The challenge of managing and securing IoT devices in the enterprise [Q&A]
Internet of Things devices are making their way into more and more areas of our lives. But while they offer many benefits, they also present businesses with a problem when it comes to managing and securing them.
An ever-widening range of devices now have connectivity that may be off the radar of company IT and cybersecurity teams. We spoke to Roy Dagan, CEO of SecuriThings, to discuss the issue and how enterprises can tackle it.
BN: What are the major challenges companies face with managing and securing IoT devices?
RD: Managing the stack of IoT devices in a large organization is a huge challenge today. From access control systems to cameras to building management systems, organizations often have a multitude of connected devices -- thousands, sometimes tens of thousands -- running on various networks with no way to ensure they are operational and secure.
To add to the complexity, the devices often come from different vendors with different firmware versions, and integrate with a number of third-party systems. This puts a lot of pressure on operations teams to ensure that each individual device is running properly, secure, and up to date with the latest firmware/software. And most of this work is done manually today, which can't scale for large organizations and therefore is a strain on resources.
This ends up putting organizations and their operations at risk, and drives up maintenance costs.
The bottom line is there's a solution for virtually every IT use case and problem out there. By contrast, there’s been a lack of investment in similar software standards for IoT.
BN: Who's responsible for managing/securing physical IoT devices in an enterprise? Is it IT, security teams?
RD: Traditionally, IT departments have been responsible for the purchase, deployment, and management of IT devices and systems. However, IoT devices -- more specifically, physical security devices and their associated management systems -- are largely procured by physical security teams. That’s because these devices are generally related to the activities involved with managing technical and physical support for high-security areas, security equipment, and security systems. Physical security teams’ duties involve the installation, use, and maintenance of security equipment, such as IP cameras, access control devices, video management platforms, building management functions, and more.
While the operational management of these devices may at times fall under IT’s responsibility, these devices are often left by the wayside because IT and physical security teams have no practical way to monitor and maintain them from an operational and security standpoint. Company security policies for other IT devices may include automated password rotation schedules, firmware upgrades, and certificate management -- but these standards are not typically in place for IoT devices.
For example, an organization may require an IoT device to have a password rotation every 90 days, with the password made up of at least 14 characters that include uppercase letters, lowercase letters, numbers, and special characters. Now imagine scaling this activity for a fleet of thousands of devices across multiple management systems, without an automated process.
Interestingly, we're also seeing the rise of a practice called IoTOps within organizations that have a large IoT footprint. IoTOps encompasses all operational teams that are accountable for the deployment of IoT devices, their availability and their cyber security. These teams are responsible for monitoring the device status, directing technicians, defining and implementing organizational policies, resolving operational issues, overseeing upgrades, and more. We can categorize the capabilities required for IoTOps in three buckets:
- Cyber security
- Operational management
- Automated operations
These capabilities are critical for IoT-based organizations and for the IoT teams within these organizations.
BN: What best practices can companies adopt to rein in their IoT physical device stack and ensure devices are secure and operational?
RD: First, gain full visibility into your device ecosystem. Nearly two-thirds of organizations lack insight into their device stack. This will help speed up issue identification, time to diagnose and resolution time. It’ll make it clear to physical security teams which devices are up and running, which are down, which devices need updated firmware, and more. Without this basic information, it’s impossible to efficiently maintain, update, and secure devices.
Second, ensure an optimal firmware path is being utilized to avoid introducing any vulnerabilities. IoT devices can stop functioning and/or become vulnerable due to outdated firmware versions; they are more susceptible to failures and security breaches.
Third, ensure passwords are rotated on a regular basis, and that it's part of company policy. Many companies will keep factory set passwords, which creates an entry point for bad actors. The reality is IoT devices can become vulnerable due to default, short, shared and unchanged passwords, making them more susceptible to a security breach. To mitigate risk, organizations should implement a password rotation policy. Any devices non-compliant with the password policy should be immediately identified so physical security teams can rotate the passwords.
Fourth, track your devices' end of life to plan ahead and upgrade and replace as needed. End of life doesn't always mean the devices don't work, however. It can mean that there are better models available or simply that the device is no longer supported by the manufacturer. Whichever is the case, it's important to understand what that means for your specific devices and act accordingly. Having outdated equipment can introduce vulnerabilities into your IoT device ecosystem.
Lastly, practice knowledge sharing within your teams and introduce ongoing training programs.