As mentioned in the earlier blog about the Internet of Things, there are significant risks. As IoT devices become more integrated into enterprise systems, it is essential to understand the configuration and management requirements associated with them. IoT devices may not be perceived as a threat to the overall security of the enterprise, but a misconfigured IoT device can allow a malicious outsider to gain unauthorized access to the network. The malicious actor may then be able to pivot to another connected system, escalate privileges, and gain access to sensitive information.
The majority of IoT devices do not incorporate security as part of the overall design approach. This may be due to the desire to be first to market, or the limited processing capacity of IoT devices. Ashford (2018) shared that unaware users allowed their IoT devices to connect to the internet, where, due to unmitigated vulnerabilities, the devices became part of the million+ members of the Mirai botnet. Understanding the patching capabilities of an IoT device should be a primary concern when considering the addition of such a device, since it could pose a significant security risk.
Finally, conducting an extensive analysis of the actual costs and benefits of incorporating the IoT device is vital. Adding a device simply to be part of the latest and greatest is not reason enough to compromise the security of an enterprise. Many of the IoT devices currently available may be part of a cyber-physical or operational technology system. For example, an infotainment system on an automobile may have access to the Controller Area Network (CAN) bus. This access could allow control of the physical abilities of a vehicle. Likewise, a smart meter may be part of the operational technology of an organization, but if granted access to the overall IT systems, it could present a significant risk.
A closing thought: when dealing with IoT devices in an enterprise, there are two key things to remember. First, ensure that all patches are applied promptly. Second, segregate the IoT device as much as possible from the critical IT components. These two things can help significantly reduce the risk presented by IoT devices.
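One way to check the segregation point is to audit the firewall rule set for any path from the IoT segment to critical IT subnets. The following is an added example, not part of the original post; the subnets, rule names and the ordered first-match rule format are all constructed assumptions.

```python
from ipaddress import ip_network

# Assumed address plan (constructed for illustration).
IOT_SEGMENTS = [ip_network("10.50.0.0/16")]        # IoT / OT VLANs
CRITICAL_SEGMENTS = [ip_network("10.10.0.0/24"),   # e.g. ERP and databases
                     ip_network("10.10.8.0/24")]   # e.g. identity services

# Constructed ordered rule set, first match wins: (name, action, src, dst).
RULES = [
    ("iot-to-update-proxy", "allow", "10.50.0.0/16", "10.20.0.5/32"),
    ("meters-to-erp",       "allow", "10.50.4.0/24", "10.10.0.0/24"),
    ("iot-deny-internal",   "deny",  "10.50.0.0/16", "10.0.0.0/8"),
    ("default-outbound",    "allow", "0.0.0.0/0",    "0.0.0.0/0"),
]

def narrower(a, b):
    """The intersection of two overlapping CIDR blocks is the smaller one."""
    return a if a.subnet_of(b) else b

def iot_exposures(rules, iot=IOT_SEGMENTS, critical=CRITICAL_SEGMENTS):
    """Return (rule, src, dst) for allow rules that let IoT reach critical hosts."""
    parsed = [(n, act, ip_network(s), ip_network(d)) for n, act, s, d in rules]
    findings = []
    for i, (name, action, src, dst) in enumerate(parsed):
        if action != "allow":
            continue
        for seg in iot:
            for crit in critical:
                if not (src.overlaps(seg) and dst.overlaps(crit)):
                    continue
                s, d = narrower(src, seg), narrower(dst, crit)
                # Traffic fully matched by an earlier rule never reaches this one.
                # Partial shadowing is still reported, which is the safe side.
                shadowed = any(s.subnet_of(ps) and d.subnet_of(pd)
                               for _, _, ps, pd in parsed[:i])
                if not shadowed:
                    findings.append((name, str(s), str(d)))
    return findings

if __name__ == "__main__":
    for name, s, d in iot_exposures(RULES):
        print(f"REVIEW {name}: {s} can reach {d}")
```

In the constructed rule set, the narrow `meters-to-erp` exception is flagged because it sits above the deny rule, while the any-to-any default is not, because the deny rule catches IoT traffic first.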