Need to Jumpstart IoT Security? Consider Segmentation

The Internet of Things (IoT) holds great promise for business collaboration and innovation through connections unimaginable a decade ago.

In the healthcare industry, medical devices connecting patients, caregivers, and systems across facilities are being used to save lives and find cures. Manufacturers embarking on their digital transformation journey are connecting devices on the factory floor to increase uptime, productivity, and competitive advantage. And connected meters, switches, and circuit breakers are allowing utilities to deliver power with the reliability and reach necessary to keep the economy moving. In fact, the number of connected things is expected to reach more than 20 billion by 2020, according to Gartner.

But as the IoT grows, so too does security risk. Organizations often aren’t aware of all the IoT devices connected to their network and expanding the attack surface. Adversaries are taking advantage of these weaknesses and are using these devices to establish a presence in an environment and move laterally across networks quietly and with relative ease until they accomplish their mission. WannaCry held medical devices for ransom at hospitals and shut down factories. Attacks on power grids compromised devices to infiltrate and disrupt critical infrastructure. Meanwhile, botnets like Mirai have infected hundreds of thousands of IoT devices, turning them into a collective weapon capable of launching coordinated attacks to incapacitate websites and take down parts of the Internet itself.

Segmenting Networks

IoT devices cannot protect themselves, either because they lack the system resources to run any significant security capabilities or because they were never designed with security in mind. Yet they need to be secured so that they can perform their functions unimpeded while making it harder for threat actors to use them for malicious activity.

Without visibility into the entire network, even expert security teams can miss anomalies and threat detectors. The next layer of defense comes from network and application segmentation that can secure your most private intellectual property and data. With flat networks, once attackers get in, they can go anywhere, and attaching IoT devices only increases the attack surface. Software-based, extensible segmentation at an IoT scale, along with a segmentation strategy driven by security controls, can prevent lateral movement and effectively improve security.

As you outline your segmentation strategy, here are three important aspects to keep in mind:

Identity and Trust - Establishing identity and the assignment of trust to users and devices

Visibility - Into the network, systems, applications, and devices, to drive security analytics and auditability

Availability - Establishment of resilience and availability mechanisms to meet business requirements

Let’s take a quick look at how these elements come together.

Electric utilities can have hundreds to thousands of power substations in geographically remote and difficult-to-reach locations. Therefore, any work that can be done remotely will help keep operational costs down by saving time and effort. Of course, that access must be secure. Additionally, if a technician is required to visit a substation, network access must be restricted to approved devices. Similarly, manufacturers often must allow remote access to their network from multiple vendors that provide remote support to their equipment. But they often lack visibility as to when the vendors are accessing their networks and what actions the vendors are taking during that time. A strategic segmentation approach ensures alignment to business goals while allowing access only to permitted, profiled devices, be it to the network at the substation or to machinery on the factory floor.

In a hospital setting, equipment moves around; an array of devices connects to the network; patients and caregivers need network access; electronic medical records must be protected; and campuses and regional clinics need to be connected. You need to understand all the systems on the network that generate data and the various individuals and devices that need to communicate and have access to that data. From there you can assign permission-level access and apply policy enforcement, not just in the network but also within systems and applications.
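The following is an added example, not part of the original article, of the step described above: profiled devices are mapped to segments, only listed segment-to-segment flows are permitted, and observed flows are audited for unprofiled devices and for traffic that crosses segments without a rule. All device names, segment names, rules and flow records are constructed assumptions.

```python
# Added example: default-deny segmentation audit for a hospital network.
# Device IDs, segment names, rules and flow records are all constructed.

# Identity and trust: every profiled device is assigned to exactly one segment.
INVENTORY = {
    "pump-017": "clinical-devices",
    "emr-db-01": "emr-servers",
    "nurse-ws-22": "care-staff",
    "guest-ap-03": "guest-wifi",
}

# Policy: the only permitted (source segment, destination segment, port) flows.
ALLOWED = {
    ("clinical-devices", "emr-servers", 443),
    ("care-staff", "emr-servers", 443),
    ("care-staff", "clinical-devices", 443),
}

# Visibility: constructed flow records (source device, destination device, port).
FLOWS = [
    ("pump-017", "emr-db-01", 443),
    ("nurse-ws-22", "emr-db-01", 443),
    ("guest-ap-03", "emr-db-01", 443),
    ("pump-017", "nurse-ws-22", 445),
    ("cam-unknown", "emr-db-01", 22),
]


def check_flow(src, dst, port):
    """Return (verdict, detail) for one flow; anything not allowed is denied."""
    src_seg, dst_seg = INVENTORY.get(src), INVENTORY.get(dst)
    if src_seg is None or dst_seg is None:
        return "unprofiled", src if src_seg is None else dst
    if (src_seg, dst_seg, port) in ALLOWED:
        return "allow", f"{src_seg} -> {dst_seg}:{port}"
    return "deny", f"{src_seg} -> {dst_seg}:{port}"


def audit(flows):
    """Report devices missing from the inventory and flows with no matching rule."""
    report = {"unprofiled": set(), "denied": []}
    for src, dst, port in flows:
        verdict, detail = check_flow(src, dst, port)
        if verdict == "unprofiled":
            report["unprofiled"].add(detail)
        elif verdict == "deny":
            report["denied"].append((src, dst, port, detail))
    return report
```

The `unprofiled` set is the visibility gap (devices on the network that nobody has assigned an identity), and the `denied` list is the traffic a flat network would have let through.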

Segmentation is an important element of any security strategy to mitigate risk from IoT-based attacks, but it has to be done right. An approach that considers both specific business goals and the technology landscape, and that is developed and can evolve based on identity and trust, visibility, and availability, allows you to reduce risk while helping your organization realize the promise of the IoT.

Ashley Arbuckle, Cisco’s VP/GM, Global Security Customer Experience, is responsible for the company’s security services portfolio, designed to accelerate customers’ success and deliver an exceptional customer experience. With over 20 years of security and customer success experience, Arbuckle has a long record of accomplishments that span security consulting, enterprise security operations, product management and general manager responsibilities. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo, where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.