Connected devices and the broader Internet of Things (IoT) ecosystem promise to deliver new efficiencies for industrial processes, environmental controls, fleet management, package delivery—and much, much more. But reaping these benefits is predicated on strong security that will protect the IoT system.
Business technology leaders need to understand the risks that are unique to IoT systems, and develop a security strategy that will mitigate the risks while allowing the organization to gain promised efficiency and insight.
Here are 7 best practices to get you started:
- Know what devices are on your network
It’s not unusual for organizations to have connected devices that are neither monitored nor discovered. But knowing about all connected devices is the foundation of strong enterprise IoT security. You need real-time discovery, visibility and control over all devices, both IoT devices and traditional endpoints, and whether wired or wireless. It also means having the ability to authenticate a broad variety and large number of connected devices before permitting network access. And you need a way to continuously enforce those access policies.
- Develop a risk score for device type
Assess the risk of each type of device, balanced against factors such as business gains and regulatory compliance. Understanding the risk typically involves collaboration among line of business managers, IT managers and the security team.
Develop a risk score based on the mission-criticality of the use case, the known vulnerabilities of each device type, and the importance and sensitivity of the data being transmitted. Determine how you will monitor each type of device and remediate as needed.
- Conduct a gap analysis
From there, you can conduct a gap analysis and develop a plan to address the risks today and as they evolve in the future. For instance, if the healthcare biomedical team purchases new devices without evaluating them for security risk and then expects the IT team to secure them, you need to take a step back and create a new process to evaluate device security risk before selection.
- Securely manage the devices
You need to provide quick, secure, and scalable identity management to give customers, partners and suppliers the access they need. You also need a way to provision and update IoT devices as needed. Consider whether data is sensitive and should be encrypted, and if so, how you will manage cryptographic keys.
- Secure the connection
You need to ensure data integrity and protect service availability. Determine whether the IoT system runs on its own operational network, or if the same network also supports corporate IT traffic. Converging the operational and corporate networks creates efficiencies, but you will need additional network segmentation and protection.
Consider whether a potential compromise would affect a single device or the entire fleet, and work to limit the scope of potential threats. Devices should be micro-segmented by type to contain the potential damage if one class of device is breached.
Follow best practices for network perimeter security, including using advanced firewalls, intrusion prevention and Denial-of-Service protection. As the Mirai botnet shows, pay special attention to DNS servers and other network infrastructure.
In addition, you need insight into threats and the ability to act on that intelligence. IoT systems collect massive volumes of data, and for that data to become useful, your systems need to understand the difference between legitimate and malicious traffic coming from the sensors.
- Secure the apps and data
Follow security best practices for the monitoring and analytic applications running in your data center or at your cloud service provider. Follow data center security best practices or gain a thorough understanding of the security practices of your cloud service provider. Make sure the authentication credentials used to configure and operate the IoT deployment are strong, as stealing the administrator credentials is often the easiest way to gain access.
Make sure your applications follow a secure development methodology, and consider the overall security of APIs in particular. If you’re using open source software, choose software that’s supported by an active community. Make sure your device operating systems and other systems are upgraded to the latest version, which will help protect against malicious attacks.
- Revisit your security plan
We’re just beginning to realize the opportunity in the enterprise, and we’re in for a long ride of innovation, startups, and partnerships. As new devices are developed with improved security, it’s a good idea to plan to migrate away from any older, riskier devices. Best practices are evolving, so it’s important to revisit and readjust your security strategy frequently.