Digital transformation is driving the growth and adoption of Internet of Things (IoT) devices in the enterprise and the trend is accelerating at an unprecedented pace. IoT device growth is far outpacing the growth of more traditional computing devices such as laptops, desktops, servers, tablets and smartphones, so much so that the number of IoT devices in use is vastly greater than the number of people on the planet and growing by the second.
The Internet of things describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet. Wikipedia
Apart from the sheer number of IoT devices, the other challenge is that many of these devices are being connected to corporate networks by business groups outside the purview of IT. This creates two key problems: first, there is little to no oversight from IT departments of what is being connected to the network, why, and how it is secured; and second, there is no single register or complete understanding of all the IoT devices connected to the network.
Technologies such as network access control and MAC address filtering certainly help to limit the ability of non-IT personnel to connect IoT devices to the network; however, many organisations eschew MAC based filtering for the increased overhead it brings and are unable to afford pricey network access control solutions from big-name vendors, given already-stretched IT budgets.
In addition to the sheer number and diversity, the complexity of these devices is also growing. Many devices are getting significantly smarter and more multifaceted. For example, in 2015 a television had a wi-fi connection, a limited browser and perhaps a few built-in apps, whereas today, televisions have become full-blown computing devices that can be used not just as a television but also have a complete internet browser, access to hundreds of apps and voice assistants – even capable of video conferencing and collaboration. Because IoT devices are not always developed with a secure-by-default approach, open ports and multiple embedded operating systems can create many potential paths to access, control and exploit the device. The speed with which features are being added is outstripping the limited security controls within these devices, creating an army of vulnerable devices ready to be exploited.
Though many IoT devices can and do receive vendor updates, research conducted by Canonical in 2016 suggested that around 40% of consumers never consciously update their Internet of Things devices, leaving increasingly large security holes as the volume of IoT devices increases. Manufacturers can help here: by automating updates and not shipping devices with default passwords, they can reduce some of the security issues associated with IoT devices.
Threats from IoT devices in the enterprise are real. Threat actors are targeting the IoT attack surface to access the network, disrupt operations, and move laterally to reach confidential and sensitive information. Organisations must ensure not only that IoT devices are protected and secured, but also that there are no other vulnerabilities within their networks through which threat actors may gain access.
How can organisations respond to the risks of introducing IoT devices into the enterprise? It is not enough to simply monitor activity on the network and investigate suspicious activity. Investigation happens after an event has taken place, whereas organisations must take a proactive approach. We would urge CIOs and IT departments to understand the risks associated with Internet of Things devices, to keep an inventory of the devices and to work to secure the devices as they are purchased or discovered. Segregating IoT devices and ensuring that robust, next-generation firewalls are in place to protect your organisation is key. Default passwords must be changed: devices with default passwords are easily exploitable, as these credentials are freely available online. Organisations must integrate IoT patching into their overall patching strategy and processes, to ensure that critical and high-risk vulnerabilities are addressed quickly and the attack surface is reduced. Secure configuration of IoT devices is also important and, where possible, organisations should apply as many built-in security controls as the vendor offers. Where organisations have concerns, they should approach vendors, as only by reporting concerns can they be addressed. Businesses that design devices for the home don’t always consider the complexities of the environments in which their devices will be used and are simply unaware of the security concerns of enterprises.
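The inventory, segregation, default-password and patching measures above can be checked continuously rather than only after an incident. The following script is an added example, not part of the original article: it reconciles what is actually on the network (DHCP leases, here in dnsmasq's lease-file format) against the register IT keeps, and flags devices that are unregistered, sit outside the segment reserved for IoT, still use default credentials, or have not been patched within a chosen window. The segment, lease lines, register entries and the 180-day patch window are constructed sample values, not figures from the article.

```python
"""Reconcile DHCP leases against an IoT device register.

Added example, not from the original article. It assumes a dnsmasq-style
lease file (one lease per line: expiry-epoch, MAC, IP, hostname, client-id)
and a register maintained by IT. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: the network segment IT reserved for IoT devices.
IOT_SEGMENT = ip_network("10.20.0.0/24")

# Constructed sample: the date the report is run for.
REPORT_DATE = date(2024, 6, 10)

# Constructed sample lease file in dnsmasq format ('*' means field not supplied).
SAMPLE_LEASES = """\
1718000000 aa:bb:cc:00:00:01 10.20.0.15 meeting-room-tv 01:aa:bb:cc:00:00:01
1718000100 aa:bb:cc:00:00:02 10.10.0.77 lobby-camera *
1718000200 aa:bb:cc:00:00:03 10.20.0.44 * *
1718000300 aa:bb:cc:00:00:04 10.20.0.45 hvac-controller *
"""


@dataclass(frozen=True)
class RegisteredDevice:
    mac: str
    owner: str                      # business group responsible for the device
    last_patched: date              # date the last vendor update was applied
    default_password_changed: bool  # recorded when the device was onboarded


# Constructed sample register; in practice this comes from the asset system/CMDB.
REGISTER = {
    "aa:bb:cc:00:00:01": RegisteredDevice("aa:bb:cc:00:00:01", "Facilities", date(2024, 5, 1), True),
    "aa:bb:cc:00:00:02": RegisteredDevice("aa:bb:cc:00:00:02", "Security", date(2023, 9, 10), False),
    "aa:bb:cc:00:00:04": RegisteredDevice("aa:bb:cc:00:00:04", "Facilities", date(2024, 6, 1), True),
}


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Parse dnsmasq-style lease lines into Lease records."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines rather than abort the run
        _expiry, mac, ip = fields[:3]
        hostname = fields[3] if len(fields) > 3 and fields[3] != "*" else ""
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def reconcile(leases, register, today, max_patch_age_days=180):
    """Return (mac, finding) tuples for each control the article calls for.

    Checks: device is in the register, sits in the IoT segment, has had its
    default password changed, and was patched within max_patch_age_days.
    """
    findings = []
    for lease in leases:
        dev = register.get(lease.mac)
        if dev is None:
            label = lease.hostname or "no hostname"
            findings.append((lease.mac, f"unregistered device at {lease.ip} ({label})"))
            continue
        if ip_address(lease.ip) not in IOT_SEGMENT:
            findings.append((lease.mac, f"outside IoT segment: {lease.ip}"))
        if not dev.default_password_changed:
            findings.append((lease.mac, "default password not changed"))
        if (today - dev.last_patched) > timedelta(days=max_patch_age_days):
            findings.append((lease.mac, f"last patched {dev.last_patched.isoformat()}, "
                                        f"over {max_patch_age_days} days ago"))
    return findings


if __name__ == "__main__":
    for mac, finding in reconcile(parse_leases(SAMPLE_LEASES), REGISTER, REPORT_DATE):
        print(f"{mac}: {finding}")
```

Run against the constructed data, the script reports one unregistered device (no register entry, no hostname) and three findings against the lobby camera: it is on the office segment rather than the IoT segment, its default password is still recorded as unchanged, and its last patch is well outside the window. The two Facilities devices produce no findings. Feeding the script a real lease file and register gives the register the article asks for a way to stay accurate between purchases.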
Taking a proactive, risk-based approach to securing IoT devices provides businesses with a greater level of assurance around the security posture of the entire organisation, supports the ongoing operations that these devices provide and helps to ensure business continuity.
There is very little regulation or control of the way IoT devices connect to the internet; however, this is beginning to change. There are a number of efforts within the UK and abroad to increase the security of IoT devices. These include the recently published European Standard 303 645, which establishes a security baseline for Internet-connected consumer devices and provides a basis for future Internet of Things product certification schemes. In the UK, the Department for Culture, Media and Sport (DCMS), as well as the National Cyber Security Centre, are working on a code of practice, initiatives such as Secure by Default and Secure by Design, and a pilot IoT security certification, currently funded by DCMS.
This article was written in collaboration with my colleague Jacques du Toit. To understand how your organisation can better identify, protect and secure the IoT devices in use within your networks, please do reach out to either of us via LinkedIn for an impartial, informal conversation.