As more and more companies invest time and money in IoT devices, the more they depend on them for their day-to-day business operations. Since those devices can run infrastructure-related services like K3s or (embedded) software applications, they are at the heart of the corporate IT landscape. At the same time, the widespread distribution of those devices across decentralized locations makes things even more complicated. Often, companies depend on manufacturers for the delivery and maintenance of IoT devices: the “shared responsibility” model as we know it in the public cloud does not apply here. Yet security-related aspects are vital to keep your applications and internal network secure, as well as the data that flows through them. In this article, we’ll explore the top IoT security aspects that pose a risk to your organization.
Insecure by default
Popular phrases like “security by design”, “privacy by design” and “security first” are common in the DevSecOps way of working, which is now the de facto standard at companies across the world. In the world of IoT, this is not always the case. Assume that your IoT device is insecure by default, since you will likely notice one or more of the following problem areas:
- Default usernames & passwords which do not adhere to any password policy
- Services exposed to the external world that are not actually necessary
- No automated updates of critical security components
- Communication over insecure connections which use outdated cryptography techniques
- No proper user management: only admin accounts, without Role Based Access Control
These are just the tip of the iceberg. There are many more aspects that play a role in your organization.
Besides security aspects that are purely related to the vendor of your IoT devices, there are also several challenges you need to deal with in your own organization. Think of the following items which create additional risks:
- Lack of proper device management: IoT devices are “scattered” across your company, and there is no central database of which devices are actually present and operating, and thus which need to be maintained. Often, there are no “official owners” of them, which makes it hard or even impossible to find a truly responsible person for them.
- IoT devices which are classified as “shadow IT” operate under the radar of corporate IT. As a result, no proper governance is possible, and these devices lead to compliance violations and other security risks which might occur without the “formal organization” noticing.
- Insufficient knowledge about IoT devices, their software, and infrastructure-related aspects leads to a misunderstanding of the various (business) opportunities and threats of these devices. A lack of technical knowledge focused on IoT-specific solutions leads to less secure solutions compared to more traditional applications.
- No complete risk assessment of the network and the IoT devices. Sometimes, companies think they have covered this topic by assessing everything by themselves. Often it’s wise to engage a third party to bring in extra expertise. A specialized third party might find other risks, and perhaps a lot more, but they can also advise on a way to address those issues to reduce the perceived security risks.
With these aspects in mind, it’s also vital to keep in mind that IoT devices might be in the field for a long period of time.
Every software application has a certain lifetime. As time passes, tech stacks are renewed when there is a need for modernization. This is very common for applications that are decoupled from the (hardware) infrastructure on which they run. It’s a different story for IoT devices, which might stay “static” for 10 to 20 years in the field. Think of a fridge that has a lifetime of 15 years, or an expensive medical device that should work for 20+ years before it’s replaced with a new one. Consider the following challenges which affect the security of your devices.
- What happens when the IoT devices are no longer supported by the original vendor? What does that mean for the software which runs on them? Your organization should address this before buying them. Perhaps there is no solid answer at the moment you need it; then what?
- Protocols might, and will, change over the entire lifetime of your physical devices. An example would be the transition in internet-based protocols from SOAP messaging in the past to REST at present. Or what about other networking protocols like Near Field Communication (NFC), LoRa, or nRF24?
Software and protocols
- The software vendor responsible for security patches stops its operations or hands them over to another company. What does this mean for (critical) security fixes and/or other software updates? A handover to another party often means a new contract or different policies, including SLAs.
- Software on embedded devices may become obsolete or turn into legacy software for which there is no support (anymore). This renders your devices more vulnerable, since newer technologies also enable advanced protection mechanisms which might not be available in older technology.
The above list only gives you a quick overview of the challenges to take into account.
It’s vital to secure your IoT devices in their respective environments. If you don’t, your company is at risk of a disruption of your (core) operations, and your sensitive data could be stolen. This can lead to financial losses or reputational damage.
Independently of how long your devices last and how well your vendor supports them, it’s good to have a solid IoT security plan. In this plan, you should at least address and implement the following action points:
- Have a complete overview of all of your IoT devices. Think of IoT devices in centralized locations, at partners and customers, but also in homes (given the popularity of the Working from Home movement).
- People first: assign an administrator who is also highly skilled in the security domain. This should be a single person, with a backup in case he/she is absent or unavailable.
- Think about alternative security solutions for devices that are difficult to configure and/or which offer a limited capacity to implement security steps.
- Have an update & patch policy in place and stick to it.
Networks and GPS
- Secure and monitor Wi-Fi networks and GPS-based solutions, especially if these are needed for critical services like the core business processes of certain companies (such as location-based services for manufacturing, monitoring, or reporting). Wi-Fi networks should not be configured to let any device connect to them.
- Secure IoT networks, including the cloud. This is a vital step since IoT devices communicate (a lot) with other systems and software applications.
Since this list is never complete, also be sure to include the following topics: use strong and unique passwords and enforce a strong password policy. Monitor the networks and protocols associated with your IoT devices. There are already a lot of articles that deal with cloud security topics; since IoT and cloud are becoming intertwined, it’s no surprise that this is an important topic. And last but not least: use secure data storage solutions that keep your data secure at all times. This also helps you maintain data privacy and confidentiality.
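The device overview, the patch policy and the insecure-by-default checklist from earlier in the article come together once you have an inventory you can actually audit. The following Python script is an added example (not code from the article or from any vendor platform) that runs the article's checks over a constructed inventory: factory default credentials, weak passwords, services exposed beyond an allow-list, plaintext or outdated TLS, admin-only accounts, missing owners, overdue patching and ended or unknown vendor support. The inventory schema, the field names, the default-credential list and the thresholds are all assumptions chosen for the example; a real audit would load a maintained default-credential list and your own policy values.

```python
"""Audit a constructed IoT device inventory against the insecure-by-default
signs and lifecycle risks listed in the article. The inventory schema, the
default-credential list and the thresholds are assumptions for this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed: a handful of widely known factory defaults. A real audit would
# load a maintained list rather than hard-code one.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("user", "user")}
# Assumed allow-list: services a device may expose without a documented need.
ALLOWED_SERVICES = {"https", "mqtts"}
MIN_TLS = (1, 2)             # anything older counts as outdated cryptography
MIN_PASSWORD_LENGTH = 12     # assumed password policy
MAX_PATCH_AGE_DAYS = 90      # assumed update & patch policy


@dataclass
class Device:
    device_id: str
    owner: Optional[str]                    # None models "no official owner"
    username: str
    password: str
    exposed_services: Set[str]
    tls_version: Optional[Tuple[int, int]]  # None means plaintext transport
    last_patch: Optional[date]              # None means never patched
    vendor_support_ends: Optional[date]     # None means not recorded
    accounts: Dict[str, str] = field(default_factory=dict)  # account -> role


def audit_device(dev: Device, today: date) -> List[str]:
    """Return the list of finding tags for one device (empty = no findings)."""
    findings: List[str] = []
    # Insecure-by-default signs
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if len(dev.password) < MIN_PASSWORD_LENGTH:
        findings.append("weak-password")
    extra = dev.exposed_services - ALLOWED_SERVICES
    if extra:
        findings.append("unnecessary-services:" + ",".join(sorted(extra)))
    if dev.tls_version is None:
        findings.append("plaintext-transport")
    elif dev.tls_version < MIN_TLS:
        findings.append("outdated-tls")
    if dev.accounts and all(role == "admin" for role in dev.accounts.values()):
        findings.append("admin-only-accounts")
    # Organizational and lifecycle risks
    if dev.owner is None:
        findings.append("no-owner")
    if dev.last_patch is None or (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("patching-overdue")
    if dev.vendor_support_ends is None:
        findings.append("support-end-unknown")
    elif dev.vendor_support_ends <= today:
        findings.append("vendor-support-ended")
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map every device id to its findings, including devices with none."""
    return {d.device_id: audit_device(d, today) for d in devices}


def devices_needing_action(report: Dict[str, List[str]]) -> List[str]:
    """Sorted ids of devices with at least one finding."""
    return sorted(dev_id for dev_id, findings in report.items() if findings)


# Constructed sample inventory (not real devices or credentials).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Device("cam-017", None, "admin", "admin", {"http", "telnet", "https"},
           (1, 0), date(2023, 1, 15), date(2023, 12, 31), {"admin": "admin"}),
    Device("gw-002", "ops-team", "svc-gateway", "Xk9#mT2!qL7vB4wZ",
           {"https", "mqtts"}, (1, 3), date(2024, 5, 20), date(2027, 1, 1),
           {"admin": "admin", "operator": "viewer"}),
    Device("sensor-113", "facilities", "root", "root", {"mqtt"}, None,
           None, None, {"root": "admin"}),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(dev_id, "->", ", ".join(findings) or "no findings")
```

Devices with an unknown support end date are flagged on purpose: the article's point is that you should know the answer before you buy, so "not recorded" is itself a finding rather than a pass. Feeding the script a real inventory export means mapping your own columns onto the `Device` fields and replacing the assumed thresholds with your policy values.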
IoT device management platforms
To tackle a lot of the challenges mentioned above, you can utilize a so-called “IoT device management platform”. These platforms ease the burden of managing and controlling your IoT devices from a single point of view. In short, they offer capabilities like providing a complete overview of your IoT devices and handling their life-cycle management (deploying, monitoring, maintaining & updating). Besides this, you can apply security patches to your devices and implement end-to-end security solutions. And finally, those platforms help you to improve firmware upgrades, alert and report on specific metrics (centralize them!), and help with asset provisioning. These platforms really ease the burden of a lot of manual and error-prone tasks which put high pressure on your valuable workforce.
The usage of IoT devices in companies across the world is growing. A lot of those devices are insecure by default. Companies have difficulties securing all of those devices, and they also face organizational challenges in getting them secure. Certain IoT devices have a relatively long lifetime “in the field”; think of refrigerators or coffee machines. Often, IoT devices use non-internet protocols to communicate with other systems. Some systems are difficult to configure to apply security best practices. These aspects pose extra challenges to bringing security to the desired level. A solid IoT security plan and an IoT device management platform help to pave the way and make it happen.