The IoT Threat Can Be Tamed with Internal Communication

Internet of Things devices have taken the enterprise by surprise. But communication and understanding can help to mitigate the rising risks around IoT


The smart house today is chock-full of Internet of Things (IoT) devices, from refrigerators and microwaves to thermostats and televisions. But what about the smart company? Enterprises have far more IoT devices than any residence and, of much greater concern, rarely a single person who knows about them all. For horror movie fans out there, this is when the spooky music starts.

But this movie can have a happy ending. Getting there requires a lot of communication and an awareness of IoT's security implications.

The IoT security problem began because of the innocuous nature of many IoT devices' predecessors, such as lightbulbs and door locks. When maintenance or facility managers ordered those devices in years past, they never needed any IT approval, so it's understandable that they don't seek such permission for the IoT versions of those devices.

The IoT versions, however, can communicate with their manufacturers and receive transmissions from them, such as patches or upgrades. When that traffic rides the company's LAN it can be monitored, provided IT knows what to look for. But some of these devices carry their own radios and connect over cellular or other wireless links, so their traffic never touches the LAN and cannot be monitored there. Those unmonitored channels are what an attacker can hijack, and that is what makes the IoT security problem concrete.

Bindu Sundaresan, practice lead for AT&T Security Consulting, pointed to these devices' harmless history, and the traditionally separate functions of IT and operational technology (OT), as key reasons this threat has caught many enterprise CISOs, CSOs, and CIOs off guard.

"With the types of threats we’re seeing, IoT devices are part of the network. They’ve never been thought about from a security point of view," she says.

Companies typically view lightbulbs, door locks, or shop floor sensors from a purely functional perspective. As such, says Sundaresan, they are generally not included as part of the overall risk profile. “They were viewed purely from a functionality standpoint: 'Is it helping me perform a business function?'" she says.

This helps explain why CFOs aren’t pushing for line items for security for what traditionally have been simple facilities purchases.

"Most IoT security projects have a hard time getting funded," Sundaresan says. "There’s no sense of urgency there."

Another IoT priority is understanding the nature—and the likelihood—of data exposure from each IoT device. That needs to be a critical part of the risk assessment.

"We approach it from a data lifecycle angle," Sundaresan says. "Find out how an IoT device is working within a business process, and understand what data is going through it. Know which ones have the greatest chance of exposing your data. Not every IoT device is a data risk. Consider smart rat traps. With those, we don’t really care about that data."

Sometimes, though, direct data access is not the issue. If the IoT device has an IP address and is authorized to ride your network, it can serve an attacker as a weakly secured foothold from which to reach far more critical systems on that network. Let's not forget that the huge 2013 data breach at Target started with credentials stolen from an air conditioning contractor that had been given network access.

"Start with the data conversation. Then with how the network is architected. Can [an attacker] get into the larger network if IoT is compromised?" Sundaresan says. "That’s why there are so many vulnerability scans."
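The two points above, that IoT traffic riding the LAN can be tracked if IT knows what to look for, and that a compromised IoT device can become a path into the larger network, as an added example. This is illustrative code written for this page, not code from the article or from AT&T. It assumes a DHCP lease table, a short list of vendor OUIs, a per-vendor list of expected update hosts, a "crown jewel" subnet and a flow log; every address, MAC, OUI and log line is constructed for the example.

```python
"""Added example (not from the article or AT&T): find IoT devices on the LAN
from DHCP leases, record where they phone home, and flag any IoT host that
reaches a sensitive subnet. All addresses, MACs, OUIs and log lines below are
constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed OUI (first three MAC bytes) -> vendor label. A real inventory
# would load a maintained OUI database; these values are placeholders.
IOT_OUIS = {
    "AA:BB:C1": "smart-thermostat-vendor",
    "AA:BB:C2": "door-lock-vendor",
}

# Constructed: external hosts each vendor is expected to contact for updates.
EXPECTED_PHONE_HOME = {
    "smart-thermostat-vendor": {"203.0.113.10"},
    "door-lock-vendor": {"198.51.100.7"},
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Constructed: where the systems an attacker would pivot toward live.
CROWN_JEWELS = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed DHCP lease table: ip -> mac
LEASES = {
    "10.10.20.15": "aa:bb:c1:12:34:56",  # thermostat
    "10.10.20.16": "aa:bb:c2:99:88:77",  # door lock controller
    "10.10.20.40": "00:11:22:33:44:55",  # employee laptop, not IoT
}

# Constructed flow records: "ts src dst dport proto" (Zeek/NetFlow-like)
FLOWS = """\
1520000000 10.10.20.15 203.0.113.10 443 tcp
1520000001 10.10.20.15 10.10.50.8 445 tcp
1520000002 10.10.20.16 198.51.100.7 8883 tcp
1520000003 10.10.20.40 10.10.50.8 443 tcp
1520000004 10.10.20.16 10.10.20.17 80 tcp
1520000005 10.10.20.15 192.0.2.55 443 tcp
"""


def classify(ip):
    """Vendor label if the IP's leased MAC carries a known IoT OUI, else None."""
    mac = LEASES.get(ip)
    if mac is None:
        return None
    return IOT_OUIS.get(mac.upper()[:8])


def parse_flows(text):
    """Parse the constructed flow format into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        rows.append({"ts": int(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto})
    return rows


def analyze(flows):
    """Return three findings about IoT-sourced traffic.

    phone_home: {iot_ip: set(external dst)}  every external peer, so IT can
                see the manufacturer traffic that rides the LAN
    unexpected: [(iot_ip, dst)]  external peers not on the vendor's expected list
    lateral:    [(iot_ip, dst, dport)]  IoT hosts reaching crown-jewel subnets,
                i.e. the pivot path that segmentation should close
    """
    phone_home = defaultdict(set)
    unexpected = []
    lateral = []
    for f in flows:
        vendor = classify(f["src"])
        if vendor is None:
            continue  # only IoT-sourced flows matter here
        dst = ipaddress.ip_address(f["dst"])
        if dst not in INTERNAL:
            phone_home[f["src"]].add(f["dst"])
            if f["dst"] not in EXPECTED_PHONE_HOME.get(vendor, set()):
                unexpected.append((f["src"], f["dst"]))
        elif any(dst in net for net in CROWN_JEWELS):
            lateral.append((f["src"], f["dst"], f["dport"]))
    return dict(phone_home), unexpected, lateral


if __name__ == "__main__":
    ph, unexp, lat = analyze(parse_flows(FLOWS))
    for ip, peers in ph.items():
        print(f"{ip} ({classify(ip)}) talks to {sorted(peers)}")
    for ip, dst in unexp:
        print(f"UNEXPECTED external peer: {ip} -> {dst}")
    for ip, dst, port in lat:
        print(f"PIVOT RISK: {ip} ({classify(ip)}) reached {dst}:{port}")
```

On the constructed data the thermostat shows up twice: once for contacting an external host its vendor does not normally use, and once for reaching a host on the crown-jewel subnet over port 445. The laptop's connection to the same subnet is ignored, because this check is only about devices that should never have a route there; a real deployment would feed it from the DHCP server and a flow collector, and turn the lateral findings into firewall rules between the IoT segment and everything else.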

Unfortunately, no single technology solution can—on its own—negate all IoT security problems.

"Any policy has to go hand in hand with IT and OT," Sundaresan says. "We see that divide quite a bit."

Closing the divide requires IT and security teams to work more closely with all departments involved in OT and IoT purchasing. Opening those lines of communication is a critical first step in identifying the potential risk of IoT – and then creating the policies needed to help reduce that risk.

AT&T offers guidance and specialization to assist enterprises with shoring up defenses and developing an IoT security strategy. Find out more at AT&T IoT security.

Copyright © 2018 IDG Communications, Inc.