I would wager that just about everyone reading this article has some sort of smart home gadget nearby (whether you want to or not!). Maybe you have an Amazon Echo powering some lights and switches to help you go to sleep and wake up more easily. Or, if you’re like this writer, you may spend more time than you want to admit with Home Assistant, trying to automate literally anything just for the fun of it.
The IoT Explosion
In recent years, consumer-grade Internet of Things devices (IoT) have become cheaper and easier to use, and the same is true in the Industrial IoT (IIoT) market. Trends like Industry 4.0/5.0 and increased governmental pressure to better secure critical infrastructure are only small catalysts to this movement. IIoT devices, ultimately, are meant to keep workers safe by automatically collecting data, performing specific actions, or completing other critical tasks.
Both IoT and IIoT face the same primary challenge – how do you secure some of the riskiest devices out there? And let's remember, these devices are typically cheaply produced with hardcoded firmware and operating systems that cannot be upgraded, leaving vulnerabilities open in an organization’s (or home) network.
Are Smart Devices Really That Dangerous?
Yes and no. The concept of smart and IoT devices is not inherently bad or dangerous. At the most basic level, these devices offer increased convenience, control, and comfort in our homes – while improving safety, assisting with data collection, and boosting business agility in the industrial space. It is in the actual implementation of the devices that things can quickly go sideways.
Generally speaking, IoT devices run legacy firmware and operating systems, which leaves them exposed to common exploits that can be easily found on the internet. On the consumer side, manufacturers rarely send out updates for IoT devices like smart plugs or bulbs because it just doesn’t make sense for them to do so. They prefer to sell new hardware with updated software than build out upgrade mechanisms for all the various types of devices they have on the market.
The industrial side is unfortunately no different. At many, if not most, companies, legacy hardware and software is running some of the most critical tasks for the business. This could include anything from monitoring air quality in a coal mine, to controlling the amount of chemicals mixed into our drinking water, to complex manufacturing lines where a single moment of downtime means significant monetary loss.
IoT Security: Where to Start?
Communication and connectivity are the name of the game when it comes to improving IoT security. Various devices and sensors are always checking, storing, and sending data to a central repository, and this means some type of network access is needed. Manufacturers of both IoT and IIoT devices will demand unrestricted internet access to transfer data and allow you to interact with the devices from a centrally managed dashboard.
There’s no silver bullet for either IoT for IIoT security, but let’s look at some best practices for securing these popular devices, both at home and in the enterprise:
Segment your networks: Utilizing 802.1q VLANs, it is critical to carve up the larger corporate network into smaller, more defined chunks, typically based on purpose. Setting up an “IoT” VLAN is a good first step but it’s key to go even further, creating VLANs based on vendor, device type, device role, and continuing to layer granularity.
Enforce traffic policies on both inter-VLAN and VLAN <-> internet communications: IoT devices call home to many sources, making it crucial to set firewall or other traffic policies to ensure that only validated, authorized vendor traffic is being passed to the vendor. In addition, confirming that VLANs cannot talk to each other (no routing between VLANs) can help mitigate the risk of malware or ransomware spread if a device becomes infected.
If an organization (or home) cannot utilize VLANs, using physical ports on a router connected to a core switch is also a workable option but may lack the same granularity as VLANs.
Utilize an identity-based approach to securing access to both the physical devices and all management consoles:Especially in the industrial space, if device control is compromised through a dashboard, it can lead to catastrophic results. Legacy VPNs, SDPs, and other traditional access solutions put too much emphasis on the network and provide broad access rather than granular security.
Conclusion
While Cyolo is not (yet) available for home users or the consumer space, we do have a proven track record in helping Operational Tech (OT) and industrial organizations understand their IoT threat landscape and put in place identity-based access and connectivity controls to achieve the outcomes above. With a unique architecture that does not rely on network connectivity or vendor trust, Cyolo is perfectly positioned to solve access nightmares for both IoT and IIoT.
