As the number of IoT devices expands, enterprises need secure, zero trust policies in place to prevent third-party attacks
The number of IoT devices is exploding every year, with an estimated 13.2 billion online in 2022 and an expected 34.7 billion by 2028. This expansion is redefining the size of enterprise network attack surfaces and, with unsecured edge devices frequently being exploited in lateral network breaches, organizations are looking to improve security with zero trust IoT solutions.
How is IoT being attacked?
It’s no surprise that hackers are actively working to steal your company’s data and intellectual property. As digital tools including cameras, sensors, point of sale (POS) systems, meters, and more are brought online, they present a potential entry point when not properly administered.
Lateral attacks
Many IoT devices automatically begin broadcasting their IP addresses when powered on. This information can often be discovered by anyone using a readily available IP scanner, most of which are available online and are perfectly legitimate. Bad actors can use this to gain access to, for example, a fish tank thermometer or an HVAC system; although the device itself holds no valuable data, it can serve as a foothold for moving laterally from one device to another until wider access is achieved.
Also, some IoT devices come with default credentials that, when not managed properly, aren’t changed. This risk is compounded when dozens, hundreds, or thousands are installed and connected to the network.
Efficient isn’t always secure
While IoT devices come in all shapes and sizes, they’re typically built to be highly efficient, with exactly enough processing power to perform specific tasks and no more. Unfortunately, most aren’t equipped to install or operate onboard security and anti-virus applications.
Zero trust principles
Zero trust security is built on the assumption that anyone attempting to use a network must be treated as a potential bad actor and restricted through ongoing verification. Zero trust principles do not consider any part of a network to be an implicit trust zone, meaning that even after an identity is verified, a user is only able to connect to specific, predetermined resources.
Organizations are rapidly adopting zero trust networking principles to complement or replace Virtual Private Networks (VPNs). To illustrate the difference between the two, imagine that you’re visiting a school as a presenter for career day. After your identity is verified at the front office, a VPN system would grant you implicit trust and give building-wide access, including to any classroom or facility.
A school with a zero trust implementation replaces implicit trust with context-based trust, meaning that even after identity verification by a school security officer, access would only be allowed to a specific classroom and nowhere else. Additionally, ongoing monitoring would be conducted to verify that every action was in accordance with prescribed policies, a violation of which would result in expulsion.
Zero trust IoT is essential
With only explicit connections from a user to a resource being allowed, IoT zero trust standards are critical for ensuring modern WAN security. Again, when bad actors target IoT devices in a factory, restaurant, or department store, the risk of loss comes not from the sensors, meters, or cameras themselves, but from the fact that once a device is breached, hackers can move laterally through the network until more valuable assets are identified.
Zero trust architecture uses site-to-site encryption and can include IoT remote access functions to provide secure communication across sites, vehicles, devices, applications, users, and the cloud. It also enables administrators to isolate user-to-resource access to limit lateral movement, hide IP addresses, build granular policies, and eliminate risky default access.
The need for zero trust IoT security is readily apparent when considering Industrial IoT (IIoT) use cases, where thousands of devices are regularly brought online. This is especially true for locations including auto manufacturing sites, water treatment plants, distribution warehouses, transportation hubs, and healthcare facilities.
For example, a router in a factory might have 20 IoT devices connected to it. With zero trust in place, none of those devices could communicate with each other without explicitly defined permissions, and even then, only through the router.
Secure access for third-party vendors
Few if any organizations rely entirely on employees for daily business operations, typically turning to external contractors, consultants, and other third parties for work — many of which require some degree of network access. Going back to the career day example, students might take notes from your presentation on school-issued laptops or tablets, support for which would likely be provided by a third party. Verifying Wi-Fi connectivity and installing applications would require limited network access, but system-wide access would present unreasonable risk.
Rather than offering the keys to the kingdom, carefully defined user-to-resource connections can be granted using a Zero Trust Network Access, or ZTNA, solution. This would allow the vendor to update internet filters but not to access applications where a student’s grades could be altered.
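To make both the factory-router scenario and the vendor ZTNA scenario concrete, here is an added policy-evaluation example written for this article; it is not any vendor's product code, and the device names, resource names and ports are assumed. A flow is allowed only when the identity is verified, the traffic passes through the router where policy is enforced, and an explicit user/device-to-resource rule exists; everything else is denied and logged as a possible lateral move.

```python
# Constructed zero trust policy check for IoT and third-party access.
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Rule:
    src: str            # verified identity: a device or a user
    dst: str            # the single resource this identity may reach
    ports: frozenset    # destination ports explicitly permitted

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    verified: bool      # identity checked by the enforcement point (the router)
    via_router: bool    # False models a direct peer-to-peer link that bypasses policy

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

# Assumed policy: a factory segment and a school segment, both default deny.
POLICY: List[Rule] = [
    Rule("plc-07", "historian", frozenset({8883})),             # MQTT over TLS only
    Rule("camera-12", "nvr", frozenset({554})),                 # RTSP to the recorder
    Rule("vendor-tech", "web-filter-admin", frozenset({443})),  # ZTNA: filter updates only
]

def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Decision:
    """Default deny: allow only verified, router-mediated flows matching one explicit rule."""
    if not flow.verified:
        return Decision(False, "identity not verified")
    if not flow.via_router:
        return Decision(False, "direct path bypasses the enforcement point")
    for rule in policy:
        if rule.src == flow.src and rule.dst == flow.dst and flow.port in rule.ports:
            return Decision(True, f"explicit rule {rule.src} -> {rule.dst}:{flow.port}")
    return Decision(False, "no explicit rule: treat as attempted lateral movement")

def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> List[str]:
    """One log line per denied flow, the events a SOC would want to alert on."""
    return [f"DENY {f.src} -> {f.dst}:{f.port} ({evaluate(f, policy).reason})"
            for f in flows if not evaluate(f, policy).allow]

if __name__ == "__main__":
    sample = [
        Flow("plc-07", "historian", 8883, True, True),       # permitted
        Flow("plc-07", "camera-12", 22, True, True),         # device-to-device, no rule
        Flow("camera-12", "nvr", 554, True, False),          # bypassed the router
        Flow("vendor-tech", "grades-app", 443, True, True),  # outside the vendor's scope
    ]
    for line in audit(sample):
        print(line)
```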
Simplified management improves security
Companies face a growing number of threats as 5G enables simple and fast connectivity for remote locations, vehicles, applications, and the burgeoning number of IoT devices. As network administrators work to protect systems with zero trust IoT principles, it’s important to consider where the solution is coming from. While certainly available from third parties, including reputable vendors like Palo Alto and Fortinet, onboarding and managing yet another platform can become unwieldy for overburdened IT staff.
The ideal recipe is to use a cloud-based network management platform with integrated zero trust. Networks based on modern zero trust principles enjoy a reduced attack surface and improved protection against damaging lateral movements — enabling all the benefits of 5G to expand edge device connectivity.