Commissioned by Armis, the Forrester report, State of Enterprise IoT Security in North America, revealed that 74% of the respondents felt their security controls and practices were inadequate for managed and unmanaged assets across IT, cloud, IoT devices, medical devices (IoMT), operational technology (OT), industrial control systems (ICS), and 5G.
Keith Walsh, OT security and operations director at Armis, says the trouble with many installations within organisations is that each department tends to go solo on management and risk containment.
He cites the example of departments that may have managers over OT/ICS facilities such as air conditioning, sanitation, telecommunications, and other functions. Server rooms and computers of all shapes and sizes may be managed by a separate IT department.
Outside a typical office, a process plant in the oil and gas, petrochemicals, and chemicals industries, or a power plant (nuclear, other renewable, or fossil), will have yet other field operations and maintenance managers looking after various safety and other controllers. The expertise demanded by these fields tends to be disparate, so it would be difficult to converge all such manageable assets into a single department or system.
“For unmanaged devices, which may include OT and IoT, these may yet be another hurdle for organisations, since they may never have been defined as a security hazard, until recent times when 5G/LTE and broadband have permeated throughout every facet of an organisation.” – Keith Walsh
“So, it is safe to say, we can imagine the typical organisation may not have a complete security profile for all managed and unmanaged devices. Asset visibility is the first step in developing a security framework. You can’t secure what you can’t see,” he added.
As more devices in homes connect to the internet, security and privacy concerns rise to new levels. Palo Alto Networks’ The Connected Enterprise: IoT Security Report 2021 found that the problem has gotten worse with the rise of working from home. 81% of those who have IoT devices connected to their organisation’s network highlighted that the transition to remote working led to greater vulnerability from unsecured IoT devices.
“The bottom line is that while organisations are adopting best practices and implementing measures to limit network access, digital transformation is disrupting not only the way we work but the way we secure our ways of working,” explains Alex Nehmy, CTO of Industry 4.0 strategy for Asia Pacific & Japan at Palo Alto Networks.
He posits that safeguarding unmanaged and IoT devices continues to be a challenge. With most cyberattacks accessing corporate networks months before they are detected, ongoing monitoring and IoT device security should become a key focus area of a corporate IoT security strategy.
The real and present danger
The hacking events that we now remember, including the Colonial Pipeline ransomware attack, the attack on meat packer JBS and the Triton malware attack against a Saudi petrochemical plant, suggest that organisations will continue to be targeted as long as there are gains to be made.
Nehmy warns that most of today’s IoT security solutions provide limited visibility by using manually updated databases of known devices, require single-purpose sensors, lack consistent prevention and do not help with policy creation.
“They can only provide enforcement through integration, leaving cybersecurity teams to do the heavy lifting, blind to unknown devices, and hampering their efforts to scale operations, prioritise efforts or minimise risks,” he added.
Walsh further warns that the mature security processes that were born out of IT are now colliding with OT, as Industry 4.0 becomes more pervasive. IoT devices also tend to be simplistic and lack sophisticated patching and firewalling capabilities.
“Looking ahead, Industry 5.0 is only going to increase the interaction between humans and machines to the point of necessitating real-world human safety protocols that go beyond current OT and IT security measures,” he continued.
The IT-OT convergence – who’s the boss?
Nehmy believes that the onus of IoT security rests on the shoulders of both operational technology (OT) and information technology (IT) teams and they need to work collaboratively to ensure IoT security is adequate.
Having an IoT security system that provides a single pane of glass, giving these teams a consistent level of visibility, monitoring and enforcement across both IT and OT environments, also helps bring these culturally diverse teams together, regardless of the systems they’re securing.
When organisations have limited visibility of IoT and OT devices, it hampers their ability to begin securing them.
“You can’t secure what you can’t see. One of the best practices for integrated IT and OT security involves conducting continuous monitoring and analysis.” – Alex Nehmy
“The key focus should be on implementing a real-time monitoring solution that continuously analyses the behaviour of your entire network,” explained Nehmy.
Additionally, IT and OT teams should work together to ensure the IoT attack surface is managed by enforcing segmentation between IoT devices, OT devices and business-critical IT systems.
Strategy to secure IoT
Asked to name one strategy to secure IoT, Armis’ Walsh suggests understanding and identifying the attack surface.
“Once we do that, we can then properly patch, segment, and monitor transactions and interdependencies of those devices. Mitigating risk all starts with understanding and identifying the attack surface of our critical assets,” he added.
IDC cautions that IoT can very easily become the weak link or entry point for attacks in any organisation, which is why IoT solutions need to be secure by design. Extending a zero trust framework to IoT deployments can enhance security and reduce risk, but it is an enterprise-wide strategy that requires a complete understanding of all IoT systems on the network.
Nehmy concurs, adding that implementing Zero Trust for IoT environments is the best approach for IT and OT personnel to devise an IoT security strategy that enforces policies for least-privilege access control.
Building a business case for IoT security
IoT and OT devices usually make up more than 30% of devices within corporate networks, 57% of which are also susceptible to cyberattacks, as they are built without security in mind and contain existing vulnerabilities.
“The attack surface of IoT devices permeates across all environments of the enterprise. While organisations may not yet spend more in managing the security of all connected assets, the increasing attack surface needs to be addressed holistically,” warns Walsh.
The attacks against Colonial Pipeline and JBS may have occurred in the US, but Deloitte believes that critical infrastructure operators in Asia Pacific are increasingly being targeted by cyber espionage and sophisticated attacks with the potential for severe disruption to essential services such as energy and water supply.
As IoT use grows in importance to the daily operations of critical infrastructure, adequately securing IoT and OT devices becomes a compelling business case, posits Palo Alto Networks’ Nehmy.
He suggests that a comprehensive IoT business case should involve visibility of all IoT and OT devices, ongoing monitoring to detect security breaches, analysis of device risk and also the ability to protect and segment these devices. Ideally, this should be provided in a single security platform for the lowest total cost of ownership.
He opines that the monetary, reputational, and physical security repercussions of an IoT-based cyberattack make it imperative for organisations to invest in advanced security solutions.
“Just as vaccinations keep us safe from COVID-19, investment in proactive prevention measures will place organisations in a better position to combat the IoT cybercrime pandemic,” he concludes.