This piece originally appeared in InformationWeek.
With the arrival and deployment of faster speed and reduced latency of 5G, there is an expected surge in industrial use of connected devices. The massive growth of these connected devices increases the number of potential cyber risks. Also, beyond the security concerns, the explosion of connected assets requires IT leaders to re-think how they’re addressing connected asset management.
To begin with, discovering and maintaining an accurate inventory of device ecosystems is important to establishing a single source of truth to operate effectively and minimize IT risk. Doing so helps companies stay on top of software updates and avoid opening themselves up to unnecessary risk due to patchable vulnerabilities.
Visibility is also key to providing a holistic view of device ecosystems, while end-to-end configuration and audit and policy monitoring capability help IT leaders understand appropriate device activity and monitor risk controls.
“This is key to understanding when devices deviate from acceptable performance and security expectations,” says Ernest Lefner, chief product officer at Gluware, a provider of intelligent network automation.
Building an IoT Operations Budget
He explains that the best way to build an Internet of Things (IoT) operations budget involves understanding the end-to-end technology model and breaking down the key components necessary to grow and operate the service.
“This means breaking the service down into its key components and developing the end-to-end support model,” Lefner says. “In an IoT environment, it’s key to know who, where, when, and how each and every device will be operated and supported.”
In addition to securing IoT at the device level, it’s critical that IT teams also consider ways to secure access and secure data as it moves across the network.
Many day-to-day security concerns originate at the network level, whether it’s network configurations, software currency, firewall rules, or known vulnerabilities.
“As with IT operations, automation enables security teams to transcend the nuts and bolts of these basic security chores so they can focus on the integrity of overall processes,” Lefner says. “Automation, particularly automated networks, is a key part of managing connected assets.”
He added “hyperautomation” of networks releases IT teams from the tedious task of managing hardware and software and associated misconfigurations so they can focus on providing seamless business services.
This level of automation must utilize AI, machine learning, and robotic process automation (RPA) to contextualize anomalies, identify the relevant stakeholders, and suggest a solution.
“This allows IT teams to spend time fixing the issue instead of trying to find it,” Lefner says.
Viakoo CEO Bud Broomhead points out that because IoT devices are often purchased and deployed by a line of business (think manufacturing or facilities), they are often not tracked or accounted for by IT.
“When it comes down to it, IoT devices are often outside the control or management by IT and exist at a much higher scale than IT devices do,” he says. “Acknowledging both the management and scale of IoT devices is a critical part of forming a comprehensive IoT security strategy.”
Asset Discovery Tools
Using an asset discovery solution should help to maintain an accurate device inventory, which then is the basis for securing those devices.
Broomhead explains that another critically important form of visibility for IoT device ecosystems is understanding whether the devices are tightly coupled with other devices and applications to perform the desired business outcome.
“Tightly coupled IoT has security implications, such as when the password is updated on a device -- the application it is tied to will likely need to have that password updated in the application as well,” he explains. “Knowing all the devices through discovery and knowing the tightly coupled applications in the ecosystem are the most critical visibility factors.”
Broomhead says there are three key strategy planks for organizations to secure their connected devices: ensuring InfoSec policies are applied to IoT devices; ensuring the people responsible for IoT devices have the training and tools to secure those devices, and; ensuring there is a compliance/audit process that can address the scale issue with IoT devices.
“The case for executive buy-in is driven by organizational risk,” he adds. “The cost of a successful breach continues to climb, and as IoT devices are becoming preferred devices to exploit by threat actors."
Broomhead points out that the combination of these factors should provide a path towards senior management acting across multiple organizations to control this risk. “The CISO organization ultimately is responsible for managing risk, IT can bring in knowledge and processes, and the line of business must manage and maintain device security.”
Avoiding Blind Spots
Jelle Wijndelts, director of business consulting, EMEA, at Snow Software, agrees that the main challenge for IT teams when managing and securing IoT devices is visibility. “The ability to know what is being used, how it’s used, and by whom is imperative both from a security standpoint but also from an efficiency perspective,” he says. “If you don’t know what is being used and what data is being gathered, you can’t manage it, and it will be a blind spot.”
Wijndelts says that because there are lots of different types of IoT devices -- from WiFi to Bluetooth to 5G, organizations must prioritize which ones need to be tracked from a license/software perspective, especially because connected devices have a huge impact on the organization’s security. “Identifying which connected assets are the highest priority will help you direct your resources,” he says. “When we discuss IoT, we are really talking about data so data management must be a key component of your strategy.”
Several forms of data can be collected; however, status data is the simplest and most prevalent form collated and can be used for more complex analysis.
“Lastly, analytics is essential,” Wijndelts says. “This pillar is what makes IoT applications so powerful and useful in everyday life of individuals and organizations. Once data is analyzed and understood, this is where you find the valuable insights.”
Broomhead adds that almost all organizations will want to have automated firmware patching to minimize the time that threat actors have to exploit vulnerabilities, and they will want to ensure all devices are following corporate password policies. He further explains that some organizations will have additional security functions, such as deploying certificates on IoT devices to extend zero-trust initiatives to IoT.
“With details on how many devices, what security tasks are done to them, the cost per security task, and the frequency of security task a budget can be formed,” he says. “As usual, using automation is critical in keeping budget reasonable because the scale of IoT devices precludes performing these tasks manually.”
Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.