Security Versus Virtual Working

Tim Nyland-Jones, Information Security Manager at Northgate Vehicle Hire, investigates the ongoing challenges of standardizing IoT software and interoperability, offering practical insights for IT professionals.

The Current State of IoT Security

Recent statistics highlight the urgency of addressing IoT security: in 2023, IoT devices experienced an average of 5,200 attacks per month, with 32% of organizations reporting IoT-related security incidents (Source: IoT Security Foundation, 2023).

The'make it work, make it right, make it fast' mantra remains prevalent in software development:

• Make it work: Create a product meeting functional requirements.
• Make it right: Address legal and compliance risks, ensure thorough testing.
• Make it fast: Optimize code for efficiency.

While this approach works well for mature platforms, IoT devices present unique challenges due to their limited processing power and diverse operating systems. Security often takes a backseat to functionality, raising critical questions for enterprise IT professionals.

Case Study: The Perils of Rushed IoT Implementation

In 2022, a major retailer rushed to implement IoT-enabled inventory tracking devices. Within months, hackers exploited weak default credentials, accessing sensitive supply chain data. This incident resulted in a $5 million loss and damaged customer trust, underscoring the importance of thorough security measures in IoT deployments.

Navigating the Lack of Standards

While ISO27001 provides a framework for organizational information security, software-level standards for IoT remain elusive. ISO27034 (application security) shows promise but is incomplete. The complexity of software development and the IoT sector's immaturity contribute to this standardization challenge.

Dr. Sarah Chen, IoT Security Researcher at CyberTech Institute, notes: "The rapid evolution of IoT technologies often outpaces our ability to establish comprehensive security standards. It's crucial for organizations to adopt a proactive, risk-based approach in the interim."

Practical Framework for IoT Security

In the absence of universal standards, IT professionals can leverage questions based on the UK Government's Cyber Essentials programme:

1. Usernames and passwords: Ensure all accounts are documented and changeable.
2. Encryption: Verify the use of robust, documented encryption algorithms.
3. Patching: Establish clear expectations for security updates and end-of-life policies.
4. Vulnerabilities: Confirm the existence of a reporting mechanism and vendor responsiveness.
5. Testing: Request evidence of vulnerability testing and remediation plans.

Proactive Measures for IT Departments

1. Segregate IoT devices from the main corporate network.
2. Conduct or outsource regular security testing of IoT devices.
3. Implement a rigorous patching schedule, checking for updates at least weekly.
4. Establish clear responsibilities for IoT device management, especially for third-party managed devices like CCTV systems.

John Davis, CISO at TechSecure Solutions, emphasizes: "Proactive risk management is key. IT departments must take ownership of IoT security, even when devices fall under other departments' purview."

Checklist for IT Professionals

• Conduct a thorough inventory of all IoT devices on the network
• Assess each device against the Cyber Essentials-based questions
• Implement network segmentation for IoT devices
• Establish a regular patching and update schedule
• Develop an incident response plan specific to IoT-related breaches
• Provide IoT security awareness training for all relevant staff

Conclusion

As we navigate the complex landscape of IoT security, IT professionals must balance innovation with robust security practices. By adopting a proactive, risk-based approach and leveraging existing frameworks, we can mitigate the inherent vulnerabilities of IoT devices and protect our organizations from emerging threats.

Further reading

• IoT Security Foundation Annual Report 2023
• NIST Special Publication 800-213: IoT Device Cybersecurity Guidance for the Federal Government
• OWASP IoT Security Verification Standard
• Practical IoT Hacking" by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Beau Woods, and Tao Wang (2021)
• IT Security Courses By TSG Training

Download the PDF Version of this Whitepaper Here