Big Enterprise IoT Device Security Considerations

  • Analysts expect the global IoT market to grow from about $212 billion in 2018 to about $1.3 trillion by 2026
  • Unfortunately, these devices often ship with security flaws, poor API management, and lack efficient ways to provide security updates
  • Special Publication 800-213 helps federal agencies understand how IoT devices can impact the network and information security risks within their organizations

IoT risks continue to rise with the shift to remote work and the growing number of IoT devices deployed on enterprise and home networks. Findings from Verified Market Research indicate that the worldwide Internet of Things market will grow from about $212 billion in 2018 to about $1.3 trillion by 2026. Some analysts expect 70 billion IoT devices to be deployed by then.

These devices widen the surface on which attackers can target enterprises, whether they sit on the home networks of staff working remotely, on the enterprise network, or in industrial environments. They often have their own operating systems, programmable firmware, APIs, and other ways to interact with the device and with other enterprise systems.

The more these devices become part of the enterprise’s fabric, the more risk they entail. The more data they generate or access, the greater the risk of data theft. The more systems they control, the greater the risk of costly denial-of-service attacks. The more devices, the more potential entry points onto the network. Compromised IoT devices can disrupt networks and systems, and they can be commandeered to attack other systems.

There are tremendous benefits to these devices. They can help manage buildings better. They can help manage truck fleets better. They can help the organization measure and control system health in real-time, perhaps streamline operations, cut costs, or provide services and capabilities that weren’t possible before. In many ways, the risks are worth it.

But the risks must be managed.

Most enterprises today are seeing a drastic influx of IoT devices. They manage IP-connected printers, cameras, building heating and air conditioning systems, security systems, and more. They need to be able to identify these devices and develop ways to manage them effectively. When it comes to IoT security, traditional endpoint security tools typically fall short.

Unfortunately, these devices often ship with security flaws, poor APIs for management, and lack efficient ways to provide security updates.

Draft NIST Special Publication 800-213

Last month, the U.S. National Institute of Standards and Technology released NIST Special Publication 800-213. According to NIST, this publication seeks to help federal agencies understand how IoT devices can impact their organizations’ network and information security risks. However, other organizations in the public sector can get just as much value from the guidance.

The paper highlights what we have been covering for some time now. Silviu Stahie detailed why IoT devices lack security, including weak, guessable, or hardcoded passwords; insecure network services; insecure ecosystem interfaces; no secure update mechanism; the use of insecure or outdated components; and more. Bob Violino wrote in Bolstering Industrial Cyber Security in the Age of IoT that “Deploying strong cybersecurity measures for IT systems and networks is one of the biggest corporate priorities today.”

In an earlier blog, I argued that the internet of things would require a maniacal focus on availability and security. “Enterprises that deploy and manage IoT devices will find their attack surface increasing, which is the space that adversaries attack. They’re also going to find that their business risks increase, too. What this means is that business leaders have to understand how disruptions, hacks, and data breaches that stem from the IoT can have a profound impact on how people trust, or don’t trust, a business’s brand.”

The NIST document now encourages organizations to do that and more:

Define the device’s benefit: Why is this device being deployed, what are its services, and how will it be used to improve the organization?

Understand what data it collects: Some IoT devices don’t collect confidential data, while other data types would create considerable risk if compromised. Organizations should inventory the types of data the device collects, whether personal data, confidential organizational data, third-party data, or data that describes the technical environment.

How and where will the data be stored? Is it stored locally, or does the IoT service provider ship data to their or other clouds?

If the data goes offsite, who are all of the parties with which it will be shared? “In some cases, an IoT device will only exchange data with the owner and manufacturer-owned and operated systems. In other instances, the IoT device will share data with third parties,” the report accurately states. Organizations need to understand where all of their data will be shared and with whom.

Ask whether IoT devices introduce unacceptable risks to the agency or result in non-compliance with cybersecurity requirements. The answer needs to be no. Reaching it requires a look at the device’s inherent security, where it sits in the organization, and how it can be effectively managed to mitigate such risks.
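The five questions above are easier to apply consistently when they are turned into a device intake record and an assessment that yields a decision. The following Python script is an added example, not code from the original post or from NIST: it models the fields the checklist asks for (benefit, data categories, storage location, data sharing, and the weaknesses named earlier in the article such as default credentials, missing update mechanism, exposed services, and outdated components) and returns findings plus an accept/mitigate/reject decision. The weights, thresholds, category names, and sample devices are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Sensitivity weights for the data categories the checklist names.
# Assumed values for this example, not figures from SP 800-213.
DATA_WEIGHT = {
    "technical_environment": 1,
    "third_party": 2,
    "confidential_organizational": 3,
    "personal": 3,
}

# Where the data rests once it leaves the device (assumed categories).
STORAGE_WEIGHT = {
    "local": 0,
    "owner_cloud": 1,
    "manufacturer_cloud": 2,
    "third_party_cloud": 3,
}


@dataclass
class IoTDevice:
    name: str
    benefit: str                      # why the device is being deployed
    data_collected: List[str]         # keys of DATA_WEIGHT
    storage: str                      # key of STORAGE_WEIGHT
    shared_with: List[str]            # every external party that receives data
    default_credentials_changed: bool
    secure_update_mechanism: bool
    exposed_services: List[str]       # network services reachable from the LAN
    outdated_components: bool


def assess_device(dev: IoTDevice) -> Dict:
    """Apply the intake checklist to one device and return a decision record."""
    findings: List[str] = []
    blocking: List[str] = []
    score = 0

    # 1. Define the benefit: an undocumented purpose is itself a finding.
    if not dev.benefit.strip():
        findings.append("no documented benefit: justify the deployment first")

    # 2. Inventory the data collected and weight it by sensitivity.
    for cat in dev.data_collected:
        if cat not in DATA_WEIGHT:
            raise ValueError(f"unknown data category {cat!r}")
        score += DATA_WEIGHT[cat]

    # 3. Where is the data stored?
    if dev.storage not in STORAGE_WEIGHT:
        raise ValueError(f"unknown storage location {dev.storage!r}")
    score += STORAGE_WEIGHT[dev.storage]

    # 4. With whom is it shared? Each extra party adds exposure.
    if dev.shared_with:
        score += len(dev.shared_with)
        findings.append("data shared with: " + ", ".join(dev.shared_with)
                        + "; confirm contractual and technical controls")

    # 5. Inherent security: the weaknesses the article lists.
    if not dev.default_credentials_changed:
        blocking.append("default or hard-coded credentials still in use")
    if not dev.secure_update_mechanism:
        blocking.append("no secure update mechanism")
    if dev.outdated_components:
        score += 2
        findings.append("outdated components: obtain a patch plan from the vendor")
    if dev.exposed_services:
        score += len(dev.exposed_services)
        findings.append("exposed services: " + ", ".join(dev.exposed_services)
                        + "; segment the device and restrict access")
    findings.extend(blocking)

    # Blocking weaknesses on a device handling sensitive data mean the
    # answer to "does it introduce unacceptable risk" is not "no".
    sensitive = any(DATA_WEIGHT[c] >= 3 for c in dev.data_collected)
    if blocking and sensitive:
        decision = "reject"
    elif findings:
        decision = "mitigate"
    else:
        decision = "accept"

    return {"name": dev.name, "score": score,
            "findings": findings, "decision": decision}


def assess_inventory(devices: List[IoTDevice]) -> Dict[str, str]:
    """Map each device name to its decision, for a quick inventory view."""
    return {r["name"]: r["decision"]
            for r in (assess_device(d) for d in devices)}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    IoTDevice("hvac-sensor-01", "monitor building environment remotely",
              ["technical_environment"], "local", [], True, True, [], False),
    IoTDevice("lobby-camera-03", "physical security",
              ["personal"], "third_party_cloud", ["video-analytics-vendor"],
              False, False, ["rtsp", "http"], True),
    IoTDevice("floor2-printer", "",
              ["confidential_organizational"], "local", [],
              True, True, ["ipp"], True),
]

if __name__ == "__main__":
    for record in (assess_device(d) for d in SAMPLE_INVENTORY):
        print(record["name"], record["decision"], record["score"])
        for f in record["findings"]:
            print("  -", f)
```

The decision logic is deliberately conservative: a device with default credentials or no update path that also handles personal or confidential organizational data is rejected outright, whereas a device with only manageable findings (an exposed service, stale components, a missing justification) is flagged for mitigation so that segmentation, patch plans, or documentation can be arranged before deployment.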

Enterprises deploy IoT devices for many reasons, hopefully to build efficiencies, cut costs, and improve the services they deliver. As the NIST report states, one agency may purchase an IoT device to monitor environmental conditions remotely, while another may network office equipment to increase productivity. The SP 800-213 draft provides insight into the recommendations necessary for federal agencies to securely buy and integrate IoT into federal information systems. This draft document is being released with other draft IoT publications: Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline; Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline; and Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government.