Building a Security Framework for Enterprise IoT
Connected devices and the Internet of Things (IoT) promise to help enterprises and industrial organizations become more innovative, productive and cost-effective. But it’s no secret that IoT security hasn’t kept up with the pace of innovation.
A security breach of an IoT system can lead to disruption of industrial processes or enterprise operations, theft of sensitive data, threats to physical safety, disruption of critical infrastructure like nuclear reactors, dams or the power grid, or many other consequences. Organized criminals, nation-states and other external attackers make for picture-perfect villains, but employees and contractors also may be motivated to cause harm or profit improperly.
Securing an IoT system is complex. The attack surface is broader than with most other enterprise IT systems, and many of the technologies are new. Large numbers of potentially vulnerable devices are connected to different types of wired and wireless networks, and those devices continuously send data back and forth across public and private networks.
Securing IoT systems is a shared responsibility among the device manufacturers, software developers, service providers, and the businesses, industrial or public-sector organizations that buy and deploy IoT systems.
As you develop an IoT system for your organization, you also need to establish a security framework. Here are steps to get started:
- Assess the risks as part of the strategic plan. Risk varies significantly depending on your IoT use case. Get a clear understanding of the threats facing your IoT system—connected devices, networks, applications and cloud services—and how an attacker might compromise it. Determine the consequences of business disruption, breach or other malicious activity. Prioritize these risks and develop security measures based on the potential impacts. Work closely with your stakeholders across lines of business, operational technology and information technology. It’s a team effort.
- Secure the connected devices. It’s a lot easier to reduce potential disruptions in the design phase by buying securely designed devices, but it’s not always possible. Understand how much security is built into the device. It may have strong embedded encryption—or it may have a USB port, or the administrative password might be “password,” providing an open invitation for misuse and abuse. Connected devices are typically designed to be low-cost and built for a single purpose—not with security first and foremost. They often have limited memory and computing power, which means they can’t be protected by traditional endpoint security. They’re often deployed where they’re physically accessible, which increases the risk of tampering. Enforce appropriate authentication and authorization for all devices. Make sure you have a reliable way to identify all devices that are connected to the network in real time, and if a device begins to behave suspiciously, have a way to immediately remove it from the network.
- Develop a plan for security updates. Vulnerabilities will likely be discovered after you have deployed the connected devices, IoT gateways and other systems in the field. You will need a way to patch devices or push out security updates. If the device cannot be updated, understand the risks of leaving a vulnerable device in place.
- Secure the connections. Consider whether continuous connectivity is necessary, given your use case and risk tolerance. Direct Internet connections may not be necessary, especially in industrial settings. Instead, the devices may connect to a local network that can aggregate and evaluate critical information. Make sure you can disable network connections when needed or enable selective connectivity. Use encryption to protect data in transit wherever possible.
- Enforce strong data security and privacy. Data from connected devices, once aggregated, can reveal sensitive patterns or hidden information. Follow best practices to protect sensitive information and maintain compliance with data privacy laws and your corporate policies. Sensitive information should be properly encrypted, at rest as well as in transit.
- Understand risks from your IoT supply chain. Know your supply chain partners—and work to understand any vulnerabilities associated with the hardware and software in your IoT deployment. This can be difficult, as IoT developers and manufacturers rely on other vendor partners for hardware and software components.
- Build on proven security practices. The good news is that you’re not starting from scratch. IoT security stands on the shoulders of traditional IT and network security. Follow security practices common in your industry as well as IT security best practices, such as a “zero-trust” model. Plan for the worst, and make sure you have a way to respond to compromises, attackers and malware. Keep in mind that IoT systems are evolving, and new protection technologies—and attack methods—will emerge. Determine whether you can upgrade your existing systems or need new devices.
We’re in the early days of enterprise IoT security, and a lot of innovative work is happening in the public and private sectors. The Industrial Internet Consortium published a cross-industry security framework that details vision, experience and best practices. W3C has created a Web of Things Security Framework. The Open Web Application Security Project (OWASP) also provides resources to the IoT community understand the issues so they can make better security decisions. The Department of Homeland Security has also issued guidance for securing IoT systems.
Stay tuned! We’ll go into greater detail on security for devices, connections and data in subsequent blogs.