Scalable Security for IoT Deployments: Privileged and Permissioned

IoT and Industrial IoT present the greatest network, data and application security challenges in recent history.

In fact, some experts believe that the business potential for the connected world is being held back due to security concerns, and rightfully so.

What’s holding IT, OT and network operations teams back from large implementations, whether smart buildings or smart factories, smart campuses or smart cities, is fear of attacks and security breaches.

In a survey about IoT security published earlier this year, researchers found that 97 percent of respondents believe unsecured IoT devices could be catastrophic for their organization.

For those who had implemented IoT technologies, only 29 percent reported actively monitoring connected endpoints and systems for related third-party risks.

The Ponemon Institute, an independent research firm focused on privacy, data protection, and information security policy, and the Shared Assessments Program, the industry-standard body on third-party risk assurance, published The Internet of Things (IoT): A New Era of Third-Party Risk, confirming what many CIOs already believe: that we’re still early and that there are clear and present dangers when security is not implemented properly. 

Real-world cyber-attacks against IoT have heightened awareness over the last few years. Here are a few of the most well-known examples:

  1. In the US, IoT devices were turned into bots, then controlled and used to participate in a DDoS (Distributed Denial of Service) attack like the one that targeted Dyn, bringing down Netflix, Twitter, Amazon, Airbnb, CNN and the New York Times.
  2. In Germany, a steel mill was the target of a cyberattack, when hackers successfully took control of the production software and caused significant material damage to the site.
  3. In Ukraine, an entire power grid was taken offline, impacting 86,000 homes.
  4. In Dallas, Texas, 156 tornado alarms were hacked, and continued to go off in repeating 90-second cycles, causing panic and fear of WWIII.
  5. In the UK and elsewhere, hospital devices were hit with ransomware, causing a state of emergency to be declared, because the hospitals were unable to continue critical services.

It’s no wonder those responsible for enterprise networks, applications, and sensitive data are slow to roll out large IoT deployments, despite the business case: cost savings, more competitive offerings, more efficient supply chains, and stronger bottom lines.

They’ve spent the last few decades trying to keep up with threats to their basic infrastructure – servers, networks, phone systems, and clouds – putting Identity and Access Management (IAM) and Privileged Access Management (PAM) systems in place to control who has access (or the ability to gain access) to the infrastructure, from which devices, and with what level of access.

“Today, the IoT is not confined within an organization’s typical control boundary, as the connected infrastructure has moved far beyond those control lines,” said the 2017 Verizon Data Breach Digest report, which went on to say of enterprise IoT: “These devices exist virtually everywhere, are available anytime, and are on a variety of platforms. This must prompt organizations to think about IoT threat modeling in a manner that incorporates security and privacy by design.”

To secure these and other modern devices, Gartner noted that privileged access management (PAM) is essential for ensuring IoT networks cannot be hacked, but with the increased number of endpoint devices that IoT brings, the demands on PAM are becoming much more distributed, complicated and expensive.

PAM helps to manage the people and the hundreds of thousands of “things” that are connected to a network, and is already in place in most large enterprises today.

As noted by Gartner, however, PAM for IoT is substantially different from traditional PAM. Security specialists must treat PAM for IoT as a specialized domain and not simply as an extension of traditional PAM, because there are huge differences when it comes to securing a variety of IoT devices, supported on nearly 500 different IoT platforms.

There is no single security tool or solution for IoT, as is the case with traditional IT and OT.

Traditional security solution approaches are not the only option.

There are and will be privileged accounts for IoT end devices, gateways and servers that are used by humans and applications.

When considering PAM for IoT, and not just core IT infrastructure and networking, scalability is a major concern, which is why Krontech knows our carrier-grade solution is much more scalable than those of more traditional PAM providers.

To learn more about how Krontech’s PAM solutions can secure IoT and IIoT deployments, contact us.

Author: Ilyas Apaydin