A new report from the UK government has revealed a draft code of practice for the IoT. Titled “Secure by Design”, this signals an important step in progressing IoT safeguards and will hopefully prove illuminating for those who need advice on how to securely take advantage of the IoT.
Though these best practices have yet to be finalized, the report makes clear that if we don’t take action and follow these guidelines, then Parliament will be forced to enact legislation.
Government may be justified in doing that too as both commercial and critical infrastructure risks are high. IoT security is not just a case of private vulnerabilities, but increasingly one of public threats.
The rapid pace of IoT device production and adoption has resulted in a variety of security considerations being ignored. Gartner predicts that there will be over 20 billion connected devices in the world by 2020, and that the world could be riddled with security vulnerabilities as a result. Rarely a day goes by when a new smart device or feature enhancement is not discovered to be exploitable, often through some basic security failing.
These threats aren't benign either. Aside from the data leakage, many devices, even personal Wi-Fi equipment, are found to have vulnerabilities that allow attackers to surveil their owners. Mirai showed the scale of damage that the wide availability of basic IoT vulnerabilities could wreak by taking over hundreds of thousands of devices using an attack that guessed device credentials from a tiny list of commonly used default passwords. It was that simple.
IoT expansion into the commercial world poses yet more complications for security organizations. Networks of IoT endpoints provide new targets, as do the multitude of connections that such networks necessitate. Unfettered use of IoT devices, introduced into the business by employees or to support remote and mobile workers, provides a target-rich scenario for a wide array of threat actors.
Even so, it’s not clear that people understand how to manage these devices within increasingly perimeter-less and cloud-bound networks. People should think of IoT devices like other network endpoints, with the same kind of computing power as tablets, laptops or mobiles.
Admins know how to manage updates and patches for their operating systems and devices, but they think far less often about updating their IoT endpoints – assuming those endpoints are under management at all. In many cases, the use of these IoT devices on corporate networks is outside the purview of IT.
Furthermore, with a traditional endpoint an admin will have access to its underlying architecture or operating system – this is often not the case with IoT devices, leaving admins in the dark as to the attack vectors and exposures facing their network.
Given all of that, a large-scale IoT implementation by remote employees and shadow IT becomes not just a security risk but a direct threat to the bottom line.
This kind of advice has been long awaited, especially by those rolling out IoT devices, or attempting to identify, curtail and control their entry into the extended corporate network, but who lack the expertise to do so securely. Even if the draft guidelines don’t have the intended effect, they signify that governments are really waking up to the very evident risks of the IoT.
For the moment these best practices are still in draft form. In the meantime, IoT security is largely in the hands of users, and there are actions you can take to manage IoT risk.
While many IoT devices have been rightly slammed for their woeful defenses, there are plenty of well-designed and secured devices for the enterprise out there. It's important that you research a given device’s protection mechanisms. More than that, have the means to discover, classify and take policy-based actions for such devices on your infrastructure, and create a system in which IoT devices can be granted or denied network access.
It’s also important that you put sanctioned IoT devices and newly discovered devices on appropriate parts of your network. Networks should be segmented so that a vulnerability in one part of your network does not lead, through an IoT exploit, to the compromise of critical data in another part.
For IoT devices that can be accessed remotely or may need to be serviced, you’ll have to provide the right kind of secure access. These internet-enabled endpoints will have to be monitored and access authentication procedures will have to be strengthened – so you can make sure that access to and use of IoT devices adheres to policy.
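The three preceding steps (discover and classify devices, place them on the right segment with an allow/deny decision, and monitor remote access to them against policy) can be expressed as a small policy engine. The following is an added illustration, not code from the article or from the Secure by Design report; the OUI prefixes, MAC addresses, VLAN names, management subnet, discovery records and access log lines are all constructed sample data, and the classification-by-OUI approach is one simple assumption among several a real NAC product would combine.

```python
"""Discover, classify, segment and monitor IoT endpoints (added illustration).

All device records, OUI prefixes, VLAN names and log lines are constructed
sample data; nothing here refers to a real network or vendor.
"""
from dataclasses import dataclass
import ipaddress

# Constructed OUI-to-class table (hypothetical prefixes, not real vendors).
OUI_CLASSES = {
    "aa:bb:01": "ip-camera",
    "aa:bb:02": "smart-thermostat",
    "aa:bb:03": "laptop",
}
IOT_CLASSES = {"ip-camera", "smart-thermostat"}

# Sanctioned inventory: MAC -> owning team. Anything not listed is shadow IT.
SANCTIONED = {
    "aa:bb:01:00:00:01": "facilities",
    "aa:bb:02:00:00:07": "facilities",
    "aa:bb:03:11:22:33": "it",
}

# Segmentation policy: the VLAN each device class belongs on (constructed names).
SEGMENT_FOR_CLASS = {
    "ip-camera": "vlan-iot",
    "smart-thermostat": "vlan-iot",
    "laptop": "vlan-users",
}
QUARANTINE = "vlan-quarantine"

# Management network from which remote servicing of IoT devices is permitted.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")


@dataclass
class Decision:
    mac: str
    device_class: str
    sanctioned: bool
    segment: str
    action: str  # "allow" or "deny"


def classify(mac: str) -> str:
    """Classify a device by its OUI (first three octets of the MAC)."""
    return OUI_CLASSES.get(mac.lower()[:8], "unknown")


def decide(mac: str) -> Decision:
    """Known class and sanctioned -> its segment; anything else -> quarantine, denied."""
    cls = classify(mac)
    sanctioned = mac.lower() in SANCTIONED
    if sanctioned and cls in SEGMENT_FOR_CLASS:
        return Decision(mac, cls, True, SEGMENT_FOR_CLASS[cls], "allow")
    return Decision(mac, cls, sanctioned, QUARANTINE, "deny")


def parse_kv(line: str) -> dict:
    """Parse a constructed 'key=value key=value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split())


def audit_remote_access(log_lines):
    """Flag remote sessions to IoT devices that bypass the management net or MFA."""
    alerts = []
    for line in log_lines:
        f = parse_kv(line)
        if classify(f["dst_mac"]) not in IOT_CLASSES:
            continue  # only IoT targets are in scope for this policy
        src = ipaddress.ip_address(f["src"])
        if src not in MGMT_NET:
            alerts.append(f"{f['dst_mac']}: remote access from outside management net ({src})")
        elif f.get("mfa") != "yes":
            alerts.append(f"{f['dst_mac']}: remote access without MFA from {src}")
    return alerts


# Constructed discovery records, e.g. as produced from DHCP leases or ARP tables.
DISCOVERY = [
    "mac=aa:bb:01:00:00:01 ip=10.10.5.20 host=lobby-cam",
    "mac=aa:bb:02:00:00:07 ip=10.10.5.21 host=hvac-1",
    "mac=aa:bb:01:00:00:42 ip=10.10.5.22 host=cam-unknown",  # camera not in inventory
    "mac=cc:dd:ee:00:00:01 ip=10.10.5.23 host=gadget",       # unknown vendor
]

# Constructed remote-access log lines for the monitoring step.
ACCESS_LOG = [
    "src=10.99.0.5 dst_mac=aa:bb:01:00:00:01 mfa=yes",    # compliant
    "src=203.0.113.9 dst_mac=aa:bb:01:00:00:01 mfa=yes",  # from outside mgmt net
    "src=10.99.0.7 dst_mac=aa:bb:02:00:00:07 mfa=no",     # no MFA
    "src=10.99.0.7 dst_mac=aa:bb:03:11:22:33 mfa=no",     # laptop, out of scope
]


def run():
    decisions = [decide(parse_kv(r)["mac"]) for r in DISCOVERY]
    return decisions, audit_remote_access(ACCESS_LOG)


if __name__ == "__main__":
    decisions, alerts = run()
    for d in decisions:
        print(f"{d.mac} class={d.device_class} sanctioned={d.sanctioned} -> {d.segment} ({d.action})")
    for a in alerts:
        print("ALERT", a)
```

Run as a script it prints one line per discovered device with its assigned segment and a deny for the two unsanctioned devices, followed by two alerts from the access log. The design point is that the same classification feeds both the segmentation decision and the monitoring rule, so a device that is discovered but never sanctioned lands in quarantine rather than on the IoT VLAN by default.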
Manufacturers and users would be wise to heed Secure by Design’s recommendations. The report states right from the beginning that, though the UK government would rather the free market make these changes itself, inaction will force their hand: “if this does not happen, and quickly, then we will look to make these guidelines compulsory through law.”
The UK government’s new code of practice is a real wake-up call to users and manufacturers of IoT devices. Both need to take the opportunity to secure their IoT schemes now before the cops - and the robbers - come knocking.