The Internet of Things grows more massive with each passing year, as devices gain internet connectivity and impart new convenience on our lives – and in many cases new novelty. No matter if the “thing” in question is a manufacturing robot or a Brita that automatically reorders filters upon expiration, if it can receive instruction from and send data to the greater internet, then there’s an IT guy somewhere worrying about how it may expose his or her network.
This goes double for IT personnel in companies that make good use of IoT for work purposes, but bad use of IoT security by neglecting to factor in the network’s exposure. Addressing this idea is now part of IT’s list of responsibilities, and when creating a plan for how to walk the line between trusting IoT and being wary of it, multiple factors come into play. Thankfully, this part of the job is getting easier.
IoT is useful for countless industries, and its benefits far outweigh security risks in any circumstance. In healthcare, for example, IoT data is used to more deeply understand what conditions patients are in, and how practitioners should respond. Internet-connected devices that record patient outputs such as heartbeat, blood pressure, blood sugar levels and other biological metrics feed their data to centralized IT systems, telling hospital admins where frontline staff are most urgently needed, and how.
But IoTs vital role in cases like these is also its weakness. IoT boosts mobility in many business environments, so much so that security is something that it has always grappled with as an afterthought. For businesses, the advantages of IoT have meant securing these devices is a second step, and the world is slow to wake up to the careful security deliberation that IoT requires. Ransomware, for instance, used to be hardly considered a credible threat to networks.
Ransomware attacks on IoT devices were long thought of as low-value for hackers and therefore not a pertinent worry for IT, given that these devices had little to no information on them (mostly in the cloud). There are also so many types of IoT devices that the economics of hacking them doesn’t work in the hacker’s favor – it’s too expensive and not worthwhile. Besides, even those hacked would likely never pay the ransom, because IoT devices aren’t known for having screens that relay information (like a ransom note).
However low-value IoT devices used to be, they’re now ubiquitous and hold a lot of importance for critical business functions. Security implications have changed as well, as hackers have changed their strategy, and no longer seek to crack the devices for their data but to interrupt these functions and create urgency and the risk of lasting damage.
Take for example the IoT controller that adjusts how much of certain ingredients are added to drugs, an IoT-connected pacemaker, or a hacked power grid controller that determines electricity consumption for a small town. The ability to power these down or alter with their settings is dangerous enough to justify a ransom.
Traditionally weak entry points on IoT devices need to be shored up if we want IoT benefits to continue to outweigh its risks. However, most of the time patching is on the manufacturer, and low prevalence of hacks thus far has prevented manufacturers from acting with urgency, so companies using IoT devices are often unprotected from within and without.
The internal awareness isn’t there yet, with many IoT connections unencrypted when connecting to the network, offering hackers a way inside when the device relays to or receives info from the internet.
In the split second it takes for the device to grab data, hackers can slide in undetected and set up shop in an undefended company’s network. Hijacked or rogue IoT devices were present in over 46% of companies this year, according to a report on “shadow IoT” devices found on their corporate networks, demonstrating just how prevalent this dangerous exploit is.
Fortunately, most of the issues stemming from IoT come from how invisible they are on the network, and how unrestricted their permissions tend to be. IoT devices are easily discoverable by hackers, even using public resources like Shodan, so they must be at least this visible to internal IT teams as well.
The key to allowing IoT freedom to participate in the network but also to respect its boundaries resides in some of the components of a single solution – Secure Access Service Edge – which was introduced just last year and seems nearly purpose built for IoT.
SASE is a cloud-based networking and security product, unified in its functionality and present on the edge of an organization’s network. A foundation of SASE is software-defined networking ideas, which are more inclusive to a variety of devices connecting to the network because there is no hardware setup required, and cloud nativity to easily match the infrastructure of any ecosystem.
When an IoT device connects to the network, it will be easily visible in the cloud admin panel, but more importantly this identification also empowers IT to set identity-based access policies, which limit the extent to which specific parts of the network are exposed to these endpoints.
Enforcement is also about security and not just about how much attack surface is laid bare to IoT devices. Pushing all networking through a centralized, software-defined system also enables IT to demand all network connections happen through encrypted tunnels exclusively, so any IoT device (or company laptop, or mobile phone) that isn’t encrypted cannot connect to the network in the first place.
It also helps IT layer even more security on top of IoT devices, even solutions like SSO, so that password management across thousands of devices will finally be feasible (and safe).
The combination of visibility, network access restriction, and security enforcement for IoT devices gives SASE a winning use case, and it’s already making headway. Internets, whether world wide webs or “of Things”, are deep and murky. Companies pushing for maximum interoperability can be free to brave the IoT waters confidently with SASE to help them stay on course, and avoid the icebergs lurking out there for us all.