Overcoming the challenges to IoT and OT security

08 December 2022

With billions of devices becoming connected as the Internet of Things (IoT) expands its reach across the globe, the security of these devices must be considered. Paul Keely, chief cloud officer at Open Systems, explains the moves enterprises can take to safeguard their systems

Enterprises have truly embraced the Internet of Things (IoT), with businesses the world over deploying ever more of these connected devices. Drawn by benefits ranging from improved workplace efficiency and employee morale to better performance and reliability in manufacturing operations, businesses are projected to spend over US$400 billion on IoT worldwide by 2025.

Despite their benefits, however, this proliferation of IoT devices has also greatly expanded corporate attack surfaces, giving bad actors more potential points of entry into corporate networks. Compounding this, these devices often have inherent weaknesses that cybercriminals can exploit to compromise them. A single compromised IoT device is all criminals need to breach a network and then move laterally in search of valuable data to exfiltrate.

Obviously, securing these smart devices should be a top priority given their vulnerabilities. The sad truth, however, is that few companies put the same effort into protecting their IoT devices as they do their laptops, servers and other IT assets. To understand why, it’s important to first understand the two broad categories of connected devices and their unique security issues.

IoT security issues

In the business world, IoT typically refers to devices deployed in office spaces to make them more comfortable for employees and to improve workplace efficiency. Applications run the gamut, from smart juicing machines that order their own fruit to conference room sensors that indicate whether a room is in use or empty.

While undeniably useful, such IoT applications are not mission critical. This fact, combined with how easy these devices are to install, means deployments are typically handled by facilities teams, and often by individual employees, rather than by IT. It is this lack of IT involvement that leads to serious security challenges.

The problems begin at installation: the default passwords of these devices are rarely changed, whatever the intentions of the facilities staff deploying them.

Additionally, most IT organisations do not know the number or types of IoT devices that have been deployed throughout their enterprise. This lack of visibility makes proper patch management extremely difficult and means that patches and firmware updates are rarely if ever implemented.

Complicating things further, many of these devices are no longer supported, and some vendors have gone out of business altogether. The devices nevertheless remain active and connected, becoming ever more vulnerable points of entry for bad actors.

The IoT threat landscape has grown more dire now that Trickbot, malware originally aimed at computers and IT systems, targets IoT devices as well. Trickbot has compromised IoT devices for use in command-and-control (C2) attacks, treating them as a foothold from which to attempt lateral movement into parts of the network holding more critical data.

OT means business

Operational Technology (OT) is the other category of connected devices and is sometimes referred to as Industrial IoT (IIoT). As the name suggests, OT is employed by companies in the monitoring and controlling of the equipment and processes that are key to their business. Unlike IoT, OT is often used in business-critical applications.

Predictive maintenance is a popular OT application, used to identify signs of failure in critical equipment so that maintenance can be performed to prevent a breakdown. A good example is a connected sensor that detects increased vibrations indicating the imminent failure of turbines or other high-speed rotating parts in a critical piece of machinery.

Given their importance and significant cost, it is no surprise that IT generally manages the deployment and maintenance of OT systems. While this means IT has the visibility it needs into the OT estate and that patches and firmware updates are properly managed, OT still faces real threats.

In addition to the possibility of bad actors compromising OT devices as a way to breach the network and exfiltrate valuable data, the threat of cyber-kinetic attacks that physically damage mission-critical equipment is very real. For example, a cybercriminal could conceivably cause a CNC milling machine to overheat by preventing its cooling system from operating.

Overcoming the challenges

Despite the challenges – many of which are considerable – there is quite a lot that can be done to better protect IoT and OT devices.

The first step in protecting an organisation’s IoT and OT devices is to discover them all. Gaining visibility is key to effective security and requires an up-to-date inventory of all these devices, which includes all relevant data about each device.

Another key element of proper cyber hygiene is patching: be diligent and apply vendor patches and firmware updates promptly.

Monitoring is also vital. Effectively monitoring IoT and OT devices is a daunting task but is worth the effort. Fortunately, there are security services providers who can help with this.
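The discover-then-monitor steps above (build an inventory, then watch what the devices actually do) can be illustrated in a few dozen lines. The script below is an added example, not code from the article or from Open Systems. It assumes a DHCP lease dump as the discovery source, a small OUI-to-vendor table, an IT asset register and a per-vendor allowlist of expected peers; all of these, plus the flow records it inspects, are constructed inline so it runs offline. Devices that IT does not track are surfaced as the patching and default-password blind spot, and any flow from an untracked device that falls outside its baseline is raised as an alert, with SMB or RDP traffic toward internal hosts labelled as possible lateral movement.

```python
"""Inventory-driven monitoring for an IoT/OT segment.

Added example: all inputs below are constructed for illustration, and the
vendor prefixes, hosts and allowlists are hypothetical."""
import ipaddress
from typing import Dict, List

# Hypothetical OUI-to-vendor table (a real deployment loads the IEEE registry).
OUI_VENDORS = {
    "A4:CF:12": "ExampleSense room sensor",
    "00:1E:C0": "ExampleCNC controller",
    "3C:5A:B4": "Dell laptop",
}

# Constructed DHCP lease dump: ip, mac, hostname, lease expiry (epoch).
DHCP_LEASES = """\
10.20.1.15 a4:cf:12:00:11:22 room-301-sensor 1670500000
10.20.1.16 a4:cf:12:00:11:23 room-302-sensor 1670500000
10.20.5.7  00:1e:c0:aa:bb:cc cnc-mill-02     1670500000
10.20.9.44 3c:5a:b4:01:02:03 LT-0421         1670500000
10.20.1.99 d8:f1:5b:77:88:99 -               1670500000
"""

# Constructed: MACs the IT asset register already tracks (patched, managed).
IT_ASSET_REGISTER = {"3c:5a:b4:01:02:03"}

# Constructed: the site's own address space, used to tell internal from external.
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed per-vendor baseline of (destination network, port) pairs.
EXPECTED_PEERS = {
    "ExampleSense room sensor": [("10.20.0.10/32", 443), ("10.20.0.53/32", 53)],
    "ExampleCNC controller": [("10.20.5.1/32", 102), ("10.20.0.53/32", 53)],
}

# Ports an IoT/OT device has no business using toward internal hosts.
LATERAL_MOVEMENT_PORTS = {22, 445, 3389, 5985}

# Constructed flow records: src_ip dst_ip dst_port proto bytes
FLOWS = """\
10.20.1.15 10.20.0.10  443 tcp 1820
10.20.1.16 10.20.0.10  443 tcp 1790
10.20.1.16 10.20.9.20  445 tcp 52210
10.20.5.7  10.20.5.1   102 tcp 640
10.20.5.7  203.0.113.9 443 tcp 90100
10.20.1.99 10.20.0.10  443 tcp 300
"""


def build_inventory(leases: str) -> Dict[str, dict]:
    """Turn DHCP leases into an inventory keyed by IP, tagging each device
    with its OUI vendor and whether the IT asset register knows it."""
    inventory: Dict[str, dict] = {}
    for line in leases.splitlines():
        ip, mac, hostname, _expiry = line.split()
        vendor = OUI_VENDORS.get(mac.upper()[:8], "unknown vendor")
        inventory[ip] = {
            "mac": mac,
            "hostname": hostname,
            "vendor": vendor,
            "managed": mac in IT_ASSET_REGISTER,
        }
    return inventory


def unmanaged_devices(inventory: Dict[str, dict]) -> List[str]:
    """Devices IT does not track: where patches and password changes get missed."""
    return sorted(ip for ip, dev in inventory.items() if not dev["managed"])


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in SITE_NETWORKS)


def detect_anomalies(flows: str, inventory: Dict[str, dict]) -> List[str]:
    """Alert on flows from unmanaged devices that leave their vendor baseline."""
    alerts: List[str] = []
    for line in flows.splitlines():
        src, dst, port_s, proto, nbytes = line.split()
        port = int(port_s)
        device = inventory.get(src)
        if device is None or device["managed"]:
            continue  # managed IT assets are covered by the normal EDR/SIEM path
        allowed = EXPECTED_PEERS.get(device["vendor"], [])
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in ipaddress.ip_network(net) and port == p for net, p in allowed):
            continue  # within baseline
        if port in LATERAL_MOVEMENT_PORTS and is_internal(dst_ip):
            kind = "possible lateral movement"
        elif not is_internal(dst_ip):
            kind = "unexpected external connection"
        elif not allowed:
            kind = "no baseline for device"
        else:
            kind = "outside baseline"
        alerts.append(
            f"{kind}: {src} ({device['hostname']}, {device['vendor']}) "
            f"-> {dst}:{port}/{proto}, {nbytes} bytes"
        )
    return alerts


if __name__ == "__main__":
    inv = build_inventory(DHCP_LEASES)
    print("unmanaged devices:", ", ".join(unmanaged_devices(inv)))
    for alert in detect_anomalies(FLOWS, inv):
        print(alert)
```

On the constructed data the room sensor reaching a file server on 445 and the CNC controller talking to an outside host are both raised, while the unidentified device at 10.20.1.99 is flagged simply because no baseline exists for it; the practical next step for that third alert is to find the device and bring it into the register.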

Partnering with a security services provider is also a good option for many companies, particularly those without a security operations centre (SOC).

Companies that determine they need help should look closely at managed detection and response (MDR) providers. Their combination of 24/7 monitoring, experienced security experts and a focus on early detection of and response to threats makes them an ideal security partner for many companies.

Though all MDR providers can monitor their customers’ servers, desktops, laptops and other traditional IT assets, companies should carefully evaluate MDR providers to ensure they engage one that can also monitor IoT and OT devices. This requires MDR providers to be experts in using the latest agentless network sensors, such as Microsoft Defender for IoT. These sensors are key to an MDR provider’s ability to discover customers’ IoT and OT assets, ingest telemetry from these devices and to continuously monitor them without impacting their performance.