By Wayne Dorris
INTERNET OF THINGS
Grooming the Landscape Tips on managing your cybersecurity
The explosion of IoT devices in today’s technology landscape makes a perfect storm for attackers to exploit. Just to give you a sense of scale, the De- partment of Defense (DoD) estimates that IT sys- tems in just its environment alone currently present about 10 million potential attack surfaces. When the DoD factors in all their IoT and OT devices, too, that number surges to over 2.6 billion. But it is more than a question of endpoint numbers. It’s a question of complexity.
In recent years, the push for convergence has not only moved security devices like video cameras and access control systems to the network. We’re now seeing systems like HVAC, lighting, sig- nage, and environmental sensors integrated into the landscape. We have wireless and cellular connections, cloud storage, and legacy systems, too, boosting the number of devices on any given network. This raises a growing concern that most of those IoT devices might not support current cybersecurity protocols, or even have been designed with network security in mind. Bear in mind that all these networked IoT devices reside in close interface with your IT systems. So it is imperative that you take steps to en- sure these devices don’t become tools or attack vectors that could be used to disrupt or compromise your critical systems.
FACING THE UNIQUE CHALLENGES OF IoT
While a company might standardize on a maximum of three to five operating systems for its IT systems, there are no such com- mon operating systems when it comes to IoT devices. In fact, the DoD estimates that with the billions of IoT devices on the market today, there might be as many as 90,000 different operating sys- tems in play. This makes it particularly difficult to apply the same cybersecurity controls across the entire IoT ecosystem.
Without a globally recognized IoT standard for reference, you’ll need to create your own cybersecurity baseline and checklist for
your IoT devices. That baseline begins with discovering exactly what is on your network. You may be surprised to find devices you thought were long retired still connected to the network.
DIFFERENT LEVELS OF IoT HARDENING
Depending on the risk assessment, your IoT cybersecurity plan should reflect the protection necessary for your operating environ- ment. Look at your company’s IT network security policies and see which security control sets you can also implement on your IoT devices. A general rule of thumb is to start with a minimum recom- mended level of protection and build from there as needed.
Standard protection. This includes resetting factory default settings, updating the device with the latest firmware, setting a master password, creating a client account, configuring network settings, setting the date and time, and applying encryption to onboard data storage.
Enterprise protection. This includes all the standard protec- tions plus setting HTTP digest authentication, setting domain and host names, disabling unused features and services, enabling IP address filtering, and enabling HTTPS encryption.
Managed enterprise protection. This includes all standard and enterprise protections plus IEEE 802.1X network access control, SNMP monitoring, and remote system logging.
VETTING CYBERSECURITY IN THE SUPPLY CHAIN
A vendor’s security posture has a direct impact on the safety of your systems because their systems could become an attack vec- tor into yours. Some good questions to ask the vendors in your supply chain include: Are they developing and manufacturing their own products? Do they retain full control over certifications, firmware and chipsets? Do they test for cyber vulnerabilities at every stage of product development?
If they are an OEM, where are they sourcing their critical
22
JANUARY/FEBRUARY 2021 | SECURITY TODAY
everything possible/Shutterstock.com