One of the biggest concerns with the Internet of Things (IoT) is making sure networks, data, and devices are secure. IoT-related security incidents have already occurred, and the worries among IT, security and networking managers that similar events will take place are justified.

“In all but the most restrictive environments, you’re going to have IoT devices in your midst,” says Jason Taule, vice president of standards and CISO at security standards and assurance company HITRUST. “The question then isn’t if, but how you are going to allow such devices to connect to and interact with your networks, systems and data.”

What can organizations do to enhance IoT security? There are plenty of options, including a number of practices that might not be so obvious.

Run security tests on IoT source code

To build better security into IoT, organizations should start with the smallest component in their network infrastructure, the code, says Laura DiDio, principal at research and consulting firm ITIC.

“The majority of IoT devices are very small,” DiDio says. “Therefore, the source code tends to be written in the ‘common tongue’—C or C++ and C# languages, which frequently fall victim to common problems like memory leaks and buffer-overflow vulnerabilities. These issues are the network equivalent of the common cold.”

And like the common cold, they are pesky and persistent, DiDio says. “In IoT environments, they can proliferate and become a big and often overlooked security problem,” she says.
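As an added illustration, not code from the article or from anyone quoted in it, the following C program models the buffer-overflow class DiDio describes and the stack-cookie (canary) check that catches it, which she goes on to recommend. Rather than corrupting a real stack frame, it lays a frame out as a byte array: a 16-byte buffer followed by an 8-byte cookie sitting where the saved frame pointer and return address would come next. The cookie value, buffer sizes and inputs are constructed for the example; a real protector (GCC or Clang with -fstack-protector) draws a fresh random cookie per process so that it cannot be guessed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout: buf[0..15], then the 8-byte cookie. In a real
 * frame the saved frame pointer / return address sit just past the cookie,
 * so any overrun that reaches them has already clobbered the cookie. */
#define BUF_SIZE    16
#define COOKIE_SIZE 8
#define FRAME_SIZE  (BUF_SIZE + COOKIE_SIZE)

/* Fixed for reproducibility; real protectors pick a random value per process.
 * The low byte is deliberately 0x00 so that str* copies stop before reaching
 * the cookie, a trick real canaries also use. (Constructed value.) */
static const uint64_t STACK_COOKIE = 0x0a22bbc13d4ce500ULL;

/* Copies len bytes of input into the modelled frame without a bounds check,
 * then performs the epilogue check. Returns 1 if the cookie is intact, 0 if
 * the copy overwrote it (where a real program would abort instead). The copy
 * is capped at FRAME_SIZE so that the model itself never leaves the array. */
int copy_with_cookie_check(const char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    uint64_t observed;

    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &STACK_COOKIE, COOKIE_SIZE); /* prologue: plant cookie */

    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, input, len);                            /* the unchecked copy into buf */

    memcpy(&observed, frame + BUF_SIZE, COOKIE_SIZE);     /* epilogue: re-read cookie */
    return observed == STACK_COOKIE;
}

/* Drives a few constructed inputs through the check so the program runs
 * stand-alone; the return value is how many overflows were detected. */
int count_detected_overflows(void)
{
    const char *inputs[] = {
        "READ",                              /* 4 bytes: fits */
        "0123456789ABCDEF",                  /* 16 bytes: fills buf exactly */
        "0123456789ABCDEFG",                 /* 17 bytes: first cookie byte hit */
        "AAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB",  /* 32 bytes: cookie fully replaced */
    };
    int detected = 0;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int intact = copy_with_cookie_check(inputs[i], strlen(inputs[i]));
        printf("%-34s cookie %s\n", inputs[i], intact ? "intact" : "OVERWRITTEN");
        if (!intact)
            detected++;
    }
    return detected;
}

int main(void)
{
    int n = count_detected_overflows();
    printf("%d of 4 inputs overwrote the cookie\n", n);
    return 0;
}
```

The 17-byte input is the instructive case: a single byte past the buffer is enough to change the cookie, so the check fires long before the overrun reaches the return address. That is also why the check is a detection, not a prevention: the overflow still happened, and the safe response is to terminate rather than continue with a corrupted frame.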
“The best defense here is to test, test and re-test.” There are a variety of well-regarded testing tools on the market that have been used for IoT devices, DiDio says.

Security and IT administrators can also use stack cookies, DiDio says. These are randomized data strings that applications are coded to write onto the stack just before the saved instruction pointer, which is where data spills when a buffer overflow occurs. “In the event a buffer overflow does occur, the stack cookie gets overwritten,” she says. The application is also coded to verify that the stack cookie still matches the value it originally wrote. If the stack cookie doesn't match, the application terminates.

Deploy access controls

Controlling access within an IoT environment is one of the bigger security challenges companies face when connecting assets, products and devices. That includes controlling network access for the connected objects themselves.

Organizations should first identify the behaviors and activities that are deemed acceptable for connected things within the IoT environment, and then put in place controls that account for this but at the same time don’t hinder processes, says John Pironti, president of consulting firm IP Architects and an expert on IoT security.

“Instead of using a separate VLAN [virtual LAN] or network segment, which can be restrictive and debilitating for IoT devices, implement context-aware access controls throughout your network to allow appropriate actions and behaviors, not just at the connection level but also at the command and data transfer levels,” Pironti says.

This will ensure that devices can operate as planned while also limiting their ability to conduct malicious or unauthorized activities, Pironti says.
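As an added example, not code from the article or from IP Architects, here is a small C policy evaluator in the spirit of Pironti's advice: it decides each connection on the direction of the connection (which zone initiated it) and on the application-level command it carries, rather than on VLAN membership alone, and denies by default anything not on a device's allow-list. The zones, device names, commands and sample flows are constructed; in practice these decisions live in a firewall, proxy or broker that can see the command, and the denied lines are exactly the events to log and monitor against a baseline of expected behavior.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed network zones. MGMT is where operators and control servers live,
 * INTERNAL is everything else inside the company, INTERNET is outside. */
enum zone { ZONE_IOT, ZONE_MGMT, ZONE_INTERNAL, ZONE_INTERNET };

/* Per-device allow-list of application-level commands (constructed names). */
struct device_policy {
    const char *device;
    const char *allowed_cmds[4];   /* NULL-terminated */
};

static const struct device_policy POLICIES[] = {
    { "thermostat-01", { "read_temp", "set_setpoint", NULL } },
    { "camera-07",     { "get_frame", "fw_update", NULL } },
};

/* One observed connection attempt: src is the zone that initiated it. */
struct flow {
    enum zone   src;
    enum zone   dst;
    const char *device;    /* the IoT device on either end */
    const char *command;   /* command carried, or "" for a bare connection */
};

static int command_allowed(const char *device, const char *command)
{
    for (size_t i = 0; i < sizeof POLICIES / sizeof POLICIES[0]; i++) {
        if (strcmp(POLICIES[i].device, device) != 0)
            continue;
        for (const char *const *c = POLICIES[i].allowed_cmds; *c; c++)
            if (strcmp(*c, command) == 0)
                return 1;
        return 0;   /* known device, command not on its list */
    }
    return 0;       /* unknown device: default deny */
}

/* Returns 1 to allow the flow, 0 to deny it.
 * Connection level: an IoT device may only initiate toward the Internet;
 * it never opens connections into MGMT or INTERNAL.
 * Command level: connections into an IoT device must come from MGMT and
 * carry a command on that device's allow-list. */
int allow_flow(const struct flow *f)
{
    if (f->src == ZONE_IOT)
        return f->dst == ZONE_INTERNET;
    if (f->dst == ZONE_IOT)
        return f->src == ZONE_MGMT && command_allowed(f->device, f->command);
    return 1;       /* flows that touch no IoT device are out of scope here */
}

/* Evaluates a constructed batch of flows, prints a one-line verdict per flow
 * (the DENY lines are what a monitoring baseline would collect), and returns
 * the number of denied flows. */
int evaluate_sample_flows(void)
{
    static const struct flow flows[] = {
        { ZONE_MGMT,     ZONE_IOT,      "thermostat-01",  "set_setpoint" },
        { ZONE_MGMT,     ZONE_IOT,      "thermostat-01",  "fw_update"    },
        { ZONE_INTERNAL, ZONE_IOT,      "camera-07",      "get_frame"    },
        { ZONE_IOT,      ZONE_INTERNAL, "camera-07",      "connect"      },
        { ZONE_IOT,      ZONE_INTERNET, "camera-07",      "ntp"          },
        { ZONE_MGMT,     ZONE_IOT,      "badge-reader-3", "read_badge"   },
    };
    static const char *const zone_names[] = { "iot", "mgmt", "internal", "internet" };
    int denied = 0;
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++) {
        int ok = allow_flow(&flows[i]);
        printf("%-5s %-8s -> %-8s %-15s %-13s %s\n", ok ? "ALLOW" : "DENY",
               zone_names[flows[i].src], zone_names[flows[i].dst],
               flows[i].device, flows[i].command, ok ? "" : "(log for review)");
        if (!ok)
            denied++;
    }
    return denied;
}

int main(void)
{
    printf("%d flows denied\n", evaluate_sample_flows());
    return 0;
}
```

Two of the denials show why the command level matters: the thermostat is a known, permitted device, yet a firmware-update command from the management zone is still refused because that device's list does not include it, and a device that no policy knows about is refused regardless of where the connection came from.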
“This process can also establish a baseline of expected behavior that can then be logged and monitored to identify anomalies or activities that fall outside of expected behaviors at acceptable thresholds,” he says.

Require IoT gear to meet security standards

Organizations as a matter of course hire all kinds of service providers, and in some cases those services are provided through equipment that’s placed on the customer’s premises. In the age of IoT, there’s a good chance the machinery will be connected and therefore vulnerable to hacking and other intrusions.

It’s up to the customer to ensure that there is accountability in place if something goes wrong.

“One place to start is within contracting,” says Brian Haugli, a partner at security consulting firm SideChannelSec and a former security executive at insurer Hanover Insurance Group. “Are your vendors pushing an IoT into your enterprise as part of their services or solutions? If so, you must know about it and see that it's part of the contracting/procurement.”

Make sure it's clear who's responsible for updates and the lifecycle of the equipment, as well as whether you'll have access to it in case of an incident, Haugli says.
“I've seen HVAC [heating, ventilation, and air conditioning] and printer companies not give up access that led to a stalled response effort,” he says. “Those same vendors would push back on routine patching responsibilities or upgrades” to operating systems.

In some cases, a contract might not specify when the customer would warrant a new piece of equipment with a supporting operating system, and the vendor might be unwilling to take on the cost, Haugli says. As a result, an unsupported and vulnerable device could be allowed to sit on the network far longer than it should.

“If we aren’t articulating our requirements to our vendors, don’t take steps to confirm compliance and aren’t holding them accountable, what basis do we have for expecting these issues to be addressed?” Taule says. “In the same way that hardware OEMs and software companies now all expect to be held accountable to identify and quickly resolve weaknesses in their products, so too should the companies that provide us the IP cameras, medical devices, printers, wireless access points, refrigerators, environmental controls and the untold number of other IoT devices upon which we increasingly rely.”

Companies should apply the controls outlined in common security frameworks to IoT devices, Taule says. For example, include security functional requirements in your contracts; request recent vulnerability scans or assert the right to scan them yourself; obligate the vendors to provide timely updates to address identified weaknesses; and rescan the devices after any firmware updates to ensure that identified issues have been resolved and that no new issues have been introduced.

Defend against IoT identity spoofing

Hackers and their techniques have become more proficient over the years, and this can represent a big threat for IoT security.

“They continually up their game like counterfeiters and forgers,” DiDio says.
“The exponential increase in IoT devices means that the attack surface or the attack vector has increased exponentially.”

That makes it imperative that businesses and their security and IT departments verify the identity of the IoT devices that they’re communicating with, and ensure that they are legitimate for critical communications, software updates and downloads.

All IoT devices must have a unique identity, DiDio says. In the absence of a unique identity, an organization is at high risk of being spoofed or hacked from the microcontroller level to the endpoint devices at the network edge to the applications and the transport layer, she says.

Don't let IoT devices initiate network connections

Companies should limit the ability of IoT devices to initiate network connections, and instead only connect to them using network firewalls and access control lists, Pironti says.

“By establishing a one-way trust principle, the IoT devices will never be able to initiate connections to internal systems, which can limit an attacker’s ability to leverage them as jump points to explore and attack network segments,” Pironti says.

While this will not prevent adversaries from attacking systems that have established connections to them directly, it will limit their ability to laterally move within networks, Pironti says.

Enterprises can also force connections to IoT devices to go through jump hosts and/or network proxies, Pironti says. “By proxying the connection in a funnel point, an organization can then inspect network traffic prior to coming from and to IoT devices, and interrogate [the traffic] more effectively,” he says.
That enables it to determine if the traffic and the payloads it carries are appropriate for the IoT device to be receiving or transmitting.

Give IoT a network of its own

Many types of control devices, such as thermostats and lighting controls, connect via wireless. However, most enterprise wireless networks require WPA2-Enterprise/802.1x, says James McGibney, senior director of cyber security and compliance at Rosendin Electric, an electrical contractor.

“Most of those devices do not support WPA2-Enterprise,” McGibney says. “Developing a more secure device would be ideal. However, if the environment supports it you could put those devices on their own wireless network, segregated from the production network and allowing Internet access only.”

That would require creating a separate service set identifier (SSID) and virtual LAN and having the capacity to route that traffic through a firewall, McGibney says. The segregated wireless network would be configured and managed from a centralized location, he says.

“We have done this for some devices, [such as] vending machines that require Internet access, which we have no control over,” McGibney says. “We put them on our guest network, which is segregated from production.” It runs on the same hardware but is on a separate VLAN, he says.

Insert security into the supply chain

IoT endeavors typically reach across multiple partners in a supply chain, including technology vendors, suppliers, and customers, and security must take that into account.

“If you haven’t already done so, go to your contracts, finance, or whatever other group in your organization manages supply chain,” Taule says. “Start a conversation and a relationship with them such that approval is not provided for any IoT purchases unless security team concurrence has been provided.”

These departments will eagerly comply with this if security offers to shoulder the burden of work for the analysis, Taule says.

Exactly how best to enhance the supply chain vendor selection process is up to the individual organization, Taule says, but he recommends considering manufacturers that allow independent validation; advocating for a write-protect switch on the device side so that the firmware cannot be updated without your knowledge; and only procuring authentic products rather than counterfeits.