“Having an inventory of your devices is a fundamental part of asset management,” says Andrew Wild, CISO at QTS, an international provider of data center, managed hosting and cloud services.
“We’ve also developed a policy that requires a review and approval process for new types of devices that will be attached to the network,” Wild says. “Secondly, the infosec organization is tracking all of the device types on the network to monitor the appropriate vendor vulnerability disclosures and continuing to perform network-wide vulnerability scanning to identify and fix vulnerable devices, including IoT devices.”
QTS has many network-enabled sensors and control systems that collect and forward various types of information, from environmental data to power system monitoring.
Devices should be secure by default
Having an IoT security policy and enforcing it strictly is a wise approach, DiDio says. “Organizations can mitigate and decrease the risk to an acceptable level by being proactive,” she says. “That means that in IoT environments security must be built-in from inception. The IoT environment must be secure by design, secure by default, secure in use, secure in transmission and secure at rest.”
Other “must dos” include conducting vulnerability testing to find out where the weak points are in the network and working to shut them down; staying up to date on security fixes and patches; deploying the appropriate security devices and software; training and re-certifying IT staff on the latest security mechanisms and investing in security awareness training; and taking inventory of what’s on the network.
Companies using or planning to use the IoT can also work with other organizations to push for security standards for connected objects.
“It took years for the technology community to realize the need to build security protocols into internet communications,” McNicholas says. “Companies can advance their security effectively by attempting to formulate and seek consensus on technical standards that allow for more secure communications.”
A key to developing strong IoT security will be acquiring the needed skills.
“Most organizations do not have the internal skill sets that securing IoT devices will require,” Laliberte says. “Securing IoT devices requires a unique mix of hardware, development, network, and embedded security skills. Finding these at all, let alone in one person, is extremely difficult.”
One of the skills most needed to develop better security protocols for IoT is the ability to communicate more effectively about risk, McNicholas says. This communication needs to take place among technologists, attorneys and business leaders.
“Only if the company can speak a common language can robust discussions about risks and rewards take place,” McNicholas says.