Gartner on Enterprise IoT: Segment and Isolate Everything
Tim Zimmerman Says Organizations Need IoT Security Policies
What's that IoT device on your network?
Perhaps not unexpectedly, a lot of organizations may not know, says Gartner analyst Tim Zimmerman. And with long-term vulnerabilities such as BlueKeep and Ripple20 lurking within connected devices, inattentive management could have consequences.
"You can't manage or control something that you don't know exists," Zimmerman says. "Don’t be the organization that finds out about the device after a breach. Be proactive."
Zimmerman spoke on Wednesday as part of Gartner's virtual Security & Risk Management Summit for Asia-Pacific.
The surge in the use of enterprise IoT is erasing network boundaries with new types of connectivity, and 65% of IoT projects end up changing network communication structures, Zimmerman says.
"What happens when an IoT device traditionally governed by a VLAN now is required to cross an L3 boundary?" he asks.
Enterprises can take several steps to mitigate IoT security risks, according to Zimmerman. First, they need to know what's on their network. Then, they must create IoT security policies and governance rules. And IoT devices should be segmented and isolated to reduce the impact of something going wrong.
What's on the Network?
IoT security statistics don't inspire confidence.
Some 90% of IoT security cameras have some sort of security vulnerability, according to Zimmerman's presentation. Hundreds of millions of devices are vulnerable to the Ripple20 TCP/IP issues, and 45% of medical devices are vulnerable to BlueKeep, he says (see: Millions of IoT Devices at Risk From TCP/IP Stack Flaws).
Attacks, Zimmerman says, are "only going to get worse" - largely as a result of weak or missing IoT device passwords and weak authentication.
Organizations should create a security process for their governance teams that describes procedures for adding new devices to the network, regardless of which part of the business installs one, according to Zimmerman. All devices should be placed in a risk category - such as corporate devices, guest devices (BYOD), known devices that are out of policy, and untrusted or unknown devices, he says.
Too many organizations don't know when a device is added to their network, Zimmerman says. "In one of our case studies, multiple devices with root access were on the network unknown to the IT or security teams."
All devices should be tested to monitor their behavior before they are put into production, Zimmerman says. Those tests should be conducted within a container for several weeks, but some users feel pressured to have devices go into production in as little as a day, he adds.
Putting a governance policy in place can codify the risks around such decisions, Zimmerman says. An IoT security policy should encompass discovery, identification and authentication. Taking it further, the devices could be segmented by role-based policies. "This allows you to put those cameras into one segment, building automation into another. Devices from one segment don't even see the other devices," he says.
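The classification and role-based segmentation Zimmerman describes above, shown as an added example rather than anything from the talk or from Gartner: a constructed asset inventory is reconciled against devices observed on the wire, each device lands in one of the four risk categories named earlier (corporate, guest/BYOD, known-but-out-of-policy, untrusted/unknown), and a role-to-segment map keeps cameras and building automation from seeing each other. Segment names, MAC addresses and the `in_policy` flag are all assumptions.

```python
# Added example (not from the article): inventory reconciliation, risk
# categorisation and role-based segment assignment for IoT devices.

# Constructed inventory: MAC -> (owner, role, in_policy).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("corporate", "camera", True),
    "aa:bb:cc:00:00:02": ("corporate", "building_automation", True),
    "aa:bb:cc:00:00:03": ("guest", "byod", True),
    "aa:bb:cc:00:00:04": ("corporate", "camera", False),  # known, but out of policy
}

# Constructed list of MACs seen on the network; the last one was never registered.
OBSERVED = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03",
            "aa:bb:cc:00:00:04", "de:ad:be:ef:00:99"]

# Role-based segments (assumed names). Anything not trusted goes to quarantine.
ROLE_SEGMENT = {"camera": "seg-cameras",
                "building_automation": "seg-bas",
                "byod": "seg-guest"}
QUARANTINE = "seg-quarantine"


def classify(mac):
    """Return (risk_category, segment) for one observed device."""
    entry = INVENTORY.get(mac)
    if entry is None:                       # nobody added it through governance
        return "untrusted_unknown", QUARANTINE
    owner, role, in_policy = entry
    if not in_policy:                       # known device that drifted out of policy
        return "known_out_of_policy", QUARANTINE
    if owner == "guest":
        return "guest_byod", ROLE_SEGMENT["byod"]
    return "corporate", ROLE_SEGMENT[role]


def build_plan(observed):
    """Map every observed MAC to its category and segment."""
    return {mac: classify(mac) for mac in observed}


def allowed(plan, src, dst):
    """Isolation rule: traffic only flows inside one non-quarantine segment."""
    src_seg, dst_seg = plan[src][1], plan[dst][1]
    return src_seg == dst_seg and src_seg != QUARANTINE


def unregistered(plan):
    """Devices on the wire that the inventory knows nothing about."""
    return sorted(mac for mac, (cat, _) in plan.items() if cat == "untrusted_unknown")
```

Running `build_plan(OBSERVED)` surfaces the unregistered device for follow-up and gives the segment assignment an enforcement point (NAC, switch ACLs, firewall) can consume.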
IoT Strategic Network Road Map
For now, the ramping up of IoT governance is limited, and lack of staff with the necessary skills is a critical issue, Zimmerman says.
He recommends that organizations determine if their current strategy allows them to discover and classify all IoT devices. Then, within 90 days, they should create a governance policy that has board-level support, he says. "Now is the time to get ahead of the curve."