Implementing zero trust with the Internet of Things (IoT) – ITPro

Taking a zero-trust approach to security is pretty much the standard by which organizations are measured these days. It means no user can be on the network without being authenticated and continuously validated.

We think of users as people. But users can also be things. And these internet-facing things, Internet of Things (IoT) devices, can be as much of a cyber security issue as people. Actually, they can be more of a security issue.

Organizations rely on IoT devices to help them keep operational on a day-to-day basis. There are plenty of devices that keep a business running including security cameras, printers, smart TVs, conference room equipment, kitchen equipment, and environmental sensors. These might include thermostats, smoke detectors, and ventilation systems alongside smart locks and room entry management systems.

All of these use software to complete tasks and share data with other devices, inside or outside the network. Their communication is typically automated, machine to machine, and doesn't involve a human. It may never be monitored in any way that's meaningful in a security-conscious sense.

Normally, we'd consider many of these devices as the domain of the facilities team rather than the IT team, and outside the scope of the enterprise network that needs protecting. It's one of the many considerations when it comes to assessing IoT security risks.

"Consider older facilities," says Abel Archundia, managing director of global advisory and life sciences at ISTARTI. "They may create or manage sensitive data yet likely have air conditioning units or cameras installed years ago in the same network. And most of these systems have no protocol to upgrade operating systems in IoT devices. The worst thing is that they're not very complex or hard to crack."

Each of the devices attached to an organization's network presents a danger, John Linford, Security & OTTF Forum Director at the Open Group, explains.

"Devices inevitably have vulnerabilities through their connection to a network," he tells ITPro. "With the growing use of IoT devices, a business's attack surface expands as attacks can originate from the channels that connect IoT devices."

It's a key problem that poor security is a feature of many of these IoT devices right from the outset, and they don't have to be particularly old to feature poor security. Right out of the box, they can come with default passwords that aren't changed on installation, and can have a poor level of commitment to firmware updating and patching. They either lack a regular schedule or a commitment to patch whenever a fault is found, or have a short period of support before dropping out of the support regime completely.

"[An IoT device can] lack support for modern, secure controls like two-factor authentication (2FA), and logging and monitoring of device access and network traffic," Matt Lewis, commercial research director at NCC Group, tells ITPro.

They often lack an interface such as a screen to provide notifications about possible new software updates. And they are regularly overlooked as they appear as black boxes performing a function and are presumed to be fine if operational.

For many IoT devices, updating their firmware can require physical access, which can be difficult for, say, IP cameras mounted high on fences or gates.

There's a strongly held view that it simply isn't possible to trust any IoT device, even if it's equipped with automatic security updating. "As a former CIO, my guidance is that preparation is the best defense," Archundia tells ITPro.

IoT devices are often just too much of a risk; they're too much of a soft entry point into the organization to overlook them. It's best to assume each device is a hole in an enterprise's defenses. Perhaps each device won't be a hole at all times, but some may be for at least some of the time. So long as the hole isn't plugged, it can be found and exploited.

That's actually fine in a zero trust environment, because it assumes every single act, by a human or a device, could be malicious. The system, therefore, monitors and checks everything on the basis that a successful attack is always a possibility.

Linford adds it's possible to limit the scope of an attack administered through IoT in a zero trust environment. "Because zero trust focuses on continuously verifying and placing security as close to each asset as possible, a cyber attack need not have far-reaching consequences in the organization," he says. "By relying on techniques such as secured zones, the organization can effectively limit the blast radius of an attack, ensuring that a successful attack will have limited benefits for the threat agent."

Still, the devices themselves merit plenty of attention on an individual basis. Lewis advocates a robust asset management process in which organizations take steps to track every single asset as much as possible. "[This includes] subscribing to notifications from all of their tech vendors about any new software updates, and ensuring a documented process is followed to install any updates or security fixes in a timely manner. This should all be done as a periodic routine, rather than, say, a once-a-year activity."
