Why You Should Integrate IoT Security Into Your Vulnerability Management Program

It’s safe to say that the internet of things (IoT) is mature enough that it’s on everyone’s radar by now. The IoT as we know it has been around for more than a decade, but it wasn’t until about five years ago that organizations started integrating the IoT as a core component of their enterprise security programs. Still, many IT professionals and executives alike are not addressing IoT security at a level that matches the tangible business risks it’s creating.

I’ve worked with many businesses to help create their security programs from scratch — everything from policies to technologies to ongoing security assessments. One thing I’ve found is that addressing these elements of security from the very beginning is much easier than trying to integrate controls into an environment that’s already established.

It’s no different with the IoT. These devices are bringing an onslaught of random systems into practically every business network, yet many people still aren’t paying attention. That must change if businesses are to maintain some semblance of reasonable security.

Exploits Come in All Shapes and Sizes

In terms of threats and vulnerabilities, the IoT is pretty much a continuation of traditional enterprise network systems. There are myriad scenarios encompassing IoT-related attacks on enterprise networks, such as:

  • Device to device;
  • Device to traditional endpoint — i.e., workstations and servers;
  • Device captures of network traffic;
  • Device to network perimeter; and
  • Device to cloud.

There could be IoT-centric network activity taking place right under your nose that you might not even be aware of. One thing to remember is that IoT network communication goes in two directions — outbound and inbound — across both wired and wireless networks. Your environment must be equipped to not only handle the bandwidth requirements of the IoT, but also the visibility and control that’s needed to keep things in check.

To effectively integrate your IoT environment within your larger vulnerability management program, you must first identify your IoT systems. You simply cannot control or secure the things you don’t know about. But there’s more to it: You also need to understand which specific vulnerabilities IoT devices pose and how those vulnerabilities can be mitigated.

Perhaps the right solution for your organization is a dedicated IoT security appliance. Specific integration with your internal vulnerability scanning and patch management might be in order. Or it could be that you must address things on a case-by-case basis, finding, analyzing and resolving security concerns across all your IoT platforms.

The important part is that you’re properly acknowledging the vulnerabilities. Be it a smaller environment hosting a handful of medical devices or a larger industrial control network made up of countless devices, IoT systems need to be identified, enumerated and evaluated for vulnerabilities. Many security professionals aren’t sure where to start in terms of identifying these flaws. Some vulnerabilities are the predictable basics of weak passwords, unencrypted communications sessions and outdated software that facilitates remote exploits. Other devices often have odd services running in unexpected ways, or they’re connected to parts of the network and/or doing certain things that you thought were not allowed or even possible.
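As a starting point for the identify, enumerate and evaluate steps described above, the following added example (not code from the original article) reconciles network discovery results against the asset inventory and flags unknown devices, cleartext services, outdated firmware and devices sitting in an unexpected network segment. The field names, addresses, firmware versions and port table are constructed assumptions; weak-password checks are out of scope here.

```python
import ipaddress

# Constructed sample: the asset inventory the vulnerability management program
# already tracks, keyed by MAC address (hypothetical field names).
INVENTORY = {
    "00:11:22:aa:bb:01": {"type": "infusion-pump", "segment": "10.20.0.0/24", "min_fw": "2.4.0"},
    "00:11:22:aa:bb:02": {"type": "ip-camera", "segment": "10.30.0.0/24", "min_fw": "1.9.3"},
}

# Constructed sample of network discovery output (e.g. exported from a scanner).
DISCOVERED = [
    {"mac": "00:11:22:aa:bb:01", "ip": "10.20.0.15", "fw": "2.3.9", "ports": [443]},
    {"mac": "00:11:22:aa:bb:02", "ip": "10.10.0.77", "fw": "1.9.3", "ports": [23, 80, 554]},
    {"mac": "00:11:22:aa:bb:99", "ip": "10.10.0.80", "fw": None, "ports": [1883]},
]

# Default ports of protocols that carry sessions unencrypted.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

def version_tuple(version):
    """Turn '2.4.0' into (2, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def evaluate(device, inventory):
    """Return the list of findings for one discovered device."""
    findings = [f"cleartext-service:{CLEARTEXT[p]}" for p in device["ports"] if p in CLEARTEXT]
    record = inventory.get(device["mac"])
    if record is None:
        # Not in the inventory: nothing else can be checked until it is identified.
        findings.append("unknown-device")
        return findings
    if ipaddress.ip_address(device["ip"]) not in ipaddress.ip_network(record["segment"]):
        findings.append("unexpected-segment")
    if device["fw"] is None or version_tuple(device["fw"]) < version_tuple(record["min_fw"]):
        findings.append("outdated-firmware")
    return findings

def triage(discovered, inventory):
    """Map each discovered MAC address to its findings."""
    return {d["mac"]: evaluate(d, inventory) for d in discovered}

if __name__ == "__main__":
    for mac, findings in triage(DISCOVERED, INVENTORY).items():
        print(mac, findings or ["ok"])
```
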

Simply lumping these systems into existing vulnerability management practices may work, but not always. It’s important to not just tackle IoT vulnerabilities in a binary fashion, but also truly figure out how the IoT can be integrated into your existing security initiatives.

Find the Right IoT Security Solution

I’m a strong believer that buying tools alone does not solve security problems. In fact, procuring and deploying additional tools just for the sake of it can create additional challenges and increase risk. This applies as much to IoT security as it does to any other aspect of enterprise security. That said, there are tools and services dedicated to solving the challenges associated with the IoT. However, before opening the budget to simply check another security or compliance checkbox, you should consider the following questions:

  • What IoT systems are on the network?
  • What specific business risks does the IoT introduce into the enterprise? How are those risks best addressed?
  • What business requirements need to be met?
  • What current work will have to be delayed or given up entirely when taking on a new IoT management/security system? Will a new resource have to be hired to fill the gaps?
  • How will a new IoT management/security system be integrated with existing network security controls? Does there seem to be a reasonable cultural fit?
  • Alternatively, can existing security technologies, such as security information and event management (SIEM), cloud access security broker (CASB) or endpoint detection and response (EDR), be leveraged to discover and lock down the IoT environment?

Determining the proper set of IoT controls for your environment is one of the more important long-term security decisions you will make. This is why all the right people — including management outside of the IT organization — need to be on board so the best decisions can be made. You’ll have to leverage technology for the IoT more than anything else, and I can assure you that your paperwork won’t be enough.

Acknowledge IoT Concerns and Take Action

The IoT is not some new fad that will fade away; it’s a new facet of your network that must be managed whether you think something should be done about it or not. And it’s not going to get any easier as time goes on. Now’s the time to plan and develop approaches to the IoT systems that are already on your network and quite likely posing business risks.

Identify the IoT systems and devices that are — or will soon be — on your network, understand how these endpoints are creating risk, and then do something about it. Any gaps or weaknesses in IoT security will most likely facilitate the next big network event, so prepare your enterprise before it’s too late.