By John Torres & Ron Chandler
The Internet-of-Things (IoT) revolution has certainly taken the “cyberspace” by storm. According to a Forbes article published last year, by 2025, approximately 80 billion devices will be connected to the Internet. To put that in perspective, approximately 11 billion devices were connected to the Internet in 2016. This figure is expected to nearly triple to 30 billion by 2020 and then nearly triple again to 80 billion five years later.
Newly manufactured devices today must be network-ready (hardwired and wireless, to include Bluetooth, Radio-frequency identification [RFID], etc.). This explosion of IoT devices has presented an uneasiness concerning information security (InfoSec), compliance and privacy within companies, as well as consumers who want to use these products confidently and ensure they are not introducing any new or expanded attack surface for malicious threats targeting their network(s) and critical information. Stories about the hacking of the Jeep Cherokee or St. Jude Medical devices have only escalated fears in the industry. Other articles highlight kitchen appliances as hackable devices to watch out for. What can be done in short order to address the risks?
Below are a few recommendations to help your IoT implementations become more risk-acceptable.
- Understand the manufacturer’s approach to security.
When purchasing IoT devices, make sure the sales or manufacturer representative can clearly outline the security precautions and disciplines they have used in creating the overall product. Conducting independent research regarding specific IoT vulnerabilities is well worth the effort as well.
- Plan and design for resilience.
If possible, make sure you segment your network by placing similar IoT devices in their own individual partition of your overall network. This will minimize downtime (due to software/firmware updates, maintenance, etc.) of your core business network as well as provide some level of resilience in case one of these devices becomes infected.
- Get your “lists” together.
You should have a listing of all your IoT devices and their associated technical DNA, such as IP address, Mac address, Operating System/Firmware version, ports open/closed and services enabled at a minimum. As many (if not all) cyber experts have said, “getting breached is not a matter of if, but when…” Having up-to-date lists will allow you or your Incident Response Team to triage, quarantine and resolve any breach-oriented issues.
- Alert on meaningful events.
One of the often-overlooked areas is how alerts are handled – whether they stem from IoT devices, HVAC, card readers or data loss prevention systems within a corporation. One of the greatest security benefits of including IoT devices within a company’s infrastructure is that it increases your ability to visualize potential risk more clearly by “combining” IoT events with other infrastructure events if done properly.
Integrating multiple types of IoT devices does not need to be an unpleasant exercise. With practical and forward-looking measures, you can position your network environment and business to be resilient to threats from the IoT layer while having a robust defensive and sustainable security posture.
Key points to remember:
- A proactive security posture will assist greatly in remediating IoT threats.
- More up-front data equals less downstream exposure.
- Layers of resilience will decrease downtime or breach potential.
- Have your workflows pre-positioned prior to an incident.
- Anticipate potential alerts before they occur.
ABOUT THE AUTHORS:
John Torres is the Chief Operating Officer for the Guidepost Solutions Security and Technology Consulting group and President of the Federal Practice, ensuring our security experts are leveraging cross-functional expertise to build best-in-class solutions. Previously, John was the Special Agent in Charge for Homeland Security Investigations in Washington, D.C. and Virginia. His background includes more than 27 years of experience providing investigative and security management for the U.S. Departments of Homeland Security and Department of Justice, including serving as the Acting Director and Deputy Director of U.S. Immigration and Customs Enforcement. John can be reached at jtorres@guidepostsolutions.com.
Ron Chandler, CISSP, is Vice President of Enterprise Solutions, for the Guidepost Solutions Security and Technology Consulting group. Ron has extensive enterprise security experience. Previously, he was the chief information security officer for a mobile banking startup within the financial services industry. His background includes more than 30 years of experience designing and implementing enterprise security systems; physical and information technology programs; and helping clients strategically build security into their corporate cultures and infrastructures. Ron can be reached at rchandler@guidepostsolutions.com.