The massive scale, device complexity, and long product lifecycles of connected products have all created a situation where even the most mature enterprise IT organizations struggle to secure their IoT environments. More critically, many of the weaknesses in connected products are at an under-the-hood level that only you, the manufacturer, can address.
Vendor risk management is becoming pivotal to enterprises and they’re increasingly holding their vendors accountable. Enterprises are expecting product manufacturers to take a stronger leadership role in not only designing more secure IoT products but also providing security support over the entire lifecycle of a deployed device.
IoT product manufacturers should be building out a robust product security program that includes long-term security monitoring capabilities. Your customers need it and are willing to pay a premium to address some of the ongoing challenges associated with securing connected devices, including:
There are literally billions of IoT devices compared to millions of IT devices connected to enterprise systems. Maintaining such a large volume of devices is almost impossible for an already overburdened IT staff to keep up with.
Couple that volume with the diversity of IoT device types and the problem is exacerbated. The unique characteristics of so many disparate devices make it almost impossible for IT personnel to keep up with the knowledge they need to configure and monitor the equipment deployed in their operations.
IoT devices run on a variety of purpose-built software and third-party applications that IT may not be able to access. The maintenance of this software is often owned by the manufacturer, either via remote access or via service personnel visits. Even if the IT organization can gain access to the code or operating system, it is often contractually barred from updating it by the manufacturer due to concerns that these changes could materially change its performance.
High-value connected products such as expensive medical devices or industrial IoT (IIoT) devices tend to remain in service for far longer than the typical IT network device. New vulnerability discoveries for any device always stack up over time and the configuration of these products can also slowly decay to a less secure state as installers, users, and ultimately malicious attackers make changes to things like firewalls, running processes, installed software, and antivirus settings.
IoT devices use significantly more types of networks and communication protocols than enterprise IT devices. Devices might be using cellular, Bluetooth, Wi-Fi, physical internet, mesh, or some other connectivity approach. Monitoring these networks, which are not traditional TCP/IP networks, is often difficult for IT to handle.
IoT devices produce massive amounts of data. Business solutions typically use data from devices and often aggregate that data in the cloud. This means IT security managers need to understand where the data goes, how it’s being stored, and how it’s being used. It’s a tall task keeping track of and securing these high-volume data flows across a legion of different devices. In addition, IoT data traffic may cause interruptions in other applications and systems.
Many connected products are an evolution of existing machinery in physical operations that used to be secured from tampering and malfeasance through physical protection, and by keeping them off the corporate network via so-called air gaps. Nowadays IoT devices are spread across many geographically dispersed, sometimes unsecured locations. Add on the problem of ‘shadow IT’ devices, common for IoT, and security quickly becomes more of an issue.
Traditional security tools like antivirus software were not built to work outside a company’s firewall, and in most cases, IoT devices do not have the bandwidth to run scanning software at the edge.
Many organizations that utilize IIoT devices, connected medical devices, and other connected products in operational technology (OT) environments lack the requisite experience in OT cybersecurity to know how to find and prioritize fixes to vulnerable connected devices without jeopardizing delicate OT environments with a very low tolerance for downtime—such as in dire medical situations or for critical infrastructure.
Throughout all of this, enterprise IT lacks guidance, documentation, or any other kind of support from the majority of their IoT device vendors.
As more enterprise IT organizations come to grips with these challenges, IoT vendors should prepare themselves for the increasing scrutiny they’ll face directly from their customers and from regulators to shoulder more of the responsibility in improving the state of IoT across the globe. Yet, this pressure spells opportunity for new IoT security services and market differentiation. Promoting security features and functionalities can give a big boost to a connected product by encouraging customers otherwise leery of turning on connectivity. Or, with the right product security visibility in place, manufacturer support of enterprise IT can be offered in the form of revenue-generating add-on security services.
All of this will take a concerted effort that goes far beyond just scanning embedded software for vulnerabilities before shipping products. The smartest manufacturers recognize that they need to be able to track the security posture of their devices over the entire deployment lifecycle. Understanding configuration problems, identifying new vulnerability discoveries in third-party code, and identifying issues in the customer environment that could impact the security of deployed devices should all be part of a comprehensive IoT product security strategy.
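As an added illustration (not code from the original article or from the CPX platform), the following Python sketch shows the two checks a lifecycle monitor would run against a device snapshot: configuration decay relative to a commissioning baseline (the firewall, running-process, installed-software and antivirus items listed above) and matching of installed third-party components against advisories published after deployment. The Snapshot class, the snapshot data and the advisory feed are all constructed for the example; the advisory identifier is a placeholder, not a real one.

```python
from dataclasses import dataclass, field

@dataclass
class Snapshot:
    """Security posture of one deployed device at a point in time (constructed model)."""
    firewall_enabled: bool
    antivirus_enabled: bool
    listening_ports: set                           # ports with a running listener
    packages: dict = field(default_factory=dict)   # component -> installed version

def version_tuple(v):
    """'1.1.1' -> (1, 1, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))

def config_drift(baseline, current):
    """Return findings where the device has decayed from its commissioning baseline."""
    findings = []
    if baseline.firewall_enabled and not current.firewall_enabled:
        findings.append("firewall disabled since baseline")
    if baseline.antivirus_enabled and not current.antivirus_enabled:
        findings.append("antivirus disabled since baseline")
    for port in sorted(current.listening_ports - baseline.listening_ports):
        findings.append(f"new listening port {port}")
    for name in sorted(set(current.packages) - set(baseline.packages)):
        findings.append(f"new package installed: {name}")
    for name, ver in sorted(current.packages.items()):
        old = baseline.packages.get(name)
        if old is not None and old != ver:
            findings.append(f"{name} changed {old} -> {ver}")
    return findings

def component_advisories(current, feed):
    """Match installed third-party components against an advisory feed.
    feed maps component -> [(fixed_in_version, advisory_id)]; a component is
    affected when its installed version is older than fixed_in_version."""
    hits = []
    for name, ver in sorted(current.packages.items()):
        for fixed_in, advisory in feed.get(name, []):
            if version_tuple(ver) < version_tuple(fixed_in):
                hits.append((name, ver, advisory))
    return hits

# Constructed sample data: baseline captured at commissioning, a later snapshot
# where the firewall was turned off and an FTP daemon appeared, and a feed with
# a placeholder advisory identifier.
BASELINE = Snapshot(True, True, {443}, {"openssl": "1.1.1", "busybox": "1.31.0"})
CURRENT = Snapshot(False, True, {443, 23},
                   {"openssl": "1.1.1", "busybox": "1.31.0", "vsftpd": "3.0.3"})
FEED = {"openssl": [("1.1.2", "ADV-PLACEHOLDER-001")]}

if __name__ == "__main__":
    for line in config_drift(BASELINE, CURRENT):
        print("drift:", line)
    for hit in component_advisories(CURRENT, FEED):
        print("advisory:", hit)
```

Each finding is the kind of item a manufacturer's monitoring service could surface to the customer's IT team without touching the device itself, which is what the lifecycle-support model described above amounts to in practice.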
To get a glimpse into how your team could use IoT lifecycle security monitoring to take your product security function to the next level, get a demo of the CPX platform.