July 21, 2021

Answering the Important Questions About IoT and Cybersecurity

We’ve reached a place in which IoT touches virtually everything in our entire existence — not only our home and work lives but our utilities (smart grids), hospitals (smart health monitors), military (smart weapons), and municipalities (smart cities) — to the point that we take this ubiquitous connectivity for granted.

But we shouldn’t.

Why? Because we drop the term “connected devices” routinely without ever really thinking about what this connectivity means. By their very nature, IoT devices connect to third-party service providers, the cloud, and/or mobile services. Thus, every time we welcome a new IoT product into our houses, we’re bringing these external parties into our homes. Every time we acquire an IoT system for our employers or customers, we make these external parties a de facto part of a protected environment.

And that’s when things can go very wrong. As a textbook example, look no further than the recent compromise of connected camera device and service provider Verkada in which hackers successfully targeted more than 150,000 of the cloud-based company’s cameras, including those installed in Tesla factories and warehouses, gyms, hospitals, jails, schools, and police stations.

The uncomfortable truth here is that much of the IoT universe was not designed with security in mind. IoT devices now account for one-third of all infections — double the number from 2019. Consequently, cyber adversaries increasingly view these devices as low-hanging fruit with weak passwords, unprotected network services, and an overall lack of hardening.

So, as an IT executive, how do you respond? Like any major initiative, you start with a strategy. We recommend you build this strategy by answering the following questions:

**How much of this is actually supporting our systems?** You can’t protect what you don’t know. A comprehensive inventory of where IoT exists in every place where your people are getting the job done — even remotely — will map out a complete view of your IoT footprint.

**Who owns it?** It’s quite possible that an organization’s facilities department has ordered an IoT-enabled elevator or heating, ventilating, and air conditioning system upgrade without notifying the cybersecurity team. Obviously, the facilities people are not primarily interested in security. They are graded on their roles’ own cost-effectiveness, performance, and return-on-investment metrics, which might be met faster with more connected and modern equipment. To ensure such installations do not introduce unmanageable risks, you should develop a formal set of procedures that requires cross-departmental coordination.

**How will we track it all?** You monitor your network, applications, and devices. Your nontraditional IoT devices should prove no exception. You should not set it and forget it: many IoT endpoints neither keep their own logs nor restrict their network communications, so the network traffic they generate is often the only record of what they do. Conduct continuous log and network monitoring of IoT devices, just as you do for servers, laptops, and workstations, to track their activity and the data they’re sending and receiving, and to readily detect deviations from each device’s standard endpoint profile.
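A worked illustration of the inventory and tracking questions above, added here as example code that is not part of the original post and not a Pondurance tool. It assumes flow records in a simple `key=value` line format (a constructed format standing in for what a firewall or flow collector exports), identifies each device by its source MAC address, learns a per-device profile of destination, port, and protocol from a "known good" learning window, and then reports traffic that deviates from that profile or comes from a device that was never inventoried. All sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed flow-record format (not from the original post): one line per
# flow as a firewall or flow collector might emit. The device is identified
# by its source MAC because many IoT endpoints keep no logs of their own, so
# the network is the only vantage point a defender reliably has.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[0-9a-f:]{17}) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Learning window: traffic from two camera-like devices during normal use.
# Addresses are documentation ranges; the lines are constructed samples.
BASELINE_LOG = """\
2021-07-01T09:00:01 src=aa:bb:cc:00:00:01 dst=203.0.113.10 dport=443 proto=tcp
2021-07-01T09:00:05 src=aa:bb:cc:00:00:01 dst=203.0.113.10 dport=443 proto=tcp
2021-07-01T09:00:07 src=aa:bb:cc:00:00:01 dst=192.0.2.53 dport=53 proto=udp
2021-07-01T09:01:00 src=aa:bb:cc:00:00:02 dst=203.0.113.10 dport=443 proto=tcp
2021-07-01T09:01:02 src=aa:bb:cc:00:00:02 dst=192.0.2.53 dport=53 proto=udp
2021-07-01T09:02:00 src=aa:bb:cc:00:00:02 dst=192.0.2.123 dport=123 proto=udp
"""

# Later traffic to evaluate against the learned profiles (constructed).
NEW_LOG = """\
2021-07-08T10:00:01 src=aa:bb:cc:00:00:01 dst=203.0.113.10 dport=443 proto=tcp
2021-07-08T10:00:09 src=aa:bb:cc:00:00:01 dst=198.51.100.77 dport=23 proto=tcp
2021-07-08T10:00:30 src=aa:bb:cc:00:00:02 dst=192.0.2.53 dport=53 proto=udp
2021-07-08T10:00:45 src=aa:bb:cc:00:00:02 dst=10.0.0.15 dport=445 proto=tcp
2021-07-08T10:01:00 src=aa:bb:cc:00:00:99 dst=203.0.113.10 dport=443 proto=tcp
garbage line that should be ignored rather than guessed at
"""


def parse_flows(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = FLOW_RE.match(line.strip())
        if match:
            yield match.groupdict()


def build_baseline(text):
    """Learn {mac: {(dst, dport, proto), ...}} from a learning window.

    The key set doubles as the IoT inventory: every device that talked on the
    network during the window is listed, whether or not anyone ordered it
    through the cybersecurity team.
    """
    profile = defaultdict(set)
    for flow in parse_flows(text):
        profile[flow["src"]].add((flow["dst"], flow["dport"], flow["proto"]))
    return dict(profile)


def find_deviations(baseline, text):
    """Return (reason, mac, (dst, dport, proto)) tuples for traffic that does
    not match the learned profile.

    unknown-device: a MAC never seen in the learning window (inventory gap).
    new-destination: an inventoried device reaching a host/port/protocol it
    never used before, which is what "deviation from endpoint profile" means
    in practice and what warrants an analyst's look.
    """
    alerts = []
    for flow in parse_flows(text):
        key = (flow["dst"], flow["dport"], flow["proto"])
        if flow["src"] not in baseline:
            alerts.append(("unknown-device", flow["src"], key))
        elif key not in baseline[flow["src"]]:
            alerts.append(("new-destination", flow["src"], key))
    return alerts


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_LOG)
    print("inventoried devices:", sorted(profiles))
    for reason, mac, key in find_deviations(profiles, NEW_LOG):
        print(f"{reason:16} {mac} -> {key[0]}:{key[1]}/{key[2]}")
```

In a real deployment the learning window would be longer, the profile would be keyed on something more stable than a MAC (which can be spoofed), and alerts would feed the same queue your server and workstation telemetry does; the point of the example is that the device itself contributes nothing, so inventory and deviation detection both come from what the network sees.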

**How extensive is our third-party risk?** As indicated, the risk level of your third-party IoT services now represents your risk level. Get together with these providers to inquire about their security policies and practices and assess whether they are sufficiently proactive and vigilant. Pay close attention to things like the handling of credentials and whether you can configure service providers’ platforms to adequately encrypt your data. Understand that there are going to be trade-offs: third parties and embedded cloud services offer powerful uptime and deployment advantages. It is much easier to subscribe to a cloud-backed camera platform and install the devices than to compare and buy disparate camera, recording, and storage components and figure out how to manage and maintain them yourself. However, these providers are fundamentally economies-of-scale businesses that may not suit every unique requirement. Cyber risk management is about identifying what the trade-offs are and whether they are acceptable or deal-breakers.

**Are we implementing CIA steps?** In this case, CIA stands for…

* **C**onfidentiality: Only users with permission can read the data to keep untrusted parties from gaining access.
* **I**ntegrity: Only users with permission can modify the data, so untrusted parties can’t do so as they attempt to exploit it.
* **A**vailability: Users with permission can always access the data to make it relevant and valuable in the first place.

**Do we need to bring in a partner?** Ultimately, you may realize that you can’t do all of this on your own. Fortunately, you can partner with a managed detection and response provider to monitor your network around the clock and take action in real time after identifying suspicious or malicious activity. Beyond intercepting attacks in real time, this type of monitoring can help proactively identify blind spots and policy compliance gaps that IoT transformations introduce into your networks and operations, helping you make sure new connectivity through mergers and acquisitions, facility modernizations, or remote workforces is not stretching your organization beyond its defenses.

As with most technological breakthroughs, there is no going back from the IoT. It’s not going away and will only grow more universal as a presence in our lives and within the enterprise. By addressing these questions, you can take essential steps to ensure you reap IoT rewards while taking risks in stride.

*Original post from Landon Lewis:* [https://www.pondurance.com/blog/answering-the-important-questions-about-iot-and-cybersecurity/](https://www.pondurance.com/blog/answering-the-important-questions-about-iot-and-cybersecurity/)
