IoT Security Challenges: Focus on Features, Not Security
The immense growth of the Internet of Things (IoT) has opened up unique business opportunities and enabled operating models in a variety of industries and use cases. Although estimates differ, Gartner Research predicts that there will be over 25 billion connected IoT devices by the end of this year. These devices enable exciting new use cases in a wide range of industries, from automotive to healthcare, and deliver business results and operational efficiencies that were previously unattainable. However, this explosive proliferation has unintentionally increased the attack surface and exposes companies to a variety of IoT security risks. In the first half of 2021 alone, there were 1.5 billion IoT attacks (source: Threatpost.com). Modern security models such as Zero Trust ensure that the business and operational benefits of the IoT are not negated by the increased risk of using this type of equipment on a large scale.
Palo Alto Networks explains how this can be implemented in the best possible way.
One of the constant challenges in securing the IoT lies in the nature of the devices themselves. Device manufacturers focus on form and function and attach little to no importance to the actual security of the device. This has made the IoT a popular target for attacks, as hackers exploit these vulnerabilities using a variety of techniques. To make matters worse, the endpoint security controls normally applied to user devices, such as an endpoint agent or strong authentication, are not possible in the world of IoT. With the number of these devices increasing and their integrated security weak or absent, the lack of security control options becomes an even bigger problem for the overall risk to the company.
Applying Zero Trust to the IoT: Starting with Visibility
Another challenge related to IoT security, according to Palo Alto Networks, is simply the lack of visibility for IT security teams. Since many IoT devices are purpose-built devices such as security cameras or MRI devices, they are usually deployed by the plant or manufacturing teams with little or no coordination with the security managers. Without adequate visibility, security controls cannot be applied, which makes it impossible to reduce the associated risk.
Comprehensive visibility should be “step 0” in every company’s approach to applying Zero Trust best practices to their IoT infrastructure. Once a device has been identified and profiled, it should also be assessed for overall risk based on a number of criteria, from its vulnerabilities to the type of access it has to other resources such as critical applications and data. This visibility and risk assessment will determine the overall strategy for Zero Trust best practices and security controls, such as “least access” privileges. Many companies use the IoT security solution from Palo Alto Networks to gain comprehensive insight and secure their IoT infrastructure.
Application of “Least Access” controls
One of the cornerstones of a zero trust strategy is the concept of “least access”. This means allowing only the access to applications and resources that a user, or in this case an IoT device, needs to perform its task on the network. For example, a security camera should only forward video traffic to a specific destination, such as a security center or a storage server. Similarly, an MRI machine in a hospital should only communicate with the infrastructure that supports the storage and display of medical scans. No device should reach the Internet, except in the rare case that it needs an update, for example a firmware update from the manufacturer. This “least access” approach mitigates a variety of threats related to device compromise and restricts lateral movement and other malicious activities.
The last point in applying Zero Trust to the IoT is continuous monitoring. Once visibility is achieved and the “least access” policies are in place, continuous monitoring of the devices is crucial to detect if a device has been compromised and behaves in a way that deviates from the typical behavior. Fortunately, given the mostly static nature of today’s IoT devices, this is relatively easy to do. As dedicated devices on the network, IoT devices should have static access requirements and a predictable behavior pattern. Given these characteristics, tools that provide behavioral baselining and analysis are the key to identifying when a particular device has become “renegade” and deviates from its business purpose within the company.
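The “least access” and monitoring ideas above can be combined into one check, shown here as an added example that is not from the article or from Palo Alto Networks: each profiled device gets an allowlist of destinations, and every observed flow outside it is flagged. All addresses, profile names and ports (554 for camera video, 104 for medical imaging, 443 for the update host) are assumptions made for illustration.

```python
import ipaddress

# Constructed inventory: device IP -> profile (the result of "step 0" visibility).
INVENTORY = {
    "10.20.0.11": "security-camera",
    "10.30.0.5": "mri-scanner",
}
# Constructed least-access policy: profile -> allowed (destination network, port).
# Addresses are private or documentation ranges chosen for this example.
POLICY = {
    "security-camera": [("10.50.0.10/32", 554)],   # video to the storage server only
    "mri-scanner": [("10.60.0.0/28", 104),         # scan storage and display systems
                    ("203.0.113.7/32", 443)],      # manufacturer firmware update host
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed company address space

def check_flow(src, dst, port):
    """Return None if the flow matches the device's allowlist, else a reason."""
    profile = INVENTORY.get(src)
    if profile is None:
        return "unknown device: not in inventory, so no policy applies"
    dst_ip = ipaddress.ip_address(dst)
    for net, allowed_port in POLICY[profile]:
        if dst_ip in ipaddress.ip_network(net) and port == allowed_port:
            return None
    if dst_ip not in INTERNAL:
        return f"{profile} reached the Internet outside its update exception"
    return f"{profile} contacted an internal host outside its allowlist"

def find_violations(flows):
    """Return (src, dst, port, reason) for every flow that breaks policy."""
    checked = [(s, d, p, check_flow(s, d, p)) for s, d, p in flows]
    return [row for row in checked if row[3] is not None]

# Constructed flow records, as a monitoring tool might export them.
FLOWS = [
    ("10.20.0.11", "10.50.0.10", 554),    # camera -> storage server: allowed
    ("10.30.0.5", "10.60.0.3", 104),      # MRI -> imaging systems: allowed
    ("10.30.0.5", "203.0.113.7", 443),    # MRI firmware update: allowed
    ("10.20.0.11", "10.30.0.5", 445),     # camera -> MRI: possible lateral movement
    ("10.20.0.11", "198.51.100.9", 443),  # camera -> Internet: not permitted
    ("10.99.0.4", "10.50.0.10", 554),     # device missing from the inventory
]

if __name__ == "__main__":
    for violation in find_violations(FLOWS):
        print(violation)
```

Because IoT devices have static access requirements, the allowlist doubles as the behavioral baseline: any flagged flow is a deviation worth investigating.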
Zero Trust as a Business Enabler
If done right, according to Palo Alto Networks’ experience, Zero Trust offers the opportunity not only to increase security, but also to reduce overall complexity by redesigning security to meet modern digital transformation initiatives. When applied to the incredible growth and opportunities offered by the Internet of Things (IoT), unique business and operational benefits can emerge, while at the same time managing many of the risks that this new infrastructure entails.