Internet of Things (IoT) devices have proven their worth and have become commonplace across business sectors at companies of all sizes. They offer powerful new sensing and management capabilities that companies in previous decades could only dream of.
The global market for business IoT devices has grown steadily thanks to the broad range of capabilities this technology offers. The research firm McKinsey & Company estimated that the total global volume of connected IoT devices will be 43 billion by the end of 2023. That represents a three-fold increase in just the past four years.
As the install base of IoT devices increases, so does the attention of hackers and other bad actors. That means our security precautions need to advance at an even faster rate.
Internet of Things security challenges will require some unique solutions. This article explores one specific, often overlooked angle: the physical security of these powerful networked assets. It digs into some of the greatest security challenges this “converged” technology poses and offers some suggested best practices for addressing them.
Internet of Things devices are powerful because they bring together physical and networked systems. It is converged technology that puts data collecting and physical control tools into settings where neither could exist side-by-side before.
That means IoT devices create a security convergence. For example, a physical attack on an IoT target could render your network vulnerable. And vice versa, a remote network-based attack could create a physical threat to your people or facility.
IoT technology comes in all shapes and sizes. But when it comes to thinking about business security, there are three main categories you must pay attention to.
Because they’re networked, these systems can be compromised by an attacker, just like a networked IT system. And attackers can take control of them to do physical damage to your facility. That means we need new building security.
Mobile IT devices and computing peripherals are also IoT tools you need to know. These devices commonly include smartphones, wireless displays mounted in your hallways, networked printers, and other wireless devices. These devices run basic operating systems and are targets for remote attacks. Unfortunately, they’re also all valuable and desired by thieves.
The last category of IoT devices you need to worry about is mobile inventory management devices. Warehouse workers use wireless handheld scanners to track inventory items coming and going from your facility.
They also have wireless network connections to send data to financial, inventory, and Enterprise Resource Planning (ERP) systems in real time. These devices are essential to a company’s wider business operations, so you need a reliable way to track and store them.
If you want to know the best physical and network security measures to take, you first need to understand the unique threats of using IoT devices in your workplace. Some of the most common include:
As we’ve seen, market forecasts show a sustained, strong demand for IoT enterprise devices. Unfortunately, this has led some manufacturers to prioritize ease of setup over security. They’re looking for any angle to set themselves apart to make a sale, which often leads them to make shortcuts in the name of convenience.
For example, many manufacturers ship IoT devices with open network connections and well-known default passwords. Those are gifts to hackers. The burden is on your IT department to manually harden the security on every device as it comes in the door.
The value of an IoT network increases as you make it larger. But unfortunately, larger networks can be more complex, making them difficult to secure. And hackers can hide malicious activity in higher volumes of traffic.
Distributed denial of service (DDoS) attacks can be devastating. Unfortunately, they will likely become more common as hackers figure out how to leverage the billions of new, unsecured IoT devices connected to the Internet.
To instigate a DDoS attack, a hacker first gains control of many devices over the Internet using a virus or many other forms of remote attack. Then, they connect these devices to a network under their control. DDoS networks can sit dormant for months or years, with devices going about their normal business until the hacker flips a switch and turns those devices into a “botnet” that overwhelms a target system with a tidal wave of garbage network traffic.
If an IoT device is connected to the Internet, it is at risk of becoming part of a botnet. You might become the target of that botnet attack. In the best-case scenario, you only lose control of your IoT devices until your IT security team can disconnect them locally.
While attackers often look to compromise IoT devices to make them part of a wider botnet, more concerning for a company is an attacker using a vulnerable IoT device to initiate a lateral attack on their network. A lateral attack is when a hacker first comprises a less important but vulnerable device on a network—for example, an IoT air quality sensor.
Then, they use their access to that device to force their way laterally, across your network, into another device. They repeat this process undetected until they’ve comprised a valuable target, like a server with employee data or trade secrets.
So those are some of the key security challenges companies can expect to face when introducing new IoT technology into the workplace. There is a lot to deal with, but you have many tools available to overcome these challenges.
Any company looking to purchase new building, technical, or handheld IoT equipment should follow some basic security best practices. We’ve collected some of the most important ones here.
Look for personal devices staff brought into the workplace, items your teams might have purchased from discretionary budgets that didn’t make it into official records, and any other IoT assets in the workplace that slipped through the cracks. Add these to your master inventory. Then schedule your next inventory update. Annual updates are a recommended minimum.
Just because an IoT device comes with a wireless connection doesn’t mean you have to use it. Every network connection introduces a new security vulnerability into your workplace.
Evaluate whether you’re going to use each device's sensing or data gathering capabilities. If the answer is no, then disable its network connection.
You can have all the hardened network and physical security in the world, but if your people don’t know how to use it or assess threats, you’re going to be vulnerable. So you need to secure the human layer.
Train your employees on how to use IoT devices safely and securely. Ensure they know the possible threats to IoT infrastructure your organization might face.
Most organizations follow regular maintenance and update schedules for IT devices. But IoT infrastructure devices are often not equipment your IT team is used to interacting with. So make sure your newly-networked IoT infrastructure is added to your regular software update schedules.
As with ensuring newly-networked devices get updates, you also need to start monitoring them for ongoing network security issues. You can’t rely on endpoint protection—like antivirus software—as most IoT devices don’t run operating systems that can support those measures. Instead, your IT security will be network-level, needing real-time attention.
Mobile IoT devices, like smartphones, tablets, and handheld scanners, are popular targets for theft. So, in addition to the network security measures we’ve discussed so far, you also need to provide improved physical security and management for these assets. Smart asset lockers are an excellent tool for doing that.
Smart lockers secure your mobile IoT assets. Connected management software gathers real-time intelligence on how they’re used, where they are, and who has them signed out. Advanced smart locker systems also offer built-in charging for your IoT devices, content surveillance to monitor their health, and workflow support to improve their use.
IoT infrastructure and mobile devices can deliver the competitive advantage you need to get ahead. That is, as long as you secure and manage them properly.
Internet of Things assets are converged technology that require proper care as both network and physical devices. Your entire organization can benefit from their use, but it must understand how to manage them securely and efficiently.
Check out our Guide Physical Security 101: How to Start Building a World-Class Security Program