By now, there should be no question in anyone’s mind that the Internet of Things (IoT) – that is, devices other than computers, tablets, or phones which are connected to the Internet – is growing quickly and, when it comes to security, potentially risky.
Many of them are already in in our offices, our factories and distribution systems, and even in our homes—and there are only likely to be more of them in the near future. From connected cars to cameras to thermostats to light bulbs to kitchen appliances and even to Internet-connected toys, one estimate is that by 2020, there will be billions of these devices.
There have been numerous recent articles documenting the security risks of IoT–hard-coded passwords that can’t be changed, devices with security vulnerabilities that can’t be remediated – but if you don’t know what the actual risk is to your business right now (or how it may grow as more IoT devices become connected to your environment), then you need to know how to address these risks.
IoT Inventory Proposed Requirements
A bipartisan bill was recently introduced in the U.S. Senate that would require U.S. government agencies to build an inventory of IoT devices currently connected to the Internet, as well as require manufacturers who want to sell such devices to government agencies to comply with existing industry standards for cybersecurity (e.g., NIST, ISO, etc.). (The bill also provides that in some cases, vital IoT devices that lack the required level of security could still be used if there were compensating controls and the agency using the device goes through a process to determine if a waiver of the rules is appropriate.)
Private sector organizations may want to take a page from the public sector, and consider building an inventory of IoT devices in their own environments. Anything from a laptop to a web-controlled light bulb connected to the company’s networks is, by definition, an IoT device. But by knowing what devices are (or can be) connected to the Internet, one can better evaluate the level of risk for each device, and make decisions to deploy (or not) these IoT devices.
IoT Inventory Strategy
While an inventory can be conducted in a number of ways, below is one suggested strategy for beginning this inventory:
- First, ask employees at large. Circulate a notice, perhaps by email, requiring every employee to report any devices that they have installed on a company network that was not provided by the company.
- Second, add company-provided devices. Ask your IT department to add to the list any devices which it has installed for any employee, contractor, or vendor.
- Finally, cross-check the resulting list. Scan company networks and generate an automated inventory of all devices that are connected. Any entries on the automated inventory that remain must be investigated so that there are no “mystery” devices attached to the network.
Once you have your inventory, you can review the risks of different devices. Some – like those known to have significant security issues that can’t be remediated – may have to be removed from the network and, if appropriate, replaced by more secure devices.
At the same time, an organization should strongly consider, in collaboration with HR, IT, and legal departments, establishing and communicating a policy that prohibits the attachment of any device to its network without permission - notwithstanding the necessity of having tools to detect and prohibit connection of unauthorized devices to the network. Having such a policy in place prohibiting such conduct is an important deterrent, and supports the imposition of penalties for violations of an established policy.
Knowing that there are generic risks relating to IoT is certainly important. But knowing what your actual risks are today - and how they could change tomorrow - is even more so.