Keeping endpoint IoT devices is still an uphill battle for many IT departments, and cybercriminals know it. How can you protect your edge?
For the past five years, pundits have lauded the benefits of zero-trust networks, observability and other IT that can secure the enterprise and its edge.
SEE: Don’t curb your enthusiasm: Trends and challenges in edge computing (TechRepublic)
As more Internet of Things technology gets deployed, buttoning down security at the device level remains a major challenge. Here are six IoT device security challenges and what you can do to address them.
Top 6 IoT device security problems and their solutions
1. IoT device makers don’t prioritize security
IoT is vulnerable to security attacks because many IoT device manufacturers fail to install adequate security on their devices. Many of these devices have been developed by startup companies that are focused on getting their offerings quickly to market, even if security and governance are skipped.
This rush to market coincides with the fact that the IoT device space has also been largely a commodity-driven market. In this environment, it’s tempting for corporate purchasing and IT departments to opt for least-cost solutions where security is an afterthought.
Solution: RFPs issued to IoT vendors should include a specific section on security. What types of security come with these devices? How often is security updated? Is security easy to configure? Have devices been tested and/or certified for industrial-strength security?
2. IT forgets about device security checks
IT faces constant pressure to get projects up and running quickly. In the IoT world, projects can be as simple as installing temperature sensors in buildings or as complex as outfitting and installing an entire manufacturing production line with IoT.
As these installations progress, IoT devices are tested for functionality and integration, but there is a tendency to overlook the security defaults on each device. Since IoT device makers typically set very low levels of security on their devices, a failure on IT’s part to check and adjust device security can inadvertently lead to easy targets for cybercriminals to penetrate.
Solution: IT should develop a formal IoT installation procedure that includes checking security settings on incoming IoT devices and then calibrating device security settings to company standards before any IoT devices are deployed in production.
3. Lack of IoT visibility
According to Armis, 67% of enterprises in North America have experienced an IoT security incident, but only 16% of enterprise security managers say they have adequate visibility of their IoT devices.
With malware and ransomware attacks on the rise, this lack of visibility can result from IoT devices being installed by end users and others without IT’s knowledge, or it could result from installed devices being moved from place to place.
Solution: Asset tracking and management software should be installed on the network. This software tracks all IoT endpoints. Asset tracking software can also discover whenever an endpoint device is added or subtracted on the network and then alert IT.
4. Device software updates are not timely executed
Security updates occur continuously for almost every type of IoT device that an organization uses, so keeping track of security for a myriad of different smartphones, cameras, sensors and routers can be daunting. You don’t want to miss updates, because most updates are patches for security vulnerabilities that IoT vendors have found.
Solution: IT can automate the device software update process with commercial software that does this task. Security updates — and any potential adverse impacts they might have — must be promptly reviewed and planned for by IT before any automated updates are triggered, as software updates can inadvertently introduce new software bugs that can impair network and device performance.
In this way, IT can be prepared for whatever fixes or intervention might be needed for the new update, or it can determine to wait until the update software gets corrected. The goal in all cases is to ensure that security updates to edge devices are installed quickly, safely and without causing disruption.
5. End IoT devices are improperly used or lost
With more employees working from home or in the field, there can be a tendency for employees to get careless with their devices. Millions of smartphones are lost each year, according to rocketwise. When smartphones are lost or misplaced, bad actors can acquire these devices to steal data and intellectual property.
Solution: Encrypt all data that is stored on a smartphone or other IoT device with storage capability. Make these devices “thin clients” that process data but only store the data on the company cloud.
6. Physical premises are left unsecured
As more IoT moves to the edges of enterprises, it’s up to end users to make sure that this IoT is physically protected and secured.
In manufacturing plants, the risk is that robots and other automated IoT are not left out in the open when they are not in use so that anyone can physically access them.
Solution: Locked cages should be constructed for the storage of physical IoT equipment in edge environments when the equipment is not in use. Only authorized personnel should be given the access codes for these physical cages.
This physical asset security is very similar to what you would use in the corporate data center. IT should ensure this level of physical lockdown security is in place because of the data center and sensitive asset protection experience that IT has.