How to Close IoT Security Gaps

Protecting IoT devices is currently one of the biggest challenges in network security.

These devices are also one of the most common reasons organizations fail network security audits. IoT security challenges are growing at a staggering pace, with Gartner predicting the IoT market will reach an estimated 20.4 billion devices by 2020. While there is no question IoT-enabled devices such as security cameras, HVAC sensors and printers deliver operational and efficiency gains, many companies are struggling to identify and secure these devices that are increasing the attack surface of the enterprise network.

What Causes IoT Security Gaps?

The root cause of IoT security issues stems from the device manufacturing design process. Most companies are designing IoT based solely on enhanced functionality and forgetting about the security requirements. So, once again, enterprise organizations are left to “figure it out.” For most companies, the network firewall is the first line of defense.  IoT devices present a special challenge for firewalls because these devices are headless. Since they don’t have a specific user to authenticate, most existing authentication protocols don’t work, so the vast majority of firewalls cannot see, authenticate, or protect these devices. This is not the only network security challenge posed by IoT devices, they also create the following security gaps:

  • IoT devices lack, or have poor, onboard security. Some devices even have PINs hardcoded into the firmware that cannot be patched or updated. Once the PIN is compromised, this is an open door for hackers.
  • There is no common operating system or security standard for IoT devices, making them difficult to secure. There are hundreds of permutations of device types, security protocols, and operating systems, most without any enterprise-grade security. Since IoT devices automatically connect to the internet to share information with manufacturers or connect to other network devices, these devices create security gaps that provide hackers with easy access points.
  • Most IoT devices lack the memory and processing power to provide meaningful security.
  • Even in IoT devices with security, most have weak authentication and authorization protocols that also cause security gaps.

In addition to the gaps caused by known IoT devices, companies also face increased risk from unknown IoT devices that are part of the growing Shadow IT challenge. Shadow IT is when individuals or business groups purchase and install new technologies without the knowledge or approval of the corporate IT group. Since IoT devices now include everything from the office coffee maker to the copier, office managers and other employees who have never had to consider network security when purchasing products, may be inadvertently adding unsecured IoT devices. With the multiple risks these devices pose to network security, and thousands of new devices predicted to enter the market in the next year, these devices cause glaring security gaps that organizations need to close.

Closing the Gaps

In the past, enterprise networks were self-contained within a well-defined perimeter. A company could build strong defenses at the network edge and be fairly confident about keeping the bad guys out and the important data safe. Today, there is no longer a simple perimeter and most firewalls cannot see or protect IoT and other headless devices. The network is accessed by a vast array of endpoints in varying locations, and companies must now support multiple non-standard devices per user, as well as a growing number of IoT devices that must be secured.

Organizations must be able to identify and close IoT security gaps without losing the productivity and efficiency gains delivered by these devices.  To do this, organizations need the ability to see all the known and unknown IoT devices that are connected to the network, as well as implement compensating control for these unsecured devices – ideally while preserving their existing security technology investments.

Fortunately, there are compensating controls that provide both the visibility and controls necessary to secure IoT devices, but this is more than we can cover in one blog. We’ll be covering this topic in more detail during Bradford Networks’ session: The Internet of Things – Operation Boon and Exploding Security Gap. We will present the latest research and step-by-step instructions on how to quickly secure IoT network gaps.

This blog was brought to you by our partner, Bradford Networks. Bradford Networks is leading the transformation of network security by providing visibility, control, and response to minimize the risk and impact of cyber threats. They are a sponsor of our annual Camp Secure Sense 2018, and will be presenting on Day 1 at 10:50 am. Head on over to the registration page to discover other thought leadership presentations exclusive to Camp Secure Sense here.

With only 33 days left, and a few spots open for InfoSec leaders, we encourage you to register ASAP.