
NSCAM: Organisational cyber hygiene and the Internet of Things


The Internet of Things (IoT) has transformed how we live and work around the globe. From baby monitors and home security cameras to wearable fitness trackers, smart vehicles, smart power grids and, in recent years, even the emergence of smart cities. What was the Internet of Things is now more like the Internet of Everything if you take a moment to consider just how extensive it has become.

Since October is European Cybersecurity Awareness Month, with themes including cyber hygiene and emerging technologies, I decided this was a perfect opportunity to examine IoT devices, the security threats they pose, and the ways in which organizations can take advantage of the convenience and efficiency they offer in a secure manner with a strong IoT governance strategy.

But first, let’s take a moment to set the stage and explain why such a strategy is necessary.

Experts estimate that there are over 30 billion IoT devices in use today. With the massive adoption and expansion of connected devices also comes risk. The technology powering IoT devices is still young and rather immature and unregulated.

While IoT devices may have processors—and some even have human interface elements (e.g., touchscreen, keyboard)—they’re not necessarily computers. Computers can be governed by a variety of tools (e.g., firewalls, anti-malware systems) and there are a variety of mature security measures available for computers. The same cannot be said for IoT devices in circulation today.

IoT devices often have a very precise use case, whereas computers tend to have a wide range of use cases. And while computers are certainly never 100 percent secure, there are far more tools and options to boost their security resilience.

The other tricky aspect to consider is that IoT devices often don’t give any tell-tale signs of misuse. And what harm could possibly result from a smart light switch or sensor being accessed? Well, you’d be surprised. From cryptocurrency mining and pivoting from the device to others on the same network to executing DDoS attacks and distributing malware, connected devices pose a great deal of risk if they’re not managed responsibly.

Taking action

As of now, governments aren’t putting pressure on device manufacturers to include security in their design process in the form of regulatory standards. Concurrently, consumers often search for the least expensive version of the device that will still accomplish the task at the center of their purchasing decision. As government and consumer pressure isn’t an issue for manufacturers, security is perceived as a non-essential element of production. But...should it be?

While the device itself is still immature in terms of security, there are a number of actionable ways to ensure that the devices in use within your organization are managed to present the least risk:

  1. Put IoT devices on their own network. This ensures that in the event that one or more devices are breached, it will not affect your operational network directly.
  2. Catalog and track all IoT devices in use. As with every device or piece of software in use within your company, catalog each connected device and track its activities. If you’re tracking that seemingly benign smart switch, you may pick up on some unusual network communications that could turn out to be nefarious in nature. Increased communication, or communication to unknown servers, could be a good indication that something isn’t quite right.
  3. Be wary of the software supporting IoT devices. Any software or mobile applications that make up the IoT device or its ecosystem pose potential security/privacy threats. Keep them catalogued. If a patch or update arises, or if a known vulnerability is identified, you’ll be prepared to act on it immediately.
  4. Equip your employees with trusted equipment. Equip employees with trusted equipment and limit the use of untrusted equipment. In other words, choose trusted brands that take security seriously. That way, it’s easier to create a governance model for that device’s use. Personal devices that employees bring from home (e.g., smart watches) should be deemed untrusted devices, and they should only be able to connect to a separate network. This offers a solution to employees that doesn’t pose a direct threat to your primary network.
  5. Educate your employees. Education should be relevant to the varied roles within your organization, depending on the relationship they’ll have to the IoT device(s). All employees must know what IoT devices are, that they need to take care of them with updates/patches, and that they cannot use them fully in the company ecosystem due to the risks they can bring. Educate technical staff operating the IoT corporate devices on the appropriate maintenance and how to spot suspicious activities. Educate network staff and provide them with tooling to help monitor those devices and limit their access to the network.
  6. Limit internet usage when possible. If devices require internet access for updates, apply updates manually or define a window in which the device can access the internet and apply the update. An IoT device constantly connected to the internet increases the potential threat.
  7. Take care of your supply chain governance and data privacy compliance. Each IoT ecosystem is different. Many IoT manufacturers have their own management portals and storage systems, and apps that can be used on computers or mobile devices to control or set up the devices. Those elements should be a part of your supply chain governance policies. You also need to check whether the supplier and manufacturer match your policies, whether the software is trustworthy, and whether the data handling complies with your own policies and with other regulations such as GDPR.
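As an added illustration of points 2 and 6 above (not code from the article), here is a small Python checker that compares flow records against a device catalog and flags communication to unknown servers, internet access outside the defined update window, and hourly traffic well above the device's baseline. The catalog entries, hostnames and flow records are constructed sample values.

```python
"""Added example, not code from the article: check IoT flow records against a
device catalog (recommendations 2 and 6 above). Catalog entries, hostnames and
flow records are constructed sample values."""
from collections import defaultdict
from datetime import datetime

# Constructed catalog: allowed servers, baseline bytes per hour and the hours
# (UTC) in which the device is permitted to reach the internet.
CATALOG = {
    "10.20.0.11": {"name": "lobby-smart-switch",
                   "allowed": {"updates.example-vendor.test"},
                   "baseline_bytes_per_hour": 50_000, "window": range(2, 4)},
    "10.20.0.12": {"name": "hvac-sensor",
                   "allowed": {"telemetry.example-vendor.test"},
                   "baseline_bytes_per_hour": 200_000, "window": range(3, 5)},
}
# Constructed flow records: (timestamp, src_ip, dst_host, bytes)
FLOWS = [
    ("2023-10-05T02:10:00", "10.20.0.11", "updates.example-vendor.test", 30_000),
    ("2023-10-05T14:00:00", "10.20.0.11", "unknown-host.test", 900_000),
    ("2023-10-05T03:30:00", "10.20.0.12", "telemetry.example-vendor.test", 150_000),
    ("2023-10-05T11:00:00", "10.20.0.12", "telemetry.example-vendor.test", 2_500_000),
]

def find_anomalies(flows, catalog, spike_factor=5):
    """Return (device, reason, dst_host) findings: uncatalogued source, server
    not in the allow-list, internet access outside the device's window, or
    hourly volume above spike_factor x baseline (reported once per hour)."""
    findings, per_hour, spiked = [], defaultdict(int), set()
    for ts, src, dst, nbytes in flows:
        dev = catalog.get(src)
        if dev is None:
            findings.append((src, "uncatalogued device", dst))
            continue
        if dst not in dev["allowed"]:
            findings.append((dev["name"], "unknown server", dst))
        if datetime.fromisoformat(ts).hour not in dev["window"]:
            findings.append((dev["name"], "outside update window", dst))
        key = (src, ts[:13])  # bucket by device and calendar hour
        per_hour[key] += nbytes
        if key not in spiked and per_hour[key] > spike_factor * dev["baseline_bytes_per_hour"]:
            spiked.add(key)
            findings.append((dev["name"], "traffic spike", dst))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(FLOWS, CATALOG):
        print(*finding)
```

In a real deployment the catalog would come from the asset inventory and the flows from a NetFlow/IPFIX collector or firewall logs; the thresholds shown are placeholders to be tuned per device class.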

While this is in no way intended to be a comprehensive “how to” plan around IoT governance, it certainly acts as a foundation on which to build. Supporting technologies such as Bluetooth, Wi-Fi and the new 5G network can also be entry points for exploitation. Governments have started to discuss what IoT means for governmental usage, which may one day lead to policies and perhaps even industry-wide regulatory standards.

The Internet of Things is still a relatively new technology. And until consumer and government pressure is put onto device manufacturers with enough force for them to begin building in security mechanisms, the security onus is currently on the user, be that a consumer or organization. Consider the risk landscape, build a threat model to examine potential weaknesses and account for them with activities such as those we’ve covered here today.

Boris Cipot, senior security engineer, Synopsys

Boris Cipot is a senior sales engineer at Synopsys. He helps companies of all shapes and sizes to create secure software. Boris joined Synopsys when Black Duck Software was acquired in 2017. He specializes in open source software security, robotics, and artificial intelligence. He has also worked in the cybersecurity field since 2003 in anti-malware software at F-Secure and Avira.