Providing security around Internet of Things (IoT) devices has always been hard, but upcoming 5G rollouts are going to complicate IoT security far more.
For starters, IoT means two things to CISOs and CSOs. First, the IoT devices need to be protected from attackers trying to take over the devices and then use them either as a convenient backdoor to your network or as an active attack tool. Specifically, it would be an attacker that your systems will initially identify as a trusted ally. That’s a bad combo.
Due to a wide range of reasons (some evil, some merely employees unintentionally violating policies and procedures), most CIOs and CISOs have very limited visibility into IoT devices. To state the obvious, you can’t protect what you don’t know about and it’s harder to fight an attacker who has taken over a trusted device that neither of your teams knew existed.
Let’s talk internal policy problems. We continue to get frequent reports of departments that are not used to interacting with IT or Security much—think Facilities, Building Operations and Maintenance as the most obvious examples—but are buying IoT devices. Facilities, for example, may have a multi-decade history of buying and installing door locks without checking in with Security or IT, and Maintenance likely has a similar history when it comes to purchasing lightbulbs. When lightbulbs and door locks morphed into IoT devices, many of those departments didn’t change their purchasing procedures and they often didn’t even do any testing.
The Nature Of IoT Devices
Add to that the very nature of IoT devices. Most are coded to communicate with their mothership, for innocuous things like code updates or patches. Those communications are typically unmonitored. Even worse, some of these IoT devices have independent antennae, which allow the devices to perform two-way communications without that traffic appearing on even the strictest systems tracking the LAN and WAN. The antennae allow the devices to fully bypass your network. Think cyberthieves could perhaps make use of such powerful devices?
Even worse, a hijacked set of IoT lightbulbs could exfiltrate data without anyone noticing, by making minute changes in the bulbs’ brightness in a specific pattern that someone in the parking lot—watching predetermined windows—could capture and later analyze.
That Which Is Seen Versus Unseen
This brings us to the seen/unseen reality. Devices that IT/Security is aware of get treated like a trusted unit with network privileges. And devices that IT/Security does not know about get ignored completely. From a security standpoint, both situations are potentially equally disastrous, just in different ways.
On top of all this, enterprises have to deal with the ever-present Shadow IT nightmare, where workgroups and even individual employees/contractors will get tired of waiting for IT to act and will independently go and purchase consumer-grade IoT devices and will use the devices without anyone’s knowledge/approval.
Then there are always the unintended IoT glitches. A major British financial institution recently was performing routine penetration testing and happened to be examining one network. It accidentally hit on a trigger URL and all of the building’s locks dropped into the open position.
IoT Device Age
Another issue is the age of an IoT device. Many IoT manufacturers will abandon IoT devices after about 4-5 years of performance. At that point, they no longer get security updates and are absolutely ripe for an attacker to find and take over that unit. Once orphaned, those devices sit in your network forever—or until someone in Security/IT discovers them, hopefully before the Bad Guys do.
The best way to deal with all of these IoT issues is to apply the Zero Trust model to anything and everything in the network. Then apply a continuous authentication model to establish a norm: the activities and communications that represent each device’s pattern for safe operations. The system then continuously tracks those devices and flags any deviations in behavior.
Even if the IoT device is passive and silent for an extended period, eventually it will try and do something, which is when it will be detected by a continuous authentication system fine-tuned to watch for IoT devices.
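The baseline-then-flag approach described above can be shown in code. This is an added example, not code from the article or from any product; the device names, destinations and the threshold rule (mean plus three standard deviations, with a 50% floor) are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-period flows: (device, destination, port, bytes_out).
LEARNING = [
    ("bulb-01", "updates.vendor.example", 443, 1200),
    ("bulb-01", "updates.vendor.example", 443, 1100),
    ("bulb-01", "updates.vendor.example", 443, 1300),
    ("lock-07", "cloud.lockvendor.example", 8883, 400),
    ("lock-07", "cloud.lockvendor.example", 8883, 420),
    ("lock-07", "cloud.lockvendor.example", 8883, 380),
]

def build_baseline(flows, inventory=()):
    """Per-device norm: allowed (destination, port) pairs and a byte limit."""
    seen = defaultdict(lambda: {"peers": set(), "sizes": []})
    for dev in inventory:           # known but silent devices get an empty norm
        seen[dev]
    for dev, dst, port, size in flows:
        seen[dev]["peers"].add((dst, port))
        seen[dev]["sizes"].append(size)
    baseline = {}
    for dev, d in seen.items():
        sizes = d["sizes"]
        avg = mean(sizes) if sizes else 0.0
        sd = pstdev(sizes) if sizes else 0.0
        # Assumed rule: mean + 3 sigma, floored at 150% of the mean so a
        # very steady device does not flag on every small variation.
        baseline[dev] = {"peers": d["peers"],
                         "limit": max(avg + 3 * sd, avg * 1.5)}
    return baseline

def check_flow(baseline, flow):
    """Return the deviations for one observed flow (empty list = normal)."""
    dev, dst, port, size = flow
    if dev not in baseline:
        return ["unknown-device"]   # zero trust: neither trusted nor ignored
    norm, findings = baseline[dev], []
    if (dst, port) not in norm["peers"]:
        findings.append("new-destination")
    if size > norm["limit"]:
        findings.append("volume-spike")
    return findings
```

A device that is in the inventory but stayed silent during learning has an empty norm, so its first flow is flagged as soon as it speaks.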
5G IoT Issues
As difficult as it is to master security with IoT devices, the upcoming 5G rollout is going to make it even more challenging. As 5G rollouts hit different geographies, they will enable far more communications with remote areas that today have severe communication challenges. By being able to extend bandwidth to these locations, a dramatic increase in the number of data centers is expected, with each one needing protection from/for tiny IoT devices. Consider what it will mean for your enterprise when today’s 10,000 devices per square mile becomes hundreds of thousands—or more—for that same footprint.
Then there are hardware considerations. 5G speed is going to make many current devices run hot. More specifically, their chipsets/CPUs are likely not to be able to stand that much heat.
IoT enterprise systems can be dealt with from a security perspective, but it’s best to put the new monitoring systems into place today—to try and get ahead of the next disaster.