The Explosive Growth of IoT: An Expanding Attack Surface
The incredible growth of the Internet of Things has presented unique business opportunities and enabled operational models across a wide range of industries and use cases. Although estimates vary, Gartner Research predicts there will be over 25 billion connected IoT devices by the end of this year. These devices are powering exciting new use cases across a multitude of industries from automotive to healthcare, as well as driving business outcomes and operational efficiencies previously unattainable. However, this explosion in adoption has inadvertently expanded the attack surface, exposing organizations to a wide range of IoT security risks. In fact, in just the first half of 2021, there were 1.5 billion IoT attacks (Source: Threatpost.com). Modern security models like Zero Trust present an opportunity to ensure the business and operational benefits of IoT are not negated by the increased risk of deploying these types of devices at scale.
IoT Security Challenges: A Focus on Features, Not Security
One of the ongoing challenges in securing IoT is the nature of the devices themselves. Device manufacturers are focused on form and function, with little to know emphasis on the actual security of the device. This has made IoT a popular target for attacks as hackers exploit these vulnerabilities using a wide variety of techniques. To make matters worse, applying common endpoint security controls typically associated with user devices such as an endpoint agent or strong authentication are not possible in the world of IoT. This combination of the increasing number of these devices, along with little to no built-in security, make the lack of security control options even more of an issue when it comes to overall risk to the organization.
Applying Zero Trust to IoT: Starting with Visibility
Another challenge related to IoT security is a simple lack of visibility for IT security teams. Since many IoT devices are purpose built devices such as security cameras or MRI machines, these devices are typically deployed by facilities or manufacturing teams with little to no coordination with security stakeholders. Without proper visibility, security controls cannot be applied, making reducing the associated risk impossible. Comprehensive visibility should be “Step 0” in any organization’s approach to applying Zero Trust best practices to their IoT infrastructure. Once discovered and profiled, each device should also be evaluated for overall risk based on a range of criteria from vulnerability posture to the type of access the device has to other resources such as critical applications and data. This visibility and risk assessment will drive the overall strategy for Zero Trust best practices and security controls such as “least access” privileges. At Palo Alto Networks, many customers utilize our IoT Security solution to gain comprehensive visibility and start securing their IoT infrastructure.
Applying “Least Access” Controls
One of the cornerstones of a Zero Trust strategy is the concept of “least access”. This means allowing only the right amount of access to applications and resources necessary for a user, or in this case, an IoT device to do its “job” on the network. As an example, a security camera should only be communicating video traffic to a specific destination such as a security head end or storage server. Similarly, a MRI machine in a hospital should only be communicating to infrastructure that supports the storage and viewing of medical scans. Each device should not be going out to the internet, except in the rare case they require an update such as a firmware update from the manufacturer. This “least access” approach mitigates a wide range of threats related to device compromise and limits lateral movement and other malicious activities.
The final consideration in applying Zero Trust to IoT lies in continuous monitoring. Once visibility is achieved and “least access” policies are in place, continuous monitoring of devices is critical to detect if a device has been compromised and is acting in a way that deviates from typical behavior. Luckily, this is relatively easy to do given the mostly static nature of today’s IoT devices. As purpose built devices on the network, IoT devices should have a static set of access requirements and a predictable pattern of behavior. Given these characteristics, tools that provide behavioral baselining and analytics are key to identifying when a particular device has “gone rogue” and has deviated from its business purpose within the organization.
Zero Trust as a Business Enabler
When done right, Zero Trust presents an opportunity to not only increase security, but to also reduce overall complexity by rebuilding security in a way that meets our modern digital transformation initiatives. When applied to the incredible growth and opportunity presented by IoT, unique business and operational benefits can emerge, while managing a large majority of the risk introduced by this emerging infrastructure.