AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


IoT: The Weakest Link in Your Enterprise Security

When most people talk about the Internet of Things (IoT) today, they are usually referring to the cool gadgets and toys du jour: Google Glass, connected homes, the iWatch, fitness bracelets and so on. But it is important to remember that IoT also covers far more mundane systems, such as lighting sensors, heating and cooling systems, vending machines, commercial fridges, electronic gates and many, many other IP-based systems that are probably already keeping your enterprise running, without you even realizing it.

In most cases these systems are managed by facilities managers, usually from old, often unpatched computers that are connected to the internet and, frequently, to your corporate network as well.

Unfortunately, facilities managers are not always the most technology-savvy people, nor do they have much exposure to the company's information security processes and practices. Yet they are also likely to be the people who take the initiative and deploy the latest gadget for managing window blinds or some other smart-building system.

These IoT systems are clearly a weak, or even broken, link in your IT and physical enterprise security practices, providing new attack vectors for hackers and for flesh-and-blood criminals alike. First, they might attack the physical system from the IT side: for example, by exploiting the IP interface of the system that manages the electronic gates in order to break into your parking garage and steal the CEO's shiny new BMW. Second, they might attack your IT infrastructure by breaking into the IoT gadget itself: for example, by compromising the IP-ready holiday lights and using them as a stepping stone into your production network.

So here are 5 key tips to help protect your organization from the uncool side of IoT:

  1. Be aware. Whether you know it or not, IoT is already happening all across your organization. Knowledge is power, so the first, fairly obvious, step is to find out exactly what is already connected: inventory the building systems on your network, the computers that manage them, and who is responsible for each.
  2. Incorporate IoT into your security strategy. Next you need to bring your facilities systems, and the people who manage them, in line with your network security policy; they are just as important as the systems that generate revenue for your business. And remember to address the physical security implications of these systems, not just the virtual ones.
  3. Collaborate with IT. In this new connected world, you need to make sure that IT security is consulted and involved whenever a new IoT system is evaluated and deployed, even if it is an internet-connected coffee machine!
  4. Secure the IoT systems themselves. Review and update the security measures the IoT system ships with. You would be surprised how often they rely on nothing more than a 4-digit PIN, a (gasp) password stored in plaintext inside the software, unencrypted communications and (horror!) hard-coded back doors: think computer systems of the 1980s. Change every default credential, switch off any service or account you do not need, and use an encrypted management channel wherever the product offers one.
  5. Segment the network. Once you have recovered from the shock, include these systems in your network segmentation strategy. Put the IoT systems on their own VLAN behind a firewall that denies traffic by default, so that a compromised device cannot be used as a stepping stone into your production or corporate networks, and only allow management access through a VPN with decent authentication, authorization and auditing sitting in front of that 4-digit PIN.
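As an added illustration of tips 1 and 5 (example code written for this edit, not part of the original post or of any product), the script below classifies flow records by network zone and flags every flow that a default-deny IoT segmentation policy would block: devices on the IoT VLAN initiating into production or corporate networks, management connections to IoT devices that did not come through the VPN, and anything else touching the IoT VLAN without an explicit allow. The address plan, the management port list and the flow-log format are all assumptions; substitute your own.

```python
"""Audit flow records against a default-deny IoT segmentation policy.

Constructed example: zones, ports and the log format are assumptions made
for illustration; replace them with your own address plan and firewall logs.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan (not from the original post).
ZONES = {
    "iot":  ipaddress.ip_network("10.50.0.0/24"),   # building-systems VLAN
    "prod": ipaddress.ip_network("10.10.0.0/16"),   # production servers
    "corp": ipaddress.ip_network("10.20.0.0/16"),   # office user LAN
    "vpn":  ipaddress.ip_network("10.200.0.0/24"),  # remote-access VPN pool (AAA enforced there)
}

# Ports on which the building systems expose their management interfaces (assumed).
IOT_MGMT_PORTS = {22, 80, 443, 502}  # SSH, HTTP(S) web UI, Modbus/TCP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to a zone name; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    _ts, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(src_ip, dst_ip, int(dport), proto)


def policy_verdict(flow: Flow) -> tuple[str, str]:
    """Return (verdict, rule) for a flow under the segmentation policy.

    Order matters: the specific denies first, the single explicit allow
    (management via VPN), then default deny for anything touching the IoT VLAN.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Rule 1: a building system must never initiate into production or corporate
    # networks; that is the "stepping stone" path.
    if src_zone == "iot" and dst_zone in ("prod", "corp"):
        return "deny", "iot-to-internal"
    # Rule 2: management of IoT devices only from the VPN pool, where AAA
    # already sits in front of the device's own (weak) PIN.
    if dst_zone == "iot" and flow.dport in IOT_MGMT_PORTS:
        if src_zone == "vpn":
            return "allow", "iot-mgmt-via-vpn"
        return "deny", "iot-mgmt-not-via-vpn"
    # Rule 3: everything else to or from the IoT VLAN is denied by default;
    # legitimate exceptions (a vendor update host, NTP) need an explicit allow.
    if "iot" in (src_zone, dst_zone):
        return "deny", "iot-default-deny"
    return "allow", "not-iot"


def audit(log_text: str) -> list[tuple[str, str, str, int]]:
    """Return (rule, src, dst, dport) for every flow the policy would deny."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, rule = policy_verdict(flow)
        if verdict == "deny":
            violations.append((rule, flow.src, flow.dst, flow.dport))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z tcp 10.50.0.23:51000 -> 10.10.4.8:445
2024-05-01T08:00:02Z tcp 10.200.0.7:49200 -> 10.50.0.23:443
2024-05-01T08:00:03Z tcp 10.20.3.15:52011 -> 10.50.0.40:80
2024-05-01T08:00:04Z tcp 10.20.3.15:52012 -> 10.10.4.8:443
2024-05-01T08:00:05Z tcp 10.50.0.40:40000 -> 203.0.113.9:443
"""

if __name__ == "__main__":
    for rule, src, dst, dport in audit(SAMPLE_FLOWS):
        print(f"DENY {rule:24s} {src} -> {dst}:{dport}")
```

Run over the constructed sample, the audit reports three denials: a building controller reaching a production file server on port 445, an office PC going straight to a device's web interface instead of through the VPN, and a device calling out to an unknown external host. Pointed at exported flow or firewall logs, the same evaluator surfaces the IoT traffic you did not know you had (tip 1) before you write the firewall rules that enforce tip 5; any flow it denies that turns out to be legitimate is a candidate for an explicit, documented allow rather than a reason to loosen the default.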

With IoT fast becoming an integral part of literally 'keeping the lights on' at most organizations, remember that while it may look cool, it can also be a wide-open door for criminals. Make sure you shut it!
