You probably already know that IoT introduces some huge new security challenges for your IT department; along with the promise of IoT, there’s plenty of concern among businesses and pundits about what happens from a security standpoint when so many devices are suddenly added to the corporate network. What may be less known is where the threats will come from and what to do about them.
“Current IT security controls frameworks serve as a good starting point to manage some attacks and address some common vulnerabilities, but the attack vector combination is different for IoT, and enterprise security models will have to adapt to account for this,” notes Oswin Deally, vice president of the cyber security practice at advisory firm Capgemini.
We’ve asked several IoT security experts where the biggest threats exist for business, and here’s what they had to say.
1. Rushed Deployments
The first area you should watch is vulnerabilities introduced during initial deployment.
“Tight deadlines and a lack of in-house knowledge, coupled with complex documentation and deployment processes, can often lead to insecure deployments,” notes Andrew McKenna, team lead for the IoT Center for Excellence at security services firm Security Innovation.
Part of the issue is a lack of proper training among IT staff, as IoT presents several new IT challenges.
“Deploying IoT, and deploying it securely, may require a different expertise and procedures compared with the traditional skillsets that managed the deployments of the physical version of the ‘thing’ or new sensor technology,” adds Deally at Capgemini. “Business process and operations impacts must be considered and accounted for, as well as technical skills for proper configuration and digital threat friction reduction when placed in the environment.”
2. Open Devices
Lack of access protection on physical devices is also a huge security challenge for IoT that businesses should mind carefully, according to Diana Kelley, global senior security advisor for IBM Security. This includes devices that come with no password lock by default.
Always require a password or a biometric scan to unlock or gain access to a device, she stresses. IT departments typically focus on network security when it comes to IoT, but device security is equally crucial.
Watch for devices in the field that might lack this protection, and either swap these devices for models with better security or beef up other security defenses to compensate, such as zone fencing around individual devices.
3. Legacy Systems
Legacy plays a role in two ways when it comes to increased security challenges. First, there is the challenge that IoT software often has a long shelf life since it is associated with devices in the field that are not frequently replaced. Second, vulnerabilities in legacy systems are amplified when combined with the newer IoT environment.
“IoT devices tend to be deployed for much longer than typical applications,” says McKenna at Security Innovation. “The higher capital cost of physical devices usually means their lifespan is longer than a typical piece of software.”
This can pose a significant security threat as these systems can remain active beyond the life of vendor support for the device.
There’s also the amplification of exposure for legacy systems that interface with IoT.
“Many of the systems that manage the plants are old,” explains Deally. “These old systems have embedded vulnerabilities due to deprecated and unsupported versions of software. Thus they are easy targets. This is increased risk to business operations. But by introducing IoT, the risk associated with the old systems increases as well.”
4. The Wrong Security Model
Televisions, door locks, lighting, signage and thermometers are not the only connected devices. Companies also are using IoT technology within the factory to gather insight about operations and production. One issue to watch is applying the wrong security model; traditional security controls don’t work in industrial settings.
“These two environments where businesses are deploying IoT are different, and companies cannot use the same techniques and controls to secure them,” says Deally. “Plants are deterministic in nature. If companies approach the security of IoT within industrial networks with traditional security controls, they will interject variability in the environment and make it less predictable and no longer deterministic. The unique characteristics of each environment must be accounted for when securing IoT.”
5. Software Updates
Updating software and applying security patches is one of the most fundamental IT security practices. With connected devices, however, either vendors are slow in patching known vulnerabilities or firms are slow in applying the patches. This makes software updates a key security area to watch and address.
“Firmware on IoT devices can be a daunting and potentially unreliable process,” explains McKenna. “It is difficult for organizations to keep all of their IoT infrastructure up-to-date. So often they skip releases, only updating intermittently.”
One solution is automatic updates that can be pushed to devices, functionality that is critical for IoT security but too often not present.
“IoT endpoints need to have a mechanism for updates to ensure new versions and patches can be applied,” says Kelley at IBM Security.
These are some of the most important areas to watch. But they aren’t the only ones. IoT is creating new opportunities for business—but also new headaches.
About the Author
Peter Kowalke is a journalist and editor who has been covering business, technology and lifestyle trends for more than 20 years. When not writing, he runs Kowalke Relationship Coaching.
Source: SANS ISC SecNewsFeed @ May 2, 2017 at 04:09PM