IoT security is a growing concern as modern enterprises attempt to take advantage of these handy devices. These concerns are compounded by reports of DDoS attacks perpetrated with the devices, causing massive damage to unsuspecting victims. More recently, a sophisticated DDoS attack on Dyn resulted in the takedown of several popular sites, like Twitter and Dropbox. Just a few weeks before that, Krebs on Security fell victim to a similar-style botnet which used IoT devices as proxies. Occurrences like this create a sense of wariness and raise the security question: Should these devices be kept separate from internal business networks?
To answer that question, we ultimately need to understand both the goals of any IoT deployment and the potential risks of connecting these devices to internal networks. IoT devices by their very nature are social creatures. After all, being connected to a larger web of devices is why they were created in the first place. As such, the more they're able to communicate with associated systems, the more useful they'll likely be.
Take a recent case study by Network World, for example. An HVAC business was running into issues keeping up with customer service. They relied on an old model where customers themselves reported issues to an associate who then relayed the message to the appropriate technician. The process was convoluted and error-prone.
In stepped IoT to the rescue. Under their new model, the same company leveraged the benefits of IoT sensors to communicate issues with HVAC units directly to an enterprise app ecosystem. In doing so, the company was able to cut time off customer service requests and save money by cutting out precious man-hours.
The real linchpin to this strategy was the ability of IoT to talk with internal services. In this case, it was ERP and CRM systems; in yours, it might look slightly different. Either way, in order to unlock the full potential of IoT in the enterprise, there must be some way for each side of the equation to collect useful information.
Providing a Safe Environment
So how can this be done safely? Many would be quick to throw IoT devices in a DMZ or segregated VLAN. While this would certainly reduce the risk of malicious behavior generated by these instruments, their usefulness would be limited. Fortunately, IoT can be safely used within the confines of your business-facing network.
The key to IoT security is two-fold. First, control over communication between these devices and critical infrastructure must be maintained. This is as simple as being supremely selective when granting communication to and from IoT deployments. When you think about it, IoT devices should only be deployed with a specific goal in mind. If certain communication lines — at the network, software and/or hardware level — don't directly contribute to that goal, they shouldn't be enabled.
While this may seem like common sense, the sheer number of devices and the sources from which they're introduced make this task easy to overlook. The second aspect is tightly bound up with the first. These devices and the communication lines through which they operate must be closely monitored. It's important here not to be single-minded either. While strictly monitoring network traffic can help keep your IoT deployments from taking part in the aforementioned DDoS attacks, a more comprehensive approach is needed. Using solutions that monitor application traffic as well will help you stay on top of IoT devices that behave maliciously.
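To make the two aspects concrete, here is an added example (not from the original article) that audits flow records from an IoT subnet against a purpose-based allowlist and flags both unapproved destinations and approved flows carrying far more data than their purpose needs. The subnet, the ERP and CRM addresses, the ports, the byte ceilings and the flow record format are all assumptions made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical deployment: HVAC sensors on one subnet, two approved destinations.
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
# (dst, proto, dport) -> max bytes expected per flow record for that purpose
ALLOWED = {
    ("10.1.5.10", "tcp", 8883): 10_000,   # telemetry to ERP ingest (assumed)
    ("10.1.5.20", "tcp", 443): 20_000,    # service requests to CRM API (assumed)
}

# Constructed flow records, one per line: src dst proto dport bytes
SAMPLE_FLOWS = """\
10.20.0.11 10.1.5.10 tcp 8883 2048
10.20.0.12 10.1.5.20 tcp 443 5120
10.20.0.13 203.0.113.7 udp 53 90000
10.20.0.13 10.20.0.11 tcp 23 400
10.20.0.12 10.1.5.10 tcp 8883 750000
10.1.9.4 10.1.5.20 tcp 443 700
"""

def audit(flow_text):
    """Return {device_ip: [(reason, flow_line), ...]} for IoT-sourced flows."""
    findings = defaultdict(list)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        src, dst, proto, dport, nbytes = fields
        if ipaddress.ip_address(src) not in IOT_SUBNET:
            continue  # only traffic sourced by IoT devices is in scope
        limit = ALLOWED.get((dst, proto, int(dport)))
        if limit is None:
            # Default deny: the flow does not serve the deployment's stated goal.
            findings[src].append(("not-allowlisted", line))
        elif int(nbytes) > limit:
            # Approved path, but the volume is out of line with its purpose.
            findings[src].append(("volume-exceeded", line))
    return dict(findings)

if __name__ == "__main__":
    for device, items in sorted(audit(SAMPLE_FLOWS).items()):
        for reason, line in items:
            print(f"{device}: {reason}: {line}")
```

The same allowlist can drive the firewall or ACL rules themselves, so that enforcement and monitoring are checked against one definition of what each device is for.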
As IoT continues to grow — and grow it will — so will the potential risk associated with its use. That being said, by maintaining control over their channels of communication along with comprehensive monitoring of their chatter, these devices can in fact live harmoniously inside your network. As with any internet-connected technology, remaining vigilant and proactive is the key to staying safe.