This is the start of a series of articles about the Internet of Things (IoT). There is a lot of hype around risks associated with compromised IoT devices and the purpose of this series is to help executives and technologists deal with these risks in a holistic manner.
First, we should agree what IoT devices are. For the purposes of these posts I am going to define IoT devices as any device other than a computer, server or networking hardware that is connected to a network. Generally I’m looking at this from a business perspective although much of this thinking can be applied to consumer devices in and around the modern home.
Why is IoT different than the rest of the devices on my network?
Familiarity: Your typical IT department has many years of experience securing Windows desktops, installing anti-virus software and configuring the Cisco firewall that sits at the edge of a network. There are well established configuration standards, processes and experts within organizations to deal with these devices. IoT devices are often new to IT, these devices are often managed by a third party vendor or the cafeteria staff (in the case of the wifi-enabled toaster) or the building security contractor. Not only are the devices new to IT but so are the underlying technologies that power the devices. They’re often running less common operating systems, using protocols IT is less familiar with (RabbitMQ, Zigbee) and often no access is provided to the devices to IT.
The bottom line is that there is an unfamiliarity with the devices and the underlying technologies the devices rely upon. Time and training will gradually address this issue.
Visibility: How confident are you that you have a detailed inventory of all the IoT devices on your network or that your organization relies upon to some degree? How long would it take you to discover a new IoT device had been added to your network?
Even in organizations that have an awareness that IoT devices carry a set of risks these teams are often surprised at how many internet connected devices are actually in their facilities.
Addressing the visibility gap is about automated detection tools residing in your network, policies about involving IT for any device with an IP address and keeping a detailed inventory of the devices. Second only to having an inventory, the most important next step is that the inventory identifies the responsibility hierarchy for these devices.
Responsibility: I think the biggest thing that is impacting the security of IoT devices, is a lack of a clear responsibility hierarchy. If I asked you who in your organization is responsible for protecting your CEO’s Windows laptop from hackers you probably wouldn’t need to think too hard. Joe, our Chief Information Officer. Or Bill, our Network Administrator.
If I instead asked who is responsible for the security of the administration console for the IP Video surveillance camera in your front lobby, or who is the person who is confident they are in control of all the access credentials for your buildings intrusion alarm, the answer would probably take a bit more thinking.
IoT devices are often introduced by a variety of people across the organization. HR brings in a xBox and internet enabled fridge for the staff party. The facility AV tech brings in a “smart TV” for the boardroom (that just so happens to have a camera and microphone connected to an internal computer that got a firmware update --- never). The generator maintenance technician that connects the generator controller to the network for remote programming. The intrusion alarm company that supplies the workstation that you program new building access fobs with. All these are examples of devices that are connected to the network but not necessarily ordered and managed by IT.
For every device on the network it is critical to identify who is responsible for:
Approval of the device being connected to the network
Identifying the storage locations of and approval for the collection of any personal or corporate information collected by the device
Security review of the device
If the answer is the vendor, what level of trust do we have that the vendor will be doing security updates, rotating credentials when their staff leave, etc, etc.
This brings us to our next topic in the IoT Blog Series….Supply Chain Risk