Organizations must isolate IoT from regular IT, says telco

Isolating IoT deployments from the main network is among new advice from AT&T.

Tracking Internet of Things solutions already implemented, including their vulnerabilities, is among the recommendations made in newly published advice from AT&T.

Almost all (90%) of organizations aren’t convinced that their own IoT solutions are secure, AT&T says it found in an October 2015 survey.

AT&T has since produced advice that says an “all-inclusive” risk assessment must be completed by companies as they shift into IoT implementations. The advice is published in a recent cybersecurity guide (PDF) aimed at CEOs.

Key advice is that IoT deployment should be isolated from the main network, the company says. In other words, IoT data and networks should be inaccessible from the “existing IT systems.” That way “an attacker’s ability to launch broader cyberattacks on mission-critical systems” can be reduced, AT&T says. AT&T is a mobile data network vendor.

Companies should try to figure out the kinds of risks that each IoT deployment brings in, AT&T believes. Those risks could be related to data or to physical and operational resources, and at the very minimum each IoT device should have some kind of security on it, the telco says.

A third of organizations have reported that they might have more than 5,000 devices connected, AT&T says.

“Business and technology leaders must be mindful of the security implications of this new technology,” AT&T says in the advice. The challenge grows further as IoT devices are deployed to control infrastructure, such as factory operations and supply chains. And it’s not just a company’s own devices that require mindfulness, AT&T explains. Partners’ and customers’ IoT can cause just as many problems. In fact, 88% of respondents “lack full confidence in the security of their business partners’ connected devices,” AT&T found in the 2015 study.

“At many organizations, IoT devices are being deployed without proper security measures,” AT&T says. Part of that isn’t the company’s fault, though. Much of the equipment used in manufacturing, say, was never designed to be used on the Internet. The telco cites the example of shop-floor equipment that has become Internet-enabled. The lack of security there opens up IoT to hackers looking for vulnerabilities. AT&T says it’s identified a 458% “increase in vulnerability scans of IoT devices.”

A major issue is that companies don’t know how many devices they have, or how many they are responsible for. Almost half of those surveyed said they were “merely estimating” numbers. Only 14% had any formal auditing in place.

Software or firmware patching functionality should be a requirement in any IoT device, the phone company thinks. All network-connected IoT should have it. System resets and a no-default, unique password should also be included, the company says.

Plus, there shouldn’t be any backdoors that could be exploited, or “ancillary services” that aren’t relevant to the function of the device, AT&T says.

In addition to the aforementioned risk assessment and separation of IoT networks from existing IT in a deployment, AT&T says communication with other stakeholders is important. The CEO, at whom the report is aimed, should get each business unit to understand the importance of security, and should define “security protocols” for legal and regulatory reasons, too.

And while AT&T is in the security business, as well as the data network business, and so might be expected to show enthusiasm for a push for security in devices, the company does come up with some horrific examples of IoT hacking worth recounting: In 2014, an IoT attack in Germany prevented a steel mill blast furnace from being shut down.

And sometime between 2011 and 2014, a security researcher hacked into an airline flight entertainment system and was able to send “a climb command to the aircraft on which he was traveling,” AT&T says.

Copyright © 2016 IDG Communications, Inc.