3 Immediate Steps an Enterprise Needs to Take to Limit IoT Attacks

By Charles Duckett | August 16, 2018

The Internet of Things (IoT), ranging from smart dishwashers to smart industrial lighting systems, has grown exponentially within the last few years and is not expected to slow anytime soon. According to Harald Bauer, IoT devices are expected to surge from around 7 billion devices in 2013 to 30 billion in 2020. This annual growth rate of around 15-20% is taking industries by storm.

These devices might come across as benign but are, in fact, extremely vulnerable vectors for attack. They increase the enterprise attack surface and open more access points for attackers. In early 2018, a smart fish tank, as harmless as that may sound, enabled threat actors to access a Las Vegas casino's network and move laterally within it. Neglecting even the smallest IoT device that has access to the overall network can subject the entire network or networks to attack. The responsibility for securing the enterprise, IoT devices included, falls squarely on the senior risk management professional within an organization. This can be a Chief Information Security Officer (CISO), Chief Technology Officer (CTO) or, in many cases, the senior information technology leader.

The leader must support and enforce the top three Center for Internet Security (CIS) controls to exhibit some degree of network integrity. Operating without these three security controls, or a variation of them, displays extreme negligence and puts the network at unreasonable risk.

The first control is to know what you have and where you have it: #1, inventory of authorized and non-authorized devices. Next is #2, inventory of authorized and non-authorized software. And #3 is to implement an appropriate secure configuration of the devices prior to connecting them to the network. These measures will greatly simplify IoT problems as they manifest and guide the company in its future IT-related decision-making.

IoT device adoption within the enterprise is becoming more widespread and is therefore providing more avenues for threat actors to access the enterprise. Concerns over IoT devices do not stop at their software or hardware, as companies are perpetually subject to attack through at-risk vendors with suspect supply chains. A suspect supply chain is a red alert for IoT devices, since tampering can provide an avenue for attack that can cripple a network. Taking an inventory of these devices makes it possible to prioritize at-risk devices and provides guidance for remediation. Managing the inventory has an added benefit: it yields a continuously updated ledger of all devices connected to the network, which provides a valuable perspective on possible consolidation moving forward.

Software security on a device is a grave concern since it can allow threat actors to take advantage of outdated or misappropriated software. It is the responsibility of the CISO to identify all software and decide whether it is still viable or not. Questions should be directed at whether this software receives updates and patches regularly. Neglecting these measures can result in a security gap vulnerable to attack. 

CISOs should respond to their newly made inventories by planning how the company can consolidate them without compromising the efficiency of the network. This plan will guide the CISO toward security-efficiency optimization. The plan should encompass a security posture that details tolerated risk, authorized and unauthorized inventories of software and devices, as well as how the network is configured regarding IoT connection.
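The three checks described above (device inventory, software inventory, configuration before connection) can be run as a single reconciliation pass. The following Python sketch is an added example, not code from the original article or from Domain5; the device ledger, the discovery export format, and the use of "default credentials changed" as a stand-in for a secure-configuration baseline are all constructed assumptions.

```python
import re

# Constructed sample data (not from the article): the authorized inventory,
# keyed by MAC address, with the firmware versions approved for each device.
AUTHORIZED = {
    "00:11:22:33:44:55": {"name": "lobby-thermostat", "firmware": {"2.4.1"}},
    "00:11:22:33:44:66": {"name": "dock-camera-01", "firmware": {"1.9.0", "1.9.1"}},
    "00:11:22:33:44:77": {"name": "hvac-controller", "firmware": {"5.0.2"}},
}

# Constructed discovery export: mac,ip,firmware,default_credentials_changed
OBSERVED = """\
00-11-22-33-44-55,10.20.0.11,2.4.1,yes
0011.2233.4466,10.20.0.12,1.7.3,yes
00:11:22:33:44:88,10.20.0.40,3.1.0,no
00:11:22:33:44:55,10.20.0.11,2.4.1,yes
"""

def normalize_mac(raw):
    """Reduce any common MAC notation to lower-case colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(observed_csv, authorized):
    """Return findings grouped by the three CIS controls the article names."""
    findings = {"unauthorized_device": [], "unapproved_software": [],
                "insecure_config": [], "not_seen": []}
    seen = set()
    for line in observed_csv.strip().splitlines():
        mac, ip, firmware, creds_changed = (f.strip() for f in line.split(","))
        mac = normalize_mac(mac)
        if mac in seen:          # same device reported twice by discovery
            continue
        seen.add(mac)
        entry = authorized.get(mac)
        if entry is None:                               # control #1
            findings["unauthorized_device"].append((mac, ip))
        elif firmware not in entry["firmware"]:         # control #2
            findings["unapproved_software"].append((entry["name"], firmware))
        if creds_changed.lower() != "yes":              # control #3 (assumed baseline)
            findings["insecure_config"].append((mac, ip))
    findings["not_seen"] = sorted(set(authorized) - seen)  # in ledger, not on network
    return findings

if __name__ == "__main__":
    for category, items in audit(OBSERVED, AUTHORIZED).items():
        print(category, items)
```

The `not_seen` list matters as much as the unauthorized one: a device in the ledger that discovery never observes is either retired, offline, or on a segment the scan does not reach.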

The challenge is daunting, but it is necessary. According to a recent survey, 82% of 603 companies are not able to identify all IoT and operational technology on their networks. In another survey, 47% of 320 cybersecurity professionals stated that they did not have measures to even detect attacks. This gap of pure ignorance can lead companies down a road of incessant attack from hidden vulnerabilities. A proper start to closing the gap is to conduct a risk assessment or a penetration test to identify vulnerable devices. It will also aid in prioritizing risk as well as compliance.

About Domain5: 

Domain5 is committed to providing support to companies at an effective return on cybersecurity investment (ROIC). This support includes a part-time chief information security officer that is flexible to any small business demand, large or small. Our support extends to risk assessment of current networks, information security, and compliance advice. Domain5 indivisibly recognizes the absolute necessity of maintaining cybersecurity awareness while simultaneously compensating for effective allocation of resources in any financial situation.
