Internet of Things (IoT) devices are proliferating into unanticipated areas of businesses and personal lives. The explosion of IoT devices follows the familiar pattern of the bring-your-own-device (BYOD) movement, which has infiltrated the same spaces. What differentiates the two categories is the number of items and the cost of individual devices. But while the differences are substantial, IT can learn from its experience securing the BYOD population.
Threats Hidden in Plain Sight
The introduction of BYOD into the enterprise may have been unauthorized, but the products were typically not hidden. The smartphones, smart watches and other intelligent devices were generally used in plain sight, but the risks they posed included allowing unauthorized and unsecured access to enterprise systems through personal devices that were being used for work purposes. The fact that enterprise-level products could be put into service without IT oversight or proper security precautions took analysts by surprise. It also generated a rush to create software and services that could be installed on user-owned units and in enterprise infrastructure to reduce the threats they posed.
Similarly, these new smart products carry a variety of robust technical capabilities, such as communication and data transfer. They are also arriving without IT authorization or vetting. This time, however, they are not in plain sight: In many cases, the IoT components are embedded as part of some larger product. Most importantly, like BYOD, IoT devices notoriously lack security.
The Internet of Everything
IoT devices are often small and inexpensive components that add smart capabilities to the products that host them. Consumer products such as thermostats, smart TVs and refrigerators benefit from communications, sensor reading, and video and sound recording. In the enterprise, IoT devices such as copy machines, HVAC systems, VoIP phone systems and intelligent subsystems can be breached in under three minutes, according to a ForeScout report.
Unlike BYOD devices, which are comparatively fewer in number and generally costlier, IoT devices number in the billions and often cost just a few dollars. Manufacturers have little incentive to enable security measures in each device. Even if they did, standards for IoT security implementation have yet to be ratified.
Securing IoT Devices
You should assume that smart products currently exist in your enterprise. Here are the most important steps to take to manage and secure these devices.
- Identify which devices have communication capabilities. If a device connects to your network and sends alerts, communicates with its manufacturer for warranty updates or provides any other indication that it is using its network connection to reach outside the enterprise, add it to your list of enabled systems.
- Connect devices to your network only if there is a demonstrable benefit. If a device can function properly without a network connection or if its connection only provides marginal utility, disconnect it and test its functionality. Before reconnecting, ask the manufacturer how the product is intended to communicate and what measures have been taken to secure it.
- Create a separate network specifically for smart device connections.
- Disable Universal Plug and Play (UPnP). Do not allow automatic discovery and connection for networked devices. Make certain that any devices that request network access are reviewed for security and connected to the proper network segment.
- Update firmware where possible. Contact manufacturers for updates to their firmware and ask about procedures they have taken to add security measures to the systems you use.
The population of IoT-enabled systems in the enterprise will continue to grow. IT must act now to establish procedures to evaluate the connections and systems currently in use and add appropriate evaluation criteria to standard purchasing procedures for new additions.