I would wager that just about everyone reading this article has some sort of smart home gadget nearby (whether you want to or not!). Maybe you have an Amazon Echo powering some lights and switches to help you go to sleep and wake up more easily. Or, if you’re like this writer, you may spend more time than you want to admit with Home Assistant, trying to automate literally anything just for the fun of it.
In recent years, consumer-grade Internet of Things (IoT) devices have become cheaper and easier to use, and the same is true in the Industrial IoT (IIoT) market. Trends like Industry 4.0/5.0 and increased governmental pressure to better secure critical infrastructure are only small catalysts to this movement. IIoT devices, ultimately, are meant to keep workers safe by automatically collecting data, performing specific actions, or completing other critical tasks.
Both IoT and IIoT face the same primary challenge: how do you secure some of the riskiest devices out there? And let's remember, these devices are typically cheaply produced with hardcoded firmware and operating systems that cannot be upgraded, leaving vulnerabilities open in an organization's (or home's) network.
Yes and no. The concept of smart and IoT devices is not inherently bad or dangerous. At the most basic level, these devices offer increased convenience, control, and comfort in our homes – while improving safety, assisting with data collection, and boosting business agility in the industrial space. It is in the actual implementation of the devices that things can quickly go sideways.
Generally speaking, IoT devices run legacy firmware and operating systems, which leaves them exposed to common exploits that can be easily found on the internet. On the consumer side, manufacturers rarely send out updates for IoT devices like smart plugs or bulbs because it just doesn't make sense for them to do so. They prefer to sell new hardware with updated software rather than build out upgrade mechanisms for all the various types of devices they have on the market.
The industrial side is unfortunately no different. At many, if not most, companies, legacy hardware and software is running some of the most critical tasks for the business. This could include anything from monitoring air quality in a coal mine, to controlling the amount of chemicals mixed into our drinking water, to complex manufacturing lines where a single moment of downtime means significant monetary loss.
Communication and connectivity are the name of the game when it comes to improving IoT security. Various devices and sensors are always checking, storing, and sending data to a central repository, and this means some type of network access is needed. Manufacturers of both IoT and IIoT devices will demand unrestricted internet access to transfer data and allow you to interact with the devices from a centrally managed dashboard.
There's no silver bullet for either IoT or IIoT security, but let's look at some best practices for securing these popular devices, both at home and in the enterprise:
Segment your networks: Using 802.1Q VLANs, carve up the larger corporate network into smaller, more defined chunks, typically based on purpose. Setting up an "IoT" VLAN is a good first step, but it's key to go even further, creating VLANs based on vendor, device type, and device role, and continuing to layer granularity.
Enforce traffic policies on both inter-VLAN and VLAN <-> internet communications: IoT devices call home to many sources, so it is crucial to set firewall or other traffic policies that allow only validated, authorized traffic to the vendor's own endpoints and block everything else. In addition, confirming that VLANs cannot talk to each other (no routing between VLANs) helps contain malware or ransomware if a device becomes infected.
If an organization (or home) cannot utilize VLANs, using physical ports on a router connected to a core switch is also a workable option but may lack the same granularity as VLANs.
Utilize an identity-based approach to securing access to both the physical devices and all management consoles: Especially in the industrial space, if device control is compromised through a dashboard, it can lead to catastrophic results. Legacy VPNs, SDPs, and other traditional access solutions put too much emphasis on the network and provide broad access rather than granular security.
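To make the segmentation and traffic-policy recommendations above concrete, here is an added example of an nftables forward ruleset for a small router that has a corporate VLAN, an IoT VLAN, and a WAN uplink. It is not from the article or from any vendor; the interface names, VLAN numbering, management subnet, and the vendor address range are all assumptions chosen for illustration.

```nft
# Added example (not from the article): default-deny forwarding between a
# corporate VLAN (vlan10), an IoT VLAN (vlan20) and the internet (eth0).
# Interface names, subnets and the vendor range are assumptions for illustration.
table inet iot_segmentation {
    # Vendor cloud endpoints the IoT VLAN is allowed to call home to.
    # 203.0.113.0/24 is a documentation range used as a placeholder, not a real vendor.
    set vendor_cloud {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        # Nothing crosses a VLAN boundary unless a rule below explicitly allows it.
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows that were already permitted.
        ct state established,related accept

        # IoT VLAN -> internet: only the validated vendor endpoints, only HTTPS.
        iifname "vlan20" oifname "eth0" ip daddr @vendor_cloud tcp dport 443 accept

        # Anything else leaving the IoT VLAN is logged and dropped, which also
        # covers attempts to reach the corporate VLAN (no inter-VLAN routing).
        iifname "vlan20" log prefix "iot-egress-denied " drop

        # Only the management subnet on the corporate VLAN may reach IoT device
        # consoles (SSH/HTTPS); the rest of the corporate VLAN cannot.
        iifname "vlan10" oifname "vlan20" ip saddr 10.10.0.0/24 tcp dport { 22, 443 } accept

        # Corporate VLAN keeps normal internet access.
        iifname "vlan10" oifname "eth0" accept
    }
}
```

Load it with `nft -f <file>` on the router; the `iot-egress-denied` log prefix gives you a ready-made signal for devices calling home somewhere other than their vendor.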
While Cyolo is not (yet) available for home users or the consumer space, we do have a proven track record in helping Operational Technology (OT) and industrial organizations understand their IoT threat landscape and put in place identity-based access and connectivity controls to achieve the outcomes above. With a unique architecture that does not rely on network connectivity or vendor trust, Cyolo is perfectly positioned to solve access nightmares for both IoT and IIoT.
Josh Martin is a security professional who told himself he'd never work in security. With close to 5 years in the tech industry across Support, Product Marketing, Sales Enablement, and Sales Engineering, Josh has a unique perspective into how technical challenges can impact larger business goals and how to craft unique solutions to solve real world problems. Josh joined Cyolo in 2021 and prior worked at Zscaler, Duo Security, and Cisco.
Outside of Cyolo, Josh spends his time outdoors - hiking, camping, kayaking, or whatever new hobby he's trying out for the week. Or, you can find him tirelessly automating things that do NOT need to be automated in his home at the expense of his partner. Josh lives in North Carolina, USA.