Cyber security in the wake of connected device deployment
21 June 2019
The number of IoT devices is growing at an unprecedented rate, showing no sign of slowing down. Unfortunately, security for IoT devices is lacklustre, to say the least, according to Karl Lankford.
In the BeyondTrust 2019 Privileged Access Threat Report, 60% of those surveyed in the manufacturing sector cited IoT devices as a threat to their security. IoT growth poses huge unknown risks to enterprises. Will businesses be able to cope in this new threat landscape? What should be their best course of action?
The security risks of connected devices
Unfortunately, security for IoT devices is lacklustre, to say the least. Connected devices are not designed with security in mind; they are instead designed to make life easy. While products like a Wi-Fi kettle or Wi-Fi fridge are indeed great additions to any home or workplace, they can be insecure by design.
The exponential growth of IoT devices and the risks associated with the ever-growing ‘security perimeter’ mean the attack surface is increasing at an alarming rate. As connected devices continue to be added to organisations’ networks and infrastructures, it becomes difficult for IT teams to discover and understand the full environment. Just think how easy it is to bring a connected device like a Wi-Fi enabled speaker to work and plug in and play.
Unfortunately, cybercriminals are fully aware of the ever-expanding attack surface and unsecured IoT devices have shown their drawbacks as we’ve seen with the attack of the Mirai botnet. Applying effective security controls and solutions, including a layered approach, is the only way to reduce the overall attack surface, otherwise more of these kinds of attacks will continue as the proliferation of these devices grows.
Mitigating the threats
Connected devices can range from complete business automation and logistics systems through to smart appliances, so to effectively support them organisations will need to secure traditional networks such as the office and data centre, the cloud, their partners and their supply chain.
To do this, organisations must consider every device that could ever feasibly reach their assets, as every one of these new connected devices and systems has a potential administrative back door that represents a risk. In the past, enterprises dealt with these administrative controls through manual processes, but the new reality of IoT means that the only way to properly secure administrative access to all systems is through automated solutions that can handle the massive scale in ways that manpower cannot.
As technology advances, it’s also imperative that enterprises don’t rush to implement new technologies, as they may contain security vulnerabilities for which many traditional industrial organisations may not be able to immediately upgrade their equipment. For example, manufacturing and operational technology can often be in theatre for an extended lifecycle of 10 years or more, meaning legacy systems underpin their operations. As a result, these businesses can often find themselves on the back foot, as their systems often cannot be patched effectively, leading to widespread threats from malicious actors.
For the most effective threat mitigation, enterprises should look to implement a Privileged Access Management (PAM) solution. This enables organisations to secure their privileged credentials, implement granular access controls for both third-party and internal users and provide an auditable history of what was accessed during any session. This not only secures access to networks and IoT devices, but also empowers IT teams to report quickly and efficiently on any potential untoward behaviour they find on the network.
IoT manufacturers are now starting to implement robust security measures within their devices. Together with a PAM solution and other security tools, we’ll begin to see an evolution in IoT security.
Karl Lankford is Director Solutions Engineering, BeyondTrust