The Internet of Things (IoT) is a hot topic in the industry today. Advanced network capabilities combined with low-cost sensors and devices are making it possible for businesses to benefit from large ecosystems of smart machines.
These networks need effective protection from breaches, malware, hacks and other cyber risks. Securing any industrial or corporate IoT network from such threats is no easy task, even when all of the devices are correctly inventoried, categorised and centrally provided.
But this challenge is made even greater when you consider all of the different devices that employees or suppliers may unofficially add to and use on the network. This is known as the ‘shadow IoT’ and it can cause businesses some serious problems.
IT managers need to be able to identify where the holes or weaknesses in the network might be. Of course, they may begin by asking, “Where and how do employees connect unsecured technology?” But that is just the start. They also need to know, “What can be done to ensure the integrity of networks when such a wide range of smart and IoT devices are potentially being used?”
First, let’s take a look at the scale of the problem.
Employees regularly connect personal devices to company wifi and other networks, and this in itself can cause security issues if mobile certificates aren’t properly managed. But with the lower costs and greater availability of IoT products, smart devices are now being connected and used more regularly than ever.
Gartner predicts there will be over 20 billion IoT devices in use by 2020. Employees are regularly setting up their own equipment including smart speakers and TV screens, or even IoT-enabled coffee machines, fridges and microwaves, all of which will be accessed across the corporate network.
Similarly, external contractors and consultants visiting your offices might ask to hop on to the company wifi to share information, or perhaps connect smart speakers or a wireless projector during a presentation.
These situations leave IT unaware of what is being used on the networks they are trying to protect. In a 2018 study by 802 Secure, Inc, it was found that every single organisation surveyed had found “rogue” IoT devices that were transmitting data to other networks, individuals and the cloud. Examples include misconfigured wireless printers, wireless USB thumb drives connecting to computers both in and out of the corporate network, or even unsecured CCTV cameras.
In addition, 90% reported having shadow IoT networks that were operating separately from the main enterprise infrastructure and oversight. This lack of supervision makes these devices susceptible to attacks, and increasingly the weaknesses are being exploited.
Generally, the security protocols on very basic IoT devices are simplistic, standardised (particularly in terms of login credentials and machine identities) and unable to withstand most forms of serious attack.
Significant vulnerabilities have been found in smart home systems and in many common IoT security cameras, for example. This has led to a big increase in IoT breaches in recent years, and many experts believe these will only get more common in the short- to medium-term.
One of the major forms of attack is the IoT botnet: a situation in which an attacker remotely accesses and co-opts a group of smart devices and computer systems in order to carry out illicit transmissions to other systems on the internet. This is also known as a 'thingbot' when just the smart devices are concerned.
Botnets multiply the attacker's available computing power, enabling them to send vast amounts of spam that can bypass filters or carry out Distributed Denial-of-Service (DDoS) attacks to disrupt systems and networks.
On a much smaller scale the most significant security vulnerability is remote access. This may be just an annoyance where a smart light switch or plug is concerned, but could lead to major problems if security cameras or sensors used for manufacturing are compromised. And if an attacker were to access healthcare equipment, such as a cardiac sensor, the potential results are immediately dangerous.
So with such a serious attack vector, how do we secure it?
There are a number of steps that can be taken to prevent a shadow IoT from proliferating at your company, and to secure the devices that are currently in use. As usual, when it comes to enhancing network protection there is always a balance between security and efficiency; employees need to be able to do their jobs without being overly limited due to restrictions imposed by IT. Nevertheless, here are some practical steps that can be taken:
Firstly, it is important for IT to know what networks exist, how they are being used and what is connected to them. This requires a sophisticated approach to machine identity management, able to cope with the volume of IoT machines being added and the data exchange that the IoT can bring.
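One way to start on that visibility, as an added example that is not part of the original article: reconcile the devices a DHCP server has actually seen against the approved inventory. It assumes dnsmasq-style lease lines and an inventory keyed by MAC address; every address, hostname and owner is constructed sample data, and it only covers devices that take a lease on an IP network.

```python
import re

# Constructed dnsmasq-style leases: expiry, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1735689600 00:00:5E:00:53:01 10.0.20.11 meeting-display 01:00:00:5e:00:53:01
1735689600 00-00-5e-00-53-02 10.0.20.12 printer-floor2 *
1735689600 00:00:5e:00:53:a7 10.0.20.57 smart-speaker *
1735689600 02:1a:2b:3c:4d:5e 10.0.20.58 * *
malformed line
"""

# Constructed approved inventory: MAC -> accountable owner.
INVENTORY = {
    "00:00:5e:00:53:01": "facilities",
    "00:00:5e:00:53:02": "it-ops",
    "00:00:5e:00:53:03": "it-ops",  # registered camera, not currently seen
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(raw):
    """Return a lower-case colon-separated MAC, or None if not a MAC."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def parse_leases(text):
    """Yield one record per well-formed lease line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        mac = normalize_mac(fields[1]) if len(fields) >= 4 else None
        if mac is None:
            continue
        # Locally administered bit set: likely a randomised MAC, so this
        # device can never be matched to an inventory by address alone.
        randomised = bool(int(mac[:2], 16) & 0x02)
        yield {"mac": mac, "ip": fields[2], "hostname": fields[3],
               "randomised": randomised}


def reconcile(lease_text, inventory):
    """Return (unmanaged devices seen, inventoried MACs not seen)."""
    approved = {normalize_mac(m) for m in inventory}
    seen = {d["mac"]: d for d in parse_leases(lease_text)}
    unmanaged = [seen[m] for m in sorted(seen) if m not in approved]
    missing = sorted(approved - set(seen))
    return unmanaged, missing


if __name__ == "__main__":
    print(reconcile(SAMPLE_LEASES, INVENTORY))
```

Devices flagged as randomised need a different identifier, such as a device certificate, before they can be tracked at all.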
IoT networks use different frequencies and access protocols to traditional wifi, intranets and other company networks. You can’t necessarily rely on legacy security approaches to ensure they are secure.
Effective management also plays an important role. The 802 Secure, Inc study discussed above also found that 32% of companies didn’t have somebody designated to be responsible for managing IoT risks. Ensure you assign oversight of IoT networks to specific stakeholders so there’s a clear workflow.
This workflow will need to extend from purchases through setup and to operation and obsolescence. Involving experienced IT staff at all stages, with access to an effective device identity management system, will help employees acquire and use IoT devices safely.
Your staff will always find creative ways to work around network restrictions or policies, often unintentionally. But make sure you regularly communicate the potential implications of exposing the company’s network as many people genuinely don’t know that connecting certain devices is risky.
Ultimately the best way to secure the shadow IoT network is to eliminate it altogether. This is about employee behaviour and corporate policy rather than cybersecurity, but IT has a strong case to make if all machines are being properly tracked and secured.