Page 24 - Security Today, January/February 2021
INTERNET OF THINGS
“So it is imperative that you take steps to ensure these devices don’t become tools or attack vectors that could be used to disrupt or compromise your critical systems.”
components (chipsets, memory, etc.)? Are they contracting their manufacturing from a trusted party? Can they provide you with a bill of materials for their products’ software and firmware? What other manufacturers do their devices rely on in their source code?
Another aspect of vetting your supply chain is determining their policies around timely response to discovered vulnerabilities. How quickly do they publish security patches and bug fixes? How frequently do they issue firmware and software updates? Do they offer automatic update services for their products?
Establishing a Vendor Risk Management Program can help you systematically evaluate potential technology partners and determine whether their demonstrated commitment to cybersecurity meets your high standards.
EMPLOYING LONG-TERM LIFECYCLE MANAGEMENT
Vetting your supply chain also helps you to better understand the interdependencies in your technology ecosystem. Knowing whether a new firmware or software release in one device or system could potentially disrupt integration or an API with another device or system on the network could save you countless headaches. This leads us to another important aspect of IoT cybersecurity: lifecycle management.
A structured lifecycle management program helps you keep track of all the technologies in your ecosystem from the time they’re installed until they reach end of life and are removed from the network. It helps you identify devices nearing their end of life, running outdated operating systems, and more susceptible to risk because they won’t be receiving future updates. This will help you plan when to replace specific devices with newer solutions that the manufacturer currently supports.
The good news is you can automate this ecosystem audit. There are several software tools from product vendors and manufacturing companies that specialize in device management platforms. These platforms not only help you discover every device on your network, they also capture key information about those devices’ identity:
• Model number
• IP address
• MAC address
• Currently loaded software, firmware, and operating system
• Certificate status
You can use this highly detailed look at your ecosystem to perform a variety of maintenance tasks critical to cybersecurity and lifecycle management best practices:
• Managing user privilege levels
• Password changes
• Firmware updates
• Configuration modifications
• Certificate management
One of the biggest benefits of using device management software is the ability to push out system changes, firmware updates, and new HTTPS and IEEE 802.1x security certificates to hundreds of devices simultaneously, rather than individually. You can quickly and easily create or reconfigure security settings and apply them to all the appropriate devices on the network. In the case of firmware updates, the device management software automatically verifies that devices are running the latest and most secure version. Knowing the current status of all your devices ensures that you can address new vulnerabilities quickly and limit your exposure.
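The lifecycle audit described above, sketched as an added example (not from the article or any vendor's product). The inventory records, the VENDOR lifecycle table, and the function names are hypothetical, and every device value is constructed for illustration.

```python
from datetime import date, timedelta

# Constructed inventory using the identity fields the article lists.
INVENTORY = [
    {"model": "CAM-A1", "ip": "192.0.2.11", "mac": "00:00:5E:00:53:01",
     "firmware": "10.4.2", "cert_expires": date(2022, 3, 1)},
    {"model": "CAM-B7", "ip": "192.0.2.12", "mac": "00:00:5E:00:53:02",
     "firmware": "9.80.1", "cert_expires": date(2021, 1, 15)},
    {"model": "DOOR-X", "ip": "192.0.2.13", "mac": "00:00:5E:00:53:03",
     "firmware": "1.0.0", "cert_expires": date(2021, 5, 1)},
]

# Hypothetical vendor data: latest firmware and end-of-support date per model.
VENDOR = {
    "CAM-A1": {"latest": "10.4.2", "end_of_support": date(2025, 1, 1)},
    "CAM-B7": {"latest": "9.80.3", "end_of_support": date(2021, 6, 30)},
}

def parse_version(v):
    # Compare versions numerically; as strings, "10.4.2" sorts before "9.80.3".
    return tuple(int(part) for part in v.split("."))

def audit(inventory, vendor, today, warn_days=180):
    """Return {mac: [findings]} for devices that need attention."""
    horizon = today + timedelta(days=warn_days)
    report = {}
    for dev in inventory:
        findings = []
        info = vendor.get(dev["model"])
        if info is None:
            # A device with no lifecycle record cannot be tracked to end of life.
            findings.append("unknown model: no vendor lifecycle data")
        else:
            if parse_version(dev["firmware"]) < parse_version(info["latest"]):
                findings.append(f"firmware {dev['firmware']} behind {info['latest']}")
            if info["end_of_support"] < today:
                findings.append("past end of support")
            elif info["end_of_support"] <= horizon:
                findings.append("end of support within window")
        if dev["cert_expires"] < today:
            findings.append("certificate expired")
        elif dev["cert_expires"] <= horizon:
            findings.append("certificate expiring within window")
        if findings:
            report[dev["mac"]] = findings
    return report

if __name__ == "__main__":
    for mac, findings in audit(INVENTORY, VENDOR, date(2021, 2, 1)).items():
        print(mac, "; ".join(findings))
```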
IT’S DAUNTING BUT DOABLE, ONE STEP AT A TIME
Given the complexity of today’s ecosystems, implementing an effective IoT cybersecurity plan may seem like a daunting task. But if you break it down into a series of incremental steps, you’ll easily reach your goal.
Discover all your network-connected devices. You can’t protect what you don’t know is there. Develop a cybersecurity baseline for all your IoT devices.
Institute password and user management protocols. Always change factory default passwords and settings before allowing devices to go live on the network. Institute password policies that include complex passwords and regularly scheduled password updates. Also, remember to change system management passwords when key administrator personnel leave your company.
Segment your devices and systems. Set up VLANs and firewalls to separate IoT devices from critical systems.
Coordinate cybersecurity efforts with your IT department. Implement those IT cybersecurity protocols that can be supported by IoT devices and make the most sense for how those devices are being used.
Establish ownership of updates and patches. Any systems and devices on the network that have been dormant or not updated could be vectors for attack. Make sure you’re alerted when manufacturers release software and firmware updates, patches, and bug fixes. Be sure to verify that administrators implement those releases in a timely manner.
Implement a lifecycle management program. Cybersecurity isn’t a one-and-done activity. Your IoT device security needs to be kept current to protect against new threats. With lifecycle management you can track the status of each device from the time you install it until you retire or replace it. Be sure to review your lifecycle program at least once a year.
With timely oversight and consistent policies and procedures, you’ll be able to anticipate and address a host of cybersecurity and vulnerability issues before they can compromise your network. And that’s what managing IoT cybersecurity is all about.
Wayne Dorris, CISSP, is the business development manager for Cybersecurity at Axis Communications.