he believed are five basic checklist that all organisations must tick as they go through the exercise of reigning these unmanaged, invisible IoT devices, and bring some order, and better security posture to the enterprise.
First published on FutureIoT
