Step 3: Investigate the State of IoT Usage within Your Organization

Never believe what you’ve been told or your own assumptions. You need to find out for yourself what IoT devices are already in use within your environment. It’s dangerously naïve to assume there aren’t any in place already. Just like standard IT security risk assessment, you need to be aware of your assets, controls, and potential vulnerabilities before proceeding further. It’s likely that this discovery process will entail a mixture of scanning, interviews, and project reviews. Since IoT devices are often manageable over a network interface, you should be scanning for shadow IoT on service ports for Telnet, SNMP, MQTT, FTP, HTTP, HTTPS, and SSH. IoT devices often collect and transmit data, so you should also watch for outbound transmissions from unexpected devices. This kind of scanning is not a one-off event but an ongoing part of security hygiene—not only to ensure that no unknown IoT devices are introduced, but also to make certain that policies and standards are being enforced.

Step 4: Fence It All In

Once you know what you’ve got and what your organization is using, it’s a good idea to wrap network controls around the IoT systems. This is especially important as IoT systems—with their myriad remote management and data transmission methods—may have a much larger attack surface than your other computing systems. A typical IoT system is probably going to have a stripped-down Linux operating system with a minimum viable custom application running on it. These kinds of systems are going to have security shortcomings. Despite having standards and requirements for IoT, the security team may still find itself being forced to accept weaker IoT systems onto their network because of business requirements. This is where we need to look at adding controls, beginning with network access control.

Any IoT system that doesn’t absolutely need remote connection from outside your organization (and very few devices actually need this) should be network-segregated away from the outside network. It is extremely rare that anything on the Internet should be required to touch your IoT devices. This segregation can be done with VLANs, network access control lists or, best of all, firewalls. For any IoT system that needs to communicate and cross the firewall, the connection should be authenticated and verified according to the level of trust you place in it. Basic levels of trust can include:

1. Unknown and completely untrusted IoT device: We don’t know what this is, but we assume It’s not good, so we’ll segregate it away until we learn more.
2. Discovered but not verifiably trustworthy IoT device: We know what this is, but we still need to check its software and make sure it’s appropriately hardened and patched.
3. Verified trusted for specific functions: We know what this is, what state it’s in, and what it’s supposed to be doing. We’ll let it perform its approved functions and only those functions.

Step 5: Monitor and Watch

As with any other significant activity on your networks, all IoT connections should be logged and reviewed for suspicious activity. Make sure you are monitoring which IoT devices are talking to what or whom outside of your organization, and what information and commands are flowing back and forth. Depending on the nature of these data flows, you may discover you need addition controls such as Transport Layer Security. Logs should be made any time a system is moved from one trust level to another as these are security-noteworthy events. Logs should also keep track of your inventory of IoT systems, which is a useful metric to track and share.

Conclusion

In general, IoT represents a whole new IT security paradigm, as well as an exponential increase in potential threats. Getting a handle on the problem within your organization is a necessity—and the sooner the better. Begin by communicating the problem to the organization. Then find and fence off how the IoT systems communicate based on how much trust and confidence you place in them. We all need to realize the IoT is here to stay, so we need to find a way to use it with acceptable levels of risk.