3 factors that will impact the future of IoT device management

Dec. 5, 2019
Organizations must take a proactive approach to mitigate the growing cyber risks posed by connected tech

Despite valiant efforts, there is little doubt that cybersecurity will continue to be a priority for most organizations for the foreseeable future. Hackers are still actively trying to infiltrate both company and individual networked systems of all kinds. Ransomware, malware, spyware, and other unwanted programs continue to infect systems, destroy or breach data, and steal intellectual property. Automated “bot” programs scour the entire global network and attack every computer or website they find, probing for weaknesses such as software that is outdated or has known vulnerabilities.

One might think that this situation would lead to decreased interest in connecting more devices to global networks. On the contrary, the number and diversity of new internet-enabled devices is rapidly increasing, and we are still in the early stages of a far more interconnected world that will be driven by the Internet of Things.

The bad news is that no network-accessible information or system is completely safe, and no industry, government, or individual is immune.

The good news is that right now is the perfect time to review security strategies for IoT devices and update cyber-related management processes so that organizations are as ready as they can be for this rapidly approaching reality. Here are three primary factors that will impact how IoT devices will be managed going forward.

Factor #1: The Scale of the Challenge

IoT is changing the scale of the security challenge. In the past, devices such as a door lock or security camera were based on physical mechanisms or dedicated electronic circuits. Today, internet-enabled door locks and security cameras incorporate processors and operational firmware that needs to be tracked, managed, and updated. IT and Security departments that were used to managing an organization’s servers and laptops are already finding themselves tasked with managing a much larger number of devices in order to maintain security on their networks.

Soon, even more devices will be added – environmental sensors, lighting controls, heating vents, and many more. It isn’t too far-fetched to envision a day soon when every individual sprinkler head on a campus-wide irrigation system is network-enabled and driven by updatable firmware. By that time, managers of larger systems won’t be managing a few hundred devices; they will be managing thousands, hundreds of thousands, or perhaps even millions of devices.

Clearly, tracking and updating procedures that will work for a small number of servers, physically located in a single room, will not work for large numbers of devices scattered across a multi-building campus. This complexity of vendors, timing, and sheer numbers will drive changes in how such a system can be managed and protected – and will soon affect many organizations.

Factor #2: The Nature of Interconnected Devices

The nature of IoT devices is also changing because the purpose of IoT devices is to increase the capabilities of interconnected systems. In the past, for example, a video camera captured images and sent a video stream directly through a dedicated cable to a recorder. The camera and the recorder each performed their function separately and had distinct and separate purposes. Today, video surveillance systems are often managed by a video management system (VMS) that communicates with, and controls, both the recorders and the cameras using an IP network.

This interoperability between the elements of the networked system supports far greater capabilities and flexibility than the older method based on the functionality of each element. This new approach also supports large, complex systems made up of, for example, cameras from multiple vendors. In order for it to work, however, the software for each element must not only be maintained and updated in a way that protects it from evolving networked threats, but also updated in a way that is compatible with every other element in the system to support the desired operations.

Going forward, manufacturers of IoT devices will have a significant and growing challenge to maintain the ongoing security of their devices while also maintaining the functional interoperability with all the various systems that will be interacting with their devices to perform desired functions.

Factor #3: The Impacts of Increased Security

As mentioned above, today’s network environment includes hackers, malware, and automated attackers. In response, manufacturers of networked devices are increasing not only the basic security features of their offerings but also the next higher level of security protections. For example, some networked surveillance cameras not only require a password to access their administrative functions, but now also include a function to lock out IP addresses temporarily if too many failed attempts happen in a row.

As more systems are implemented that will make use of multiple IoT devices to accomplish an ever-wider range of functions, managing the passwords of the devices will also grow in importance and complexity. Today, a VMS must also store the current password of every accessible camera in the system, in addition to that password being stored locally at every camera. Likewise, cameras that are equipped to send proactive messages to VMS or other systems must also store the passwords of those systems. Both of these need to be aware of the security protocols of their connected counterparts to avoid triggering lockouts or raising alarms. How would a camera’s own security protocol react, for example, to an automated system trying to update its firmware – would it view the attempt as an attack?

Today, it is still far too common to have system managers take shortcuts rather than fully manage this complexity. In fact, California recently enacted a law that prohibits manufacturers from shipping into the state a surveillance camera that has a default password – because so many surveillance systems were found with default passwords still active. And the complexity of this challenge will only increase in the future with the increasing number of IoT devices.

Moving Forward

Knowing that every internet-connected device will be probed by hackers for weaknesses, what steps do companies need to take to survive and mitigate cyber-attacks?

Certainly, all the usual actions for cyber-hygiene will still apply, such as establishing and enforcing a password management policy. But each policy needs to be reviewed in light of the changes that IoT devices are imposing on the organization’s networked systems. For example, would the password policy that is in place for human staff, including the length and complexity of passwords and how often they are changed, be appropriate for IoT devices that are added to the company facilities? How can failed login attempts for each IoT device be detected, logged, limited, and locked out? Thinking through the existing policies in the context of the new IoT devices will go a long way towards strengthening the security foundation in advance of any large rollout.
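The lockout behaviour described under Factor #3 and the detection question raised above can be replayed over login events. This is an added example, not part of the original article; the log format, the threshold of three failures, the five-minute lockout and the management host address are all assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # assumed: consecutive failures before lockout
LOCKOUT = timedelta(minutes=5)    # assumed: temporary lockout duration
MANAGEMENT_HOSTS = {"10.0.0.5"}   # assumed: address of the VMS / firmware updater

# Constructed events: timestamp, device, source IP, login result.
SAMPLE_LOG = """\
2019-12-05T10:00:00 cam-01 10.0.0.5 FAIL
2019-12-05T10:00:10 cam-01 10.0.0.5 FAIL
2019-12-05T10:00:20 cam-01 10.0.0.5 FAIL
2019-12-05T10:00:30 cam-01 10.0.0.5 OK
2019-12-05T10:01:00 cam-02 203.0.113.9 FAIL
2019-12-05T10:01:05 cam-02 203.0.113.9 FAIL
2019-12-05T10:01:10 cam-02 10.0.0.5 OK
2019-12-05T10:01:15 cam-02 203.0.113.9 FAIL
2019-12-05T10:07:00 cam-02 203.0.113.9 FAIL
"""

def review_logins(log_text):
    """Replay login events; return (lockouts, rejected-while-locked)."""
    failures = defaultdict(int)   # (device, source) -> consecutive failures
    locked_until = {}             # (device, source) -> lockout expiry time
    lockouts, rejected = [], []
    for line in log_text.splitlines():
        stamp, device, source, result = line.split()
        when = datetime.fromisoformat(stamp)
        key = (device, source)
        if key in locked_until:
            if when < locked_until[key]:
                # Even a correct password is refused during the lockout.
                rejected.append((stamp, device, source))
                continue
            del locked_until[key]  # lockout expired, counting starts again
            failures[key] = 0
        if result == "OK":
            failures[key] = 0      # resets this source only, not other sources
            continue
        failures[key] += 1
        if failures[key] >= MAX_FAILURES:
            locked_until[key] = when + LOCKOUT
            # A known management host failing points to a stale stored password.
            cause = ("stale-credential" if source in MANAGEMENT_HOSTS
                     else "suspected-guessing")
            lockouts.append((device, source, cause))
    return lockouts, rejected
```

In the sample, the management host is locked out of cam-01 by its own stale password and its later correct attempt is refused, while its successful login to cam-02 does not reset the count for the unknown source.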

In addition, specific planning should be undertaken to prepare for automating network testing, including periodic discovery of every attached device, followed by automated checking of firmware and software versions and updating, as necessary. This is the only way that organizations will have a chance to keep ahead of the automated botnet attacks triggered by hackers.
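The checking step that follows a discovery sweep can be sketched as a comparison against an asset register and a minimum firmware baseline. This is an added example, not part of the original article; the addresses, model names and version numbers are constructed, and the sweep output format is an assumption.

```python
# Constructed asset register: address -> model expected at that address.
ASSET_REGISTER = {
    "10.1.0.11": "cam-a",
    "10.1.0.12": "cam-a",
    "10.1.0.20": "lock-b",
    "10.1.0.30": "sensor-c",
}

# Assumed minimum approved firmware per model (hypothetical versions).
MIN_FIRMWARE = {"cam-a": "2.4.1", "lock-b": "1.10.0", "sensor-c": "3.0"}

# Constructed result of one discovery sweep: (address, model, firmware).
DISCOVERED = [
    ("10.1.0.11", "cam-a", "2.4.1"),
    ("10.1.0.12", "cam-a", "2.3.9"),
    ("10.1.0.20", "lock-b", "1.9.2"),
    ("10.1.0.99", "cam-a", "2.4.1"),
]

def parse_version(text):
    """'1.10.0' -> (1, 10, 0), so 1.10.0 sorts above 1.9.2 (as text it would not)."""
    return tuple(int(part) for part in text.split("."))

def audit(discovered, register, minimums):
    """Sort one sweep into unknown, mismatched, outdated and missing devices."""
    report = {"unknown": [], "mismatch": [], "outdated": [], "missing": []}
    seen = set()
    for address, model, firmware in discovered:
        seen.add(address)
        if address not in register:
            report["unknown"].append(address)    # attached but never registered
            continue
        if register[address] != model:
            report["mismatch"].append((address, register[address], model))
            continue
        minimum = minimums[model]
        if parse_version(firmware) < parse_version(minimum):
            report["outdated"].append((address, firmware, minimum))
    # Registered devices that did not answer the sweep.
    report["missing"] = sorted(set(register) - seen)
    return report
```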

Another best practice is to have a “crisis response team” already configured and ready to take action. Typically, these teams would be composed of both physical and logical security personnel, capable of jointly assessing and taking action during a cyber incident. These joint task forces can also extend their efforts beyond just during the incident – in fact, working together during a critical time makes it easier for the organization to take on longer-term efforts because there is a shared understanding of what needs to be done.

By taking a proactive approach to mitigating IoT device risks, organizations reduce the accessible attack surfaces of their networks, ensure compliance with applicable regulations, and preserve their time to focus on the most important security actions. Knowing how IoT devices are changing the landscape in cybersecurity helps teams start now to be better prepared, rather than reacting to the effects of these changes in the future.

About the Author:

Bud Broomhead is a serial entrepreneur who has led successful software and storage companies for more than two decades. He has experience delivering computational and storage platforms to the physical security space for more than seven years, with an emphasis on infrastructure solutions for video surveillance.