Enterprise deployment of IoT devices brings a unique requirement to enterprise security that is distinct from normal end points and data centers. Here are three strategies to address it.

When it comes to security and manageability, Enterprise of Things (EoT) devices must have far more stringent requirements than consumer IoT devices, which often have virtually no built-in security. Indeed, enterprise use of consumer-grade IoT is highly risky.

Making the matter even more urgent is the growing number of deployed EoT devices, which is expected to increase significantly over the next two to three years. (I estimate there will be more “things” in an enterprise than PC and mobile phone clients combined within three to four years.)

As a result, it is imperative that companies address the growing security requirements for these devices in order to avoid any potential catastrophic events (e.g., hacking of automated tools, disruption of processes, autonomous vehicles losing control, drones crashing, GPS systems redirected, etc.). While some may be costly in terms of data or production loss, others may be downright deadly.

3 strategies for improving EoT security

There are many issues involving EoT security, which should be seen as an integrated component of overall enterprise security and not a unique requirement. For this brief discussion, I’ll focus on three key points that can easily make or break an EoT installation.

Hardening EoT devices

It’s imperative that companies deploy EoT devices that are built on secure and verifiable architectures for both hardware and software. Technology such as ARM’s TrustZone or Intel’s Trusted Execution Technology provides a secured area of the chip that can be used to store critical data that can securely identify and/or run kernel-level code to prevent malicious activity.
Root of trust systems, now prevalent in many of the newer generation of chips and proven in the mobile device world, also provide a way to verify the OS on booting and/or before running so as to prevent hijacking of the device.

Unfortunately, many older, and even some current, EoT devices are built on lower-level, less-functional chips that do not provide such technology. And consumer-grade IoT devices generally have no protection. It’s imperative that companies identify and replace any such devices. The ease with which they can be hacked is appalling, and the damage potential is great. This is a liability enterprises should eliminate as soon as possible.

Securing all code running on these devices

Code security requires both a hardware and software approach that work in unison. As indicated above, modern chips have built-in security functions to protect against errant code that can be used to hijack a device. In conjunction with a hardened operating system, such as BlackBerry QNX (which has been used in mission-critical applications for many years) and newer versions of Android and Windows for IoT, a combined front against malicious activity can be established.

But that is not enough. It’s also imperative that companies test their apps for any potential avenues of attack. Many test tools exist for apps running on virtually any OS, but many EoT products still contain custom-built, low-level code that has never been adequately screened. Along with the imperative to check the hardware technology stated above, it is equally important to ensure that the software is fully secured through fault testing and simulations.

Monitoring of all network traffic to/from EoT devices

Finally, it’s critical to prevent the hostile takeover of large numbers of devices. This has occurred in many consumer devices where DDoS attacks were delivered from wireless cameras, Wi-Fi access points, etc. An effective way to prevent such activity is to monitor traffic to and from the EoT endpoints.
Many network monitoring tools already exist (e.g., RSA NetWitness, Citrix Netscaler), and they can prove valuable in finding suspicious network activity that could point to malicious behavior. While I believe all organizations should deploy network traffic monitoring as a security measure, it’s doubly important for EoT devices that could affect safety and/or operations of the organization.

Bottom line: Many older EoT installations exist, and new ones are rapidly coming online. Enterprises deploying EoT solutions should not follow the consumer model where lowest cost often outweighs required secure implementations. While no EoT installation is quite the same, it’s still imperative to try to develop some standard security practices that can at least limit the type and scope of security breaches.

Without a concerted effort, EoT can actually do more harm than good. Companies should act now before the scale of installed unprotected devices makes it impossible to create a comprehensive security strategy.
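The traffic monitoring described in the third strategy can be illustrated with a per-device baseline check that flags off-baseline destinations, flood-level volume, and several devices converging on one target. This is an added example, not code from the article or from the tools it names; the flow records, device names, baseline table and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records, not real traffic:
# (minute, device, dst_ip, dst_port, packets_sent)
FLOWS = [
    (0, "cam-01", "10.0.5.10", 443, 40),
    (0, "cam-02", "10.0.5.10", 443, 38),
    (0, "ap-01", "10.0.5.20", 8883, 12),
    (1, "cam-01", "10.0.5.10", 443, 42),
    (1, "cam-02", "198.51.100.7", 80, 9000),
    (1, "ap-01", "198.51.100.7", 80, 8700),
    (2, "cam-01", "203.0.113.9", 53, 3),
    (2, "cam-02", "198.51.100.7", 80, 9100),
]

# Assumed baseline: the only destinations each device should ever contact.
# A device missing from this table has every flow flagged.
BASELINE = {
    "cam-01": {("10.0.5.10", 443)},
    "cam-02": {("10.0.5.10", 443)},
    "ap-01": {("10.0.5.20", 8883)},
}

def analyze(flows, baseline, flood_pkts_per_min=1000, min_devices=2):
    """Return (alerts, coordinated) for traffic leaving EoT devices."""
    alerts = []                  # one entry per off-baseline flow
    fan_in = defaultdict(set)    # (minute, dst) -> devices seen off-baseline
    for minute, dev, ip, port, pkts in flows:
        dst = (ip, port)
        if dst in baseline.get(dev, set()):
            continue             # expected traffic, nothing to report
        kind = "flood" if pkts >= flood_pkts_per_min else "unexpected-destination"
        alerts.append((minute, dev, dst, kind))
        fan_in[(minute, dst)].add(dev)
    # Several devices hitting the same off-baseline target in one minute
    # points to a coordinated takeover, not one misconfigured device.
    coordinated = sorted(
        (minute, dst, sorted(devs))
        for (minute, dst), devs in fan_in.items()
        if len(devs) >= min_devices
    )
    return alerts, coordinated

if __name__ == "__main__":
    found, groups = analyze(FLOWS, BASELINE)
    for entry in found:
        print("ALERT", entry)
    for group in groups:
        print("COORDINATED", group)
```
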