IoT Security Best Practices
October 18, 2017
It’s no secret that IoT security is a problem. That’s why there are so many regulations and initiatives aimed at fixing the issue. But even with the right measures in place, networking professionals still need to be careful how they deploy IoT.
To those ends, a number of best practices have been published to guide IoT deployments. Here’s a rundown of those IoT security best practices from some of the top sites, summarized for easy reference, along with how cloud-based SD-WAN, such as Cato Cloud, can help.
ZDNet: 10 best practices for securing the Internet of Things in your organization
The 10-step list compiled by Conner Forrest includes insight from numerous IoT experts including John Pironti, president and chief information risk strategist at IP Architects, Gartner research vice president Earl Perkins, and Forrester Research senior analyst Merritt Maxim:
- Understand your endpoints — Each new IoT endpoint introduced into a network brings a potential entry point for cybercriminals that must be addressed.
- Track and manage your devices — Understand what connected devices are in the organization by rolling out an asset discovery, tracking, and management solution at the beginning of an IoT project.
- Identify what IT security cannot address — Identify what aspects of the physical device cannot be secured through IT security practices.
- Consider patching and remediation — Evaluate IoT devices in part in terms of their potential for patching and remediation.
- Use a risk-driven strategy — Prioritize critical assets in your IoT infrastructure first.
- Perform testing and evaluation — Do some sort of penetration testing or device evaluation before deployment.
- Change default passwords and credentials — While common sense, some IoT devices have default passwords that are difficult to change or cannot be changed at all.
- Look at the data — Understanding the way an IoT device interacts with data is crucial to securing it.
- Rely on up-to-date encryption protocols — Businesses should encrypt the data moving in and out of their IoT devices, relying on the strongest available encryption.
- Move from device-level control to identity-level control — As more IoT devices offer the ability to connect multiple users to a single device, the focus of security should shift to identity-level control.
Microsoft: Internet of Things security best practices
The “Internet of Things security best practices” on the Microsoft Azure site divides IoT security by role — hardware manufacturer/integrator, IoT solution developer, IoT solution deployer, and IoT solution operator:
IoT Hardware Manufacturer/Integrator
- Scope hardware to minimum requirements: The hardware design should include the minimum features required for operation of the hardware, and nothing more.
- Make hardware tamper proof: Build in mechanisms to detect physical tampering, such as opening of the device cover or removing a part of the device.
- Build around secure hardware: If COGS permits, build security features such as secure and encrypted storage, or boot functionality based on Trusted Platform Module (TPM).
- Make upgrades secure: Firmware upgrades during the lifetime of the device are inevitable.
IoT Solution Developer
- Follow secure software development methodology: Development of secure software requires ground-up thinking about security, from the inception of the project all the way to its implementation, testing, and deployment.
- Choose open-source software with care: When you’re choosing open-source software, consider the activity level of the community for each open-source component.
- Integrate with care: Many software security flaws exist at the boundary of libraries and APIs. Functionality that may not be required for the current deployment might still be available via an API layer. To ensure overall security, make sure to check all interfaces of components being integrated for security flaws.
IoT Solution Deployer
- Deploy hardware securely: Ensure hardware deployed in unsecure locations, such as public spaces, is tamper-proof to the maximum extent.
- Keep authentication keys safe: During deployment, each device requires device IDs and associated authentication keys generated by the cloud service. Keep these keys physically safe even after the deployment. Any compromised key can be used by a malicious device to masquerade as an existing device.
IoT Solution Operator
- Keep the system up to date: Ensure that device operating systems and all device drivers are upgraded to the latest versions.
- Protect against malicious activity: If the operating system permits, install the latest antivirus and antimalware capabilities on each device operating system.
- Audit frequently: Auditing IoT infrastructure for security-related issues is key when responding to security incidents.
- Physically protect the IoT infrastructure: The worst security attacks against IoT infrastructure are launched using physical access to devices.
- Protect cloud credentials: Cloud authentication credentials used for configuring and operating an IoT deployment are possibly the easiest way to gain access and compromise an IoT system.
DarkReading: Get Serious about IoT Security
Derek Manky, in a commentary on Dark Reading, identifies four recommendations for IT professionals when addressing IoT security:
- Patch management is critical — Advanced threats have exploited already patched vulnerabilities, and closing those gaps is critical. IPS and virtual patching should also be used to protect unpatched IoT devices.
- Use redundancy segmentation for securing backups — Scan backups to ensure they’re clean and segment them off the network to prevent tampering.
- Focus on improving internal visibility — Securing the perimeter is not enough. Implement the necessary controls to monitor and secure internal traffic.
- Reduce the time to defend — Connect together proactive solutions and simplify your network to respond faster to threats.
IEEE: Internet of Things (IoT) Security Best Practices
In the “Internet of Things (IoT) Security Best Practices,” the IEEE group breaks IoT security into three parts — securing devices, securing the network and securing the overall system.
Securing Devices
- Make hardware tamper resistant
- Provide for firmware updates/patches
- Perform dynamic testing
- Specify procedures to protect data on device disposal
Securing the Network
- Use strong authentication
- Use strong encryption and secure protocols
- Minimize device bandwidth
- Divide networks into segments
Securing the Overall System
- Protect sensitive information
- Encourage ethical hacking, and discourage blanket safe harbor
- Institute an IoT Security and Privacy Certification Board
How Cato SD-WAN Helps Secure IoT
IoT security remains a challenge, but there’s plenty IT professionals can do to minimize the risk. A secure, cloud-based SD-WAN, such as Cato Cloud, can certainly help.
The built-in next-generation firewall (NGFW) and firewall as a service (FWaaS) protect mobile users and locations from external threats. Even if IoT devices can’t be patched, Cato Cloud’s advanced threat protection allows IT professionals to use virtual patching to protect the devices. And by inspecting all traffic between sites, the cloud, the Internet and mobile users, Cato Cloud detects and contains IoT threats that may have penetrated the perimeter.
To learn more about Cato Cloud and how it compares with traditional, appliance-based SD-WAN, see our solution description.