IoT Device Security in Converged Networks
July 10, 2023
Building IoT Devices to Operate for Modern IT Security Requirements
Cybersecurity has been, and remains, a central concern for Internet of Things (IoT) device manufacturers, including the Industrial Internet of Things (IIoT) subcategory at the heart of Industry 4.0. It is also a critical focus for IT networks. Enterprise cybersecurity is no longer just about securing PCs and servers: IoT devices are now pervasive, and every IT security plan must account for them. Likewise, IoT security is not simply about hardening devices so they are not easily compromised. IoT devices must also “play nice” with the security solutions already deployed in the enterprise.
On the enterprise side, cyberattacks are on the rise, with growth in both the number and the scope of ransomware incidents, data theft, and other attacks. These attacks affect every market segment, from healthcare and government to banking and manufacturing, and organizations of all sizes. As a result, enterprise security teams are under increasing pressure to secure their networks.
According to Check Point Research, healthcare organizations experienced 1,426 cyberattacks per week in 2022, a 60% increase over the previous year. Recovering from an attack is expensive: the average cost of a data breach for healthcare organizations reached $10M per incident in 2022, according to IBM’s Cost of a Data Breach Report. Statistics for other industries show similar trends.
Existing tools and processes are failing to keep up, and IT security managers are looking for new tools to protect their infrastructure without breaking the bank. They also need to ensure that IoT devices neither create security risks nor cause operational problems, and that these devices can be managed.
IT security requirements for IoT devices
Many early IoT devices, such as SCADA components and other embedded systems, operated in air-gapped or otherwise isolated networks. While this is still true in some cases, Operational Technology (OT) and Information Technology (IT) environments are converging, and many IoT devices now operate inside IT networks. Other types of IoT devices, such as printers, point-of-sale systems, and networking equipment, have always lived in IT environments. Historically, these devices were unmanaged devices on IT networks. Unmanaged devices are no longer seen as an acceptable security risk in most IT environments.
Corporate security is rapidly evolving with many new solutions and requirements being introduced each year. The key new requirements that IoT device manufacturers must be aware of are:
- Adoption of Zero Trust Architectures (ZTA)
- Growing adoption of Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) solutions
- Growing adoption of device scanning solutions
- Emerging Internal Attack Surface Management (IASM) and other new, more advanced activity monitoring solutions
- Updatability of the device’s software and firmware
IoT devices that are likely to be used in IT environments must be designed with these capabilities in mind. At a minimum, IoT devices must not fail during a network scan. For some environments, they need to support corporate authentication protocols for Zero Trust Architectures and integrate with EDR/MDR solutions.
Device resilience requirements
Many organizations’ security policies now require periodic vulnerability scans, penetration testing by skilled white-hat testers, or both. Many organizations use scanning products such as Tenable, Rapid7, or Qualys to automate recurring scans of the devices, services, and applications running within their infrastructure.
Scanning some IoT devices can itself pose an operational risk, especially for devices that were not designed with cybersecurity in mind. Many medical devices, for example, are fragile: simply being probed by a scanner can be enough to make them hang or crash. Historically, the workaround has been to exclude such devices from network scans. That approach is no longer viable. Excluding devices from scans fails to meet the security policies of many organizations, and, more seriously, those devices may contain serious vulnerabilities; excluding them from scans is the equivalent of sticking your head in the sand and ignoring the danger.
Requirements for device manageability
Adoption of Zero Trust architectures and of EDR/MDR solutions are two important IT security initiatives. In a Zero Trust architecture no device, service, or user is trusted by default: every access request must be authenticated and authorized. To operate in these environments, IoT devices need, at a minimum, to support device authentication with digital certificates, for example mutual TLS or 802.1X with EAP-TLS.
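A minimal version of that requirement, as an added example rather than code from the original article: a Go program in which a policy-enforcing gateway demands a certificate issued by the corporate device CA from every client, and three devices connect to it, one with a valid certificate, one with a certificate from an issuer the gateway does not trust (carrying the same device name, as a spoofing attempt would), and one with no certificate at all. The CA, the gateway name policy-gateway, the device name sensor-0042 and the loopback addresses are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newCert issues an ECDSA P-256 certificate for cn: a self-signed CA when
// parent is nil, otherwise a leaf signed by parent with the given extended key usages.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN the loopback client verifies
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// clientCfg trusts pool for the server and always offers id as the device identity
// (an empty Certificate sends none), so the server's verification decides the outcome.
func clientCfg(pool *x509.CertPool, id *tls.Certificate) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return id, nil }}
}

// handshake runs a one-shot loopback server with srv, connects with cli, and
// returns the client CN the server authenticated or the error the server raised.
func handshake(srv, cli *tls.Config) (string, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil { // the client certificate is verified here
				cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), cli)
	err := <-done // wait for the server's verdict before tearing the client down
	if dialErr == nil {
		conn.Close()
	}
	if err != nil {
		return "", err
	}
	return cn, dialErr
}

// deviceAuthDemo builds a device CA plus three client identities and returns
// what the policy-enforcing gateway decided for each of them.
func deviceAuthDemo() (acceptedCN string, unknownIssuerErr, noCertErr error) {
	caCert, caKey := newCert("Corp Device CA", nil, nil)
	srvCert, srvKey := newCert("policy-gateway", caCert, caKey, x509.ExtKeyUsageServerAuth)
	devCert, devKey := newCert("sensor-0042", caCert, caKey, x509.ExtKeyUsageClientAuth)
	rogueCA, rogueKey := newCert("Rogue CA", nil, nil)
	rogueCert, rogueDevKey := newCert("sensor-0042", rogueCA, rogueKey, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // Zero Trust: no valid device certificate, no session
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	acceptedCN, _ = handshake(srv, clientCfg(pool, &tls.Certificate{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}))
	_, unknownIssuerErr = handshake(srv, clientCfg(pool, &tls.Certificate{Certificate: [][]byte{rogueCert.Raw}, PrivateKey: rogueDevKey}))
	_, noCertErr = handshake(srv, clientCfg(pool, &tls.Certificate{}))
	return acceptedCN, unknownIssuerErr, noCertErr
}

func main() { fmt.Println(deviceAuthDemo()) }
```

The point of the three cases is on the server side: `RequireAndVerifyClientCert` with a `ClientCAs` pool limited to the corporate device CA is what turns "has a certificate" into "has a certificate we issued". On a real device the private key would live in a secure element or TPM and the certificate would be provisioned at manufacturing or enrolment time; 802.1X/EAP-TLS carries the same certificate exchange inside EAP rather than over a TCP socket.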
Compatibility with EDR/MDR solutions can likewise be achieved with a minimal set of capabilities. The device needs on-board intrusion detection that can recognize anomalies and attacks against the device itself, and a Syslog client, or a similar event-reporting agent, so that detected events reach the organization’s Security Information and Event Management (SIEM) system.
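An added example (not from the original article) of the two pieces just described, in Go: a small on-device detector that flags repeated failed logins from one source within a time window, and a syslog client that formats the resulting event as an RFC 5424 message with structured data and sends it to a collector standing in for the SIEM. The thresholds, the SD-ID iotsec@32473 (enterprise number 32473 is the one RFC 5612 reserves for documentation), the host name infusion-pump-12 and the failed-login records are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

const facilityAuthPriv, sevWarning = 10, 4 // RFC 5424 section 6.2.1 codes

// Event is an anomaly detected on the device that should reach the SIEM.
type Event struct {
	Severity int
	MsgID    string            // stable identifier the SIEM can key correlation rules on
	Params   map[string]string // structured-data parameters
	Msg      string
}

// AuthFailDetector raises an Event once one source accumulates MaxFails failed
// logins inside Window: the kind of on-device anomaly check the text asks for.
type AuthFailDetector struct {
	Window   time.Duration
	MaxFails int
	fails    map[string][]time.Time
}

// Observe records a failed login from src at t, discards failures older than
// Window, and returns (event, true) when the threshold is reached.
func (d *AuthFailDetector) Observe(src string, t time.Time) (Event, bool) {
	if d.fails == nil {
		d.fails = map[string][]time.Time{}
	}
	recent := d.fails[src][:0]
	for _, ft := range d.fails[src] {
		if t.Sub(ft) < d.Window {
			recent = append(recent, ft)
		}
	}
	d.fails[src] = append(recent, t)
	if len(d.fails[src]) < d.MaxFails {
		return Event{}, false
	}
	return Event{Severity: sevWarning, MsgID: "AUTHFAIL",
		Params: map[string]string{"src": src, "count": fmt.Sprint(len(d.fails[src])), "window": d.Window.String()},
		Msg:    "repeated failed logins to device management interface"}, true
}

// escapeSD escapes the three characters RFC 5424 forbids unescaped in a PARAM-VALUE.
func escapeSD(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, `]`, `\]`).Replace(s)
}

// formatRFC5424 renders an Event as
//   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
// with PRI = facility*8 + severity. The SD-ID carries enterprise number 32473,
// which RFC 5612 reserves for documentation; a real device uses its vendor's.
func formatRFC5424(ev Event, host, app string, pid int, ts time.Time) string {
	sd := "-"
	if len(ev.Params) > 0 {
		parts := make([]string, 0, len(ev.Params))
		for k, v := range ev.Params {
			parts = append(parts, k+`="`+escapeSD(v)+`"`)
		}
		sort.Strings(parts) // deterministic field order
		sd = "[iotsec@32473 " + strings.Join(parts, " ") + "]"
	}
	return fmt.Sprintf("<%d>1 %s %s %s %d %s %s %s", facilityAuthPriv*8+ev.Severity,
		ts.UTC().Format(time.RFC3339), host, app, pid, ev.MsgID, sd, ev.Msg)
}

// syslogDemo feeds five constructed failed logins from one host through the
// detector, ships the resulting event over UDP to a loopback collector standing
// in for the SIEM, and returns the message the collector received. (RFC 5425
// TLS transport is the production choice; UDP keeps the example self-contained.)
func syslogDemo() (string, error) {
	collector, err := net.ListenPacket("udp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer collector.Close()
	det := &AuthFailDetector{Window: time.Minute, MaxFails: 5}
	base := time.Date(2023, 7, 10, 14, 30, 0, 0, time.UTC)
	var ev Event
	for i := 0; i < 5; i++ { // constructed: failures at +0 s, +10 s, ..., +40 s
		ev, _ = det.Observe("10.0.7.55", base.Add(time.Duration(i*10)*time.Second))
	}
	msg := formatRFC5424(ev, "infusion-pump-12", "devsec", 1, base.Add(40*time.Second))
	conn, err := net.Dial("udp", collector.LocalAddr().String()) // the device's syslog client
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err = conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, 2048)
	collector.SetReadDeadline(time.Now().Add(2 * time.Second))
	n, _, err := collector.ReadFrom(buf)
	return string(buf[:n]), err
}

func main() { fmt.Println(syslogDemo()) }
```

Two details matter for the SIEM side: the MSGID and the structured-data parameter names must be stable across firmware releases, because detection rules are written against them, and values are escaped so that a hostile username containing `]` or `"` cannot break the structured-data element and hide the rest of the message from the parser.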
These are minimal capabilities that can be reasonably added to IoT devices. While these features don’t represent full implementation of all Zero Trust and EDR/MDR capabilities, they provide support for baseline features to allow IoT devices to operate successfully in modern corporate networks.
Activity monitoring solutions
Next-generation activity monitoring tools, such as Dragonfly Cyber’s Attack Surface Management solution, provide an alternative to device scanning. This approach is gaining popularity for internal attack surface management and has several advantages over traditional scanning solutions, which analyze the device itself: traditional scanners do not consider how the device behaves while in use.
Monitoring network activity captures how devices actually operate, which is far more informative. It can, for example, reveal a session in which a weak protocol version or cipher suite was negotiated even though the device presents a valid certificate and supports stronger options: a certificate by itself says nothing about the strength of the session that uses it, and a scan that enumerates what the device supports does not show what was actually negotiated with its real peers.
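To make the weak-negotiation case concrete, here is an added example (not the article's or any vendor's code) of the check a passive monitor would run on a captured ServerHello: it parses the record, reads the version and cipher suite the server actually selected (for both TLS 1.2-style and TLS 1.3 ServerHellos, where the real version is in the supported_versions extension), and reports sessions below TLS 1.2, suites on an insecure list, or RSA key exchange without forward secrecy. The sample ServerHello records are constructed in code, and the policy list, seeded from Go's own crypto/tls classification plus a no-forward-secrecy rule, is an assumption of the example.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// parseServerHello returns the protocol version and cipher suite a server
// selected, read from one TLS record carrying its ServerHello (RFC 5246 s7.4.1.3,
// RFC 8446 s4.1.3). In TLS 1.3 the real version sits in the supported_versions
// extension while legacy_version is fixed at 0x0303.
func parseServerHello(rec []byte) (version, suite uint16, err error) {
	if len(rec) < 9 || rec[0] != 0x16 || int(binary.BigEndian.Uint16(rec[3:5])) != len(rec)-5 {
		return 0, 0, errors.New("not a complete handshake record")
	}
	hs := rec[9:] // after the 4-byte handshake header
	if rec[5] != 0x02 || int(rec[6])<<16|int(rec[7])<<8|int(rec[8]) != len(hs) || len(hs) < 35 {
		return 0, 0, errors.New("not a well-formed ServerHello")
	}
	version = binary.BigEndian.Uint16(hs[0:2])
	p := 35 + int(hs[34]) // legacy_version(2) random(32) then the session id echo
	if len(hs) < p+3 {
		return 0, 0, errors.New("truncated ServerHello")
	}
	suite = binary.BigEndian.Uint16(hs[p : p+2])
	p += 3 // cipher_suite(2) + legacy_compression_method(1)
	if len(hs) < p+2 {
		return version, suite, nil // no extensions block: TLS 1.2 or older
	}
	ext := hs[p+2:]
	if int(binary.BigEndian.Uint16(hs[p:p+2])) != len(ext) {
		return 0, 0, errors.New("bad extensions length")
	}
	for len(ext) >= 4 {
		l := int(binary.BigEndian.Uint16(ext[2:4]))
		if len(ext) < 4+l {
			return 0, 0, errors.New("truncated extension")
		}
		if binary.BigEndian.Uint16(ext[0:2]) == 43 && l == 2 { // supported_versions
			version = binary.BigEndian.Uint16(ext[4:6])
		}
		ext = ext[4+l:]
	}
	return version, suite, nil
}

// findings applies the monitor's policy to a negotiated session: a version
// below TLS 1.2, a suite Go's crypto/tls classifies as insecure (RC4, 3DES,
// CBC-SHA256 ...), or static RSA key exchange, which has no forward secrecy.
func findings(version, suite uint16) []string {
	var out []string
	if version < tls.VersionTLS12 {
		out = append(out, fmt.Sprintf("protocol version 0x%04x below TLS 1.2", version))
	}
	name, insecure := tls.CipherSuiteName(suite), false
	for _, s := range tls.InsecureCipherSuites() {
		insecure = insecure || s.ID == suite
	}
	switch {
	case insecure:
		out = append(out, "insecure cipher suite "+name)
	case strings.HasPrefix(name, "TLS_RSA_WITH_"):
		out = append(out, "no forward secrecy: "+name)
	}
	return out
}

// serverHelloRecord builds a minimal constructed ServerHello record (zeroed
// random, empty session id); supported_versions is added only when tls13 is set.
func serverHelloRecord(legacyVersion, suite uint16, tls13 bool) []byte {
	hs := append(be16(nil, legacyVersion), make([]byte, 32)...)
	hs = append(be16(append(hs, 0), suite), 0) // session id len, suite, null compression
	if tls13 {
		ext := be16(be16(be16(nil, 43), 2), tls.VersionTLS13)
		hs = append(be16(hs, uint16(len(ext))), ext...)
	}
	body := append([]byte{0x02, 0, byte(len(hs) >> 8), byte(len(hs))}, hs...)
	return append(be16([]byte{0x16, 0x03, 0x03}, uint16(len(body))), body...)
}

func main() {
	for _, rec := range [][]byte{ // constructed: TLS 1.0+RC4, TLS 1.2+RSA key exchange, TLS 1.3
		serverHelloRecord(tls.VersionTLS10, tls.TLS_RSA_WITH_RC4_128_SHA, false),
		serverHelloRecord(tls.VersionTLS12, tls.TLS_RSA_WITH_AES_128_GCM_SHA256, false),
		serverHelloRecord(tls.VersionTLS12, tls.TLS_AES_128_GCM_SHA256, true),
	} {
		if v, s, err := parseServerHello(rec); err != nil {
			fmt.Println("parse error:", err)
		} else {
			fmt.Println(findings(v, s))
		}
	}
}
```

Because the check reads only the server's choice, it works on a mirrored or tapped copy of the traffic and needs no keys; it is also why a monitor sees downgrades that a device's own configuration review would miss, for instance a gateway that still accepts TLS 1.0 from one legacy peer.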
The data gathered by these solutions is used to provide a risk score for the network. From the risk score, users can drill down to find details on vulnerabilities impacting the risk score. Fine-grained reporting provides actionable insights to allow vulnerabilities to be addressed, lowering your overall security risk.
Activity monitoring solutions can discover vulnerabilities in IoT devices as well as in enterprise systems. IoT device manufacturers must run a vulnerability disclosure program through which users and researchers can report vulnerabilities found in their devices, and when vulnerabilities are found they must provide updates that fix them. IoT devices must therefore support secure software updates, so that security fixes can be installed easily and only authentic updates are accepted.
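An added example (not code from the article) of what "secure software update" means at the device, in Go: the vendor signs a manifest with Ed25519 over the version number and the image digest, and the device verifies the signature against a pinned public key, checks that the delivered image matches the digest, and refuses any version that is not newer than what is installed, which blocks replaying an old, vulnerable release. The keys, version numbers and image contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The signature covers the version and
// the image digest, so neither can be changed without the vendor's private key.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // ed25519 over Version || ImageHash
}

func (m Manifest) signedBytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.ImageHash[:]...)
}

// sign runs on the vendor's build system; the private key never reaches a device.
func sign(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Device holds what the updater needs: the vendor public key pinned in
// immutable storage and the currently installed version.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrImageHash    = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("update version not newer than installed")
)

// Install checks an update before anything is written: signature first, so
// unauthenticated data never steers the later checks; then image integrity;
// then anti-rollback. Only then does the installed version advance.
func (d *Device) Install(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if sum := sha256.Sum256(image); !bytes.Equal(sum[:], m.ImageHash[:]) {
		return ErrImageHash
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = m.Version // real firmware: flash the image, verify it, then commit
	return nil
}

// updateDemo runs four update attempts against a device at version 3 and
// returns each outcome: a valid v4, the v4 manifest with a modified image, a
// correctly signed v2 (rollback), and a v5 signed with a key the device does
// not trust. All keys and images are constructed for the example.
func updateDemo() (valid, tampered, rollback, wrongKey error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: pub, Installed: 3}

	image := []byte("constructed firmware image v4")
	m4 := sign(priv, 4, image)
	valid = dev.Install(m4, image)

	evil := append([]byte(nil), image...)
	evil[0] ^= 0xff // one flipped byte in the image
	tampered = dev.Install(m4, evil)

	old := []byte("constructed firmware image v2")
	rollback = dev.Install(sign(priv, 2, old), old)

	next := []byte("constructed firmware image v5")
	wrongKey = dev.Install(sign(attackerPriv, 5, next), next)
	return
}

func main() {
	fmt.Println(updateDemo())
}
```

The order of the checks is deliberate: the signature is verified before the version is even compared, so an attacker cannot learn anything from, or influence, the device's behaviour with a manifest the vendor never signed. Transport security (TLS to the update server) is a separate layer and does not replace the signature, since it protects the channel rather than the artifact.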
IoT devices are being built with higher levels of security than we have seen before. New regulations and guidance, such as the FDA’s cybersecurity requirements for medical devices and the NIST Cybersecurity for IoT Program, are helping drive adoption of cybersecurity features in IoT devices. Similar standards and legislation have been or are being developed for other industries.
Following these guidelines and requirements is a huge step forward for IoT device security. For devices that will operate in IT networks, adding a few basic security capabilities will let them meet the requirements of IT security teams.