Ten best practices for securing the Internet of Things in your organization

A successful IoT deployment must consider proper cybersecurity at the outset. Here are some IoT security tips to get you started.
Written by Conner Forrest, Contributor

One of the biggest challenges with the Internet of Things (IoT) is the security headache that comes with it. This issue is exacerbated in the enterprise, where connected devices often control large, dangerous machines, or send and receive sensitive data.

While the IoT can bring new data and helpful insights, it also introduces new vulnerabilities into your organization. As such, it's critical that enterprises consider the security implications of an IoT deployment before moving forward.


Here are 10 best practices for businesses, schools, factories, and other organizations looking to improve their IoT security.

1. Understand your endpoints

Each new IoT endpoint introduced into a network brings a potential entry point for cybercriminals that must be addressed.

"IoT devices are likely to be built by numerous manufacturers, on multiple open source and proprietary operating systems, and have various levels of computing power, storage, and network throughput," wrote John Pironti, president and chief information risk strategist at IP Architects, in a paper published by ISACA. "Each IoT endpoint will need to be identified and profiled, added to an asset inventory, and monitored for their health and safety."

2. Track and manage your devices

Although it may sound simple, a good starting point with an IoT project is understanding exactly what connected devices are in the organization, and what they do, said Gartner research vice president Earl Perkins. However, it can be difficult to keep up with them all manually, so Perkins recommends rolling out an asset discovery, tracking, and management solution at the beginning of an IoT project.
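Practices 1 and 2 both come down to knowing which endpoints are on the network and what they are. The following is an added example, not code from the article or from any of the vendors quoted in it: it parses constructed network-lease log lines into a profiled asset inventory and reports devices that never went through onboarding. The log line format, the OUI-to-vendor table, the device names and the approved list are all constructed for illustration; a real deployment would feed it from DHCP or switch logs and the IEEE OUI registry.

```python
"""Added example (not from the article): build a profiled IoT asset inventory
from constructed lease-log lines and flag endpoints missing from the approved list.
"""
import re
from dataclasses import dataclass

# Constructed sample log: one line per DHCP lease. The format is assumed for this example.
SAMPLE_LEASES = """\
2024-03-01T08:00:01 lease 10.20.0.11 aa:bb:cc:10:00:01 hostname=cam-lobby-01
2024-03-01T08:00:05 lease 10.20.0.12 aa:bb:cc:10:00:02 hostname=cam-dock-03
2024-03-01T08:01:10 lease 10.20.0.40 dd:ee:ff:42:00:07 hostname=hvac-ctl-2
2024-03-01T08:02:33 lease 10.20.0.77 11:22:33:ab:cd:ef hostname=
2024-03-01T08:02:35 lease 10.20.0.77 11:22:33:ab:cd:ef hostname=
"""

# Constructed OUI prefix -> (vendor, device class) table; real lookups use the IEEE OUI registry.
OUI_TABLE = {
    "aa:bb:cc": ("ExampleCam Inc", "ip-camera"),
    "dd:ee:ff": ("ExampleHVAC", "building-control"),
}

# Constructed list of MAC addresses that have completed onboarding.
APPROVED = {"aa:bb:cc:10:00:01", "aa:bb:cc:10:00:02", "dd:ee:ff:42:00:07"}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) lease (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) hostname=(?P<host>\S*)$"
)


@dataclass
class Endpoint:
    mac: str
    ip: str
    hostname: str
    vendor: str
    device_class: str
    first_seen: str
    last_seen: str
    approved: bool


def profile(mac: str):
    """Profile a device by its OUI prefix; anything unknown is flagged as such."""
    return OUI_TABLE.get(mac[:8], ("unknown", "unknown"))


def build_inventory(log_text: str) -> dict:
    """Return {mac: Endpoint}, keeping first/last sighting per device."""
    inventory = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        mac = m["mac"].lower()
        if mac in inventory:
            inventory[mac].last_seen = m["ts"]
            inventory[mac].ip = m["ip"]
            continue
        vendor, device_class = profile(mac)
        inventory[mac] = Endpoint(
            mac=mac, ip=m["ip"], hostname=m["host"] or "(none)",
            vendor=vendor, device_class=device_class,
            first_seen=m["ts"], last_seen=m["ts"], approved=mac in APPROVED,
        )
    return inventory


def unapproved(inventory: dict) -> list:
    """MACs seen on the network that never went through onboarding."""
    return sorted(e.mac for e in inventory.values() if not e.approved)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LEASES)
    for e in inv.values():
        print(e)
    print("unapproved:", unapproved(inv))
```

The point of keeping `first_seen`/`last_seen` and the device class on each record is that the same table then drives the later practices: an endpoint with class `unknown` and no onboarding record is the one to investigate first.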

3. Identify what IT security cannot address

At a basic level, IoT deployments consist of two distinct parts: a physical aspect dealing with the actual connected device and its operation, and a cyber aspect that accounts for data collection and use, Perkins said. The cyber aspect can be addressed by IT security best practices, but the physical part might not be, as it often doesn't follow the same rules.

"Knowing when and how you must secure the physical element is going to be a major focus for many data-centric IT organizations, and usually requires engineers to assist," Perkins said.

4. Consider patching and remediation

Businesses must consider the IoT devices they are looking to implement in terms of their potential for patching and remediation, said Forrester Research senior analyst Merritt Maxim. "This is important, not just for security purposes, but there may be other business requirements where the code needs to be changed over time," Maxim said. "And some devices may have limited ability to actually do patching, or the patching may involve multiple user steps and may be more complex than users are able to do successfully."

5. Use a risk-driven strategy

Like many other technology deployments, an IoT project will require some triage when it comes to cybersecurity. Gartner's Perkins recommends that businesses utilize a risk-driven strategy, prioritizing critical assets in the IoT infrastructure. Looking at a given set of assets, Perkins said that IT leaders should seek to assign the greatest value and risk to given assets and secure them accordingly.

6. Perform testing and evaluation

Forrester's Maxim recommends performing some sort of penetration testing or device evaluation at the hardware or software level before deploying IoT devices. This could also include some sort of reverse engineering, depending on the use case, he added.

"These devices can have vulnerabilities, and you need to understand what they are before you put them out there in the hands of the public or your users," said Maxim. "Making sure that you've done some form of testing becomes important."

7. Change default passwords and credentials

While this advice may seem like common sense to many IT professionals, it's important to note that some IoT devices have vendor-supplied default passwords -- used to initially configure the devices -- that are difficult to change, or cannot be changed.

"Hackers can be aware of what that password is, and they can then use that to gain control of the device," Maxim said. "Passwords continue to be the weakest link, and that's really no different in the IoT case."
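One way to make practice 7 enforceable rather than advisory is to put the credential check into the onboarding step itself. The following is an added example, not code from the article or from any vendor it mentions: a device is admitted only if its credential is not a known vendor default and meets a length rule; if it is changeable, a random per-device password is issued; if the device cannot change its password (the hard case the article raises), it is admitted only into an isolated segment. The default-credential table, device records, field names and thresholds are all constructed for this example.

```python
"""Added example (not from the article): onboarding gate that refuses vendor
default credentials and issues random per-device passwords.
"""
import secrets
import string

# Constructed table of vendor-shipped (username, password) pairs, keyed by vendor.
# In practice this is compiled from the vendor documentation for each model in the inventory.
VENDOR_DEFAULTS = {
    "ExampleCam Inc": {("admin", "admin"), ("admin", "1234")},
    "ExampleHVAC": {("root", "root")},
}
MIN_PASSWORD_LENGTH = 16  # constructed policy value


def credential_findings(vendor: str, username: str, password: str) -> list:
    """Reasons the credential is unacceptable; empty list means it passes."""
    findings = []
    if (username, password) in VENDOR_DEFAULTS.get(vendor, set()):
        findings.append("vendor default credential still in use")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() == username.lower():
        findings.append("password equals username")
    return findings


def generate_password(length: int = 24) -> str:
    """Random per-device password from a CSPRNG (secrets), alphanumeric for device compatibility."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def onboard(device: dict) -> dict:
    """device: {"id", "vendor", "username", "password", "password_changeable"} (constructed schema).
    Returns the onboarding decision so it can be recorded against the asset inventory."""
    findings = credential_findings(device["vendor"], device["username"], device["password"])
    if not findings:
        return {"id": device["id"], "action": "admit", "findings": []}
    if not device["password_changeable"]:
        # Default that cannot be changed: admit only into an isolated segment and record why,
        # so the compensating control is visible in the inventory rather than forgotten.
        return {"id": device["id"], "action": "isolate", "findings": findings}
    return {
        "id": device["id"],
        "action": "rotate",
        "findings": findings,
        "new_password": generate_password(),  # to be pushed to the device and stored in the secrets vault
    }


if __name__ == "__main__":
    sample_devices = [  # constructed records
        {"id": "cam-lobby-01", "vendor": "ExampleCam Inc", "username": "admin",
         "password": "admin", "password_changeable": True},
        {"id": "hvac-ctl-2", "vendor": "ExampleHVAC", "username": "root",
         "password": "root", "password_changeable": False},
    ]
    for d in sample_devices:
        print(onboard(d))
```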

8. Look at the data

Understanding the way an IoT device interacts with data is crucial to securing it. Businesses should look at data generated by their devices to determine whether it's in a standard format, or in a structure that can be easily utilized by the organization to identify anomalous activity so it can be acted on, Maxim said.

IP Architects' Pironti noted in his report that businesses should also be wary of IoT devices' use of nonpublic personal information (NPPI) or personally identifiable information (PII). "This data has the potential to be used by adversaries to gain intelligence about an individual or organization as well as itself being vulnerable to exploitation," Pironti wrote.
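Practice 8 has two halves: get device data into a usable standard form, and then look at it for anomalies, including data the device should not be emitting at all. The following is an added example, not code from the article or from Pironti's paper: two constructed vendor telemetry formats (JSON lines and key=value lines) are normalised into one record schema, and the records are then checked for out-of-range readings, message bursts, and fields that carry personal data. The formats, device names, operating limits, rate threshold and key list are all constructed for this example.

```python
"""Added example (not from the article): normalise multi-vendor IoT telemetry
into one schema and flag anomalies, including personal data in the stream.
"""
import json
from collections import defaultdict

# Constructed sample: vendor A emits one JSON object per line.
VENDOR_A_LINES = [
    '{"dev": "cam-lobby-01", "t": "2024-03-01T08:00:00Z", "temp_c": 41.2, "fps": 25}',
    '{"dev": "cam-lobby-01", "t": "2024-03-01T08:00:30Z", "temp_c": 88.0, "fps": 25}',
]
# Constructed sample: vendor B emits space-separated key=value pairs.
VENDOR_B_LINES = [
    "id=hvac-ctl-2 ts=2024-03-01T08:00:00Z temp_c=21.5 operator_email=jane@example.com",
    "id=hvac-ctl-2 ts=2024-03-01T08:00:10Z temp_c=21.6",
    "id=hvac-ctl-2 ts=2024-03-01T08:00:20Z temp_c=21.6",
    "id=hvac-ctl-2 ts=2024-03-01T08:00:30Z temp_c=21.7",
    "id=hvac-ctl-2 ts=2024-03-01T08:00:40Z temp_c=21.7",
    "id=hvac-ctl-2 ts=2024-03-01T08:00:50Z temp_c=21.8",
]

EXPECTED_RANGES = {"temp_c": (-10.0, 60.0), "fps": (0.0, 60.0)}  # constructed operating limits
MAX_MESSAGES_PER_MINUTE = 5                                       # constructed rate limit
PERSONAL_DATA_KEYS = {"email", "operator_email", "phone", "name", "ssn"}  # constructed watch list


def to_record(device: str, ts: str, fields: dict) -> dict:
    """Common schema: numeric metrics in one map, every other field kept separately."""
    metrics, other = {}, {}
    for key, value in fields.items():
        try:
            metrics[key] = float(value)
        except (TypeError, ValueError):
            other[key] = value
    return {"device": device, "ts": ts, "metrics": metrics, "other": other}


def parse_vendor_a(line: str) -> dict:
    obj = json.loads(line)
    device, ts = obj.pop("dev"), obj.pop("t")
    return to_record(device, ts, obj)


def parse_vendor_b(line: str) -> dict:
    fields = dict(pair.split("=", 1) for pair in line.split())
    device, ts = fields.pop("id"), fields.pop("ts")
    return to_record(device, ts, fields)


def normalize(lines_a: list, lines_b: list) -> list:
    return [parse_vendor_a(line) for line in lines_a] + [parse_vendor_b(line) for line in lines_b]


def find_anomalies(records: list) -> list:
    """Return (device, reason) pairs for range violations, personal data fields and bursts."""
    anomalies = []
    per_minute = defaultdict(int)
    for r in records:
        for key, value in r["metrics"].items():
            lo, hi = EXPECTED_RANGES.get(key, (float("-inf"), float("inf")))
            if not lo <= value <= hi:
                anomalies.append((r["device"], f"{key}={value} outside [{lo}, {hi}]"))
        for key in r["other"]:
            if key in PERSONAL_DATA_KEYS:
                anomalies.append((r["device"], f"personal data field '{key}' in telemetry"))
        per_minute[(r["device"], r["ts"][:16])] += 1  # bucket by minute (YYYY-MM-DDTHH:MM)
    for (device, minute), count in per_minute.items():
        if count > MAX_MESSAGES_PER_MINUTE:
            anomalies.append((device, f"{count} messages in minute {minute} (limit {MAX_MESSAGES_PER_MINUTE})"))
    return anomalies


if __name__ == "__main__":
    for finding in find_anomalies(normalize(VENDOR_A_LINES, VENDOR_B_LINES)):
        print(finding)
```

Once every vendor's output lands in the same `{device, ts, metrics, other}` shape, the checks are written once; the `other` map is where unexpected non-numeric fields such as an operator's e-mail address surface, which is the NPPI/PII concern in the paragraph above.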

9. Rely on up-to-date encryption protocols

Businesses should encrypt the data moving in and out of their IoT devices, relying on the strongest available encryption and a strategy that seeks to future-proof the organization against change.

"Crypto is only as strong as how it is implemented, and if it's poorly implemented with older protocols that are known to be vulnerable, or will be more vulnerable in the future, that's an issue," noted Maxim.
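Maxim's point is about implementation, not just algorithm choice: a device that speaks TLS but skips certificate verification or accepts old protocol versions gets little from the encryption. The following is an added example, not code from the article or from any product it mentions, using Python's standard `ssl` module: a deliberately weak client configuration of the kind often found in device firmware sits beside a hardened one, and an audit function reports which of these concerns apply to a given context. The finding strings and the legacy cipher name list are constructed for this example.

```python
"""Added example (not from the article): weak vs hardened TLS client
configuration, plus an audit of the settings that matter.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Shortcut commonly seen in device code: encrypt, but do not verify who you talk to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a forged one, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the peer, pin the floor at TLS 1.2, and allow only forward-secret AEAD suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


LEGACY_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5")  # constructed list of names to reject


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes this audit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions older than TLS 1.2")
    legacy = [c["name"] for c in ctx.get_ciphers()
              if any(marker in c["name"] for marker in LEGACY_CIPHER_MARKERS)]
    if legacy:
        findings.append("legacy cipher suites enabled: " + ", ".join(legacy))
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Running the audit against a device's actual connection code (or against a captured handshake) is a concrete version of the "testing and evaluation" the article recommends, and the `minimum_version` floor is the future-proofing lever: raising it later is a one-line change rather than a protocol migration.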

10. Move from device-level control to identity-level control

As more IoT devices offer the ability to connect multiple users to a single device, the focus of security should shift to identity-level control, Maxim said. Authentication helps an organization better understand how each user is accessing the device, which in turn helps business owners understand patterns of use and gather more contextual data. It can also help protect the devices against vulnerabilities and improper use.
