Tip

Why CISOs should use zero-trust security for IoT

IoT devices have significant business benefits but also open enterprises to escalating security risks. Discover why zero trust is the most practical way to secure IoT.

IoT is meant to drive operational efficiency and improve decision-making, largely by automating processes and reducing overall costs. But with these benefits come escalating cybersecurity threats that target IoT devices, which are notoriously vulnerable compared to traditional IT infrastructure.

Several security frameworks address IoT, including the NIST Cybersecurity Framework and IEC 62443 for industrial systems. That said, one approach -- zero trust -- has bubbled to the top as the most practical way to secure IoT. Zero trust's emphasis on continuous verification, continuous validation, microsegmentation and network-based behavioral analytics helps enterprises address visibility and enforcement gaps common when working with low-cost IoT devices.

Common IoT security challenges

The rapid expansion of IoT devices and other connected components has dramatically increased the attack surface for enterprise organizations. IoT systems often offer poor visibility, have limited built-in security capabilities and lack support for endpoint protection software, hobbling IT security teams. As a result, unpatched devices with weak credentials are common.

Their inherent security flaws make IoT devices ripe targets for malicious hackers, who exploit them to scan the network and compromise other systems, creating a serious risk to mission-critical components and data. Supply-chain risks only compound the issue. Pre-compromised IoT devices can introduce massive threats at scale, leading to botnets and persistent backdoors that make threat remediation incredibly difficult.

Their inherent security flaws make IoT devices ripe targets for malicious hackers, who exploit them to scan the network and compromise other systems.

Enterprises that don't properly address these vulnerabilities face the constant risk of ransomware attacks, operational disruptions, and compliance and regulatory issues. The financial and reputational consequences could be catastrophic.

How zero trust addresses IoT security

Zero trust principles use a "never trust, always verify" philosophy, eliminating the implicit trust often found in organizations that traditionally rely on perimeter-based security. Zero trust shifts enforcement to the network, focusing on device verification and continuous validation of every request. Least-privilege policies -- i.e., microsegmentation -- also sharply restrict device communications. That means a compromised IoT device cannot scan and infect other devices on the network, reducing the risk that a threat actor will disrupt operations or steal data from mission-critical systems.

Zero trust also solves the scalability issue of IoT security. Policies are applied, enforced and continuously validated at the network level rather than on the devices themselves. This method lets organizations centralize management and automate enforcement across thousands of endpoints regardless of device type, OS or firmware limitations.

Challenges of applying zero trust to IoT

While zero trust offers clear advantages over other methodologies, implementing it in IoT environments poses certain challenges. IoT networks contain many legacy and resource-constrained devices, making it difficult or even impossible to apply modern, network-based identity methods such as mutual authentication, device attestation or public key infrastructure enrollment. Network-level enforcement might also introduce latency, hindering the real-time capabilities of some IoT devices and platforms.

While zero-trust policy management is centralized, creating highly granular policies across thousands of IoT devices can grow increasingly complex. Interoperability issues can also arise for IoT endpoints that use non-standard or proprietary protocols. Without proper processes to onboard devices within a zero-trust model, security policies can quickly become muddled, potentially leading to inconsistent enforcement and security gaps.

Finally, shifting to a zero-trust methodology requires new skills and tools, as well as organizational cultural shifts that, without proper management, can slow adoption and affect day-to-day operations.

Best practices for implementing zero trust for IoT

Ideally, a zero-trust implementation follows a phased approach that addresses the operational constraints outlined above. CISOs should consider the following best practices:

  • IoT device discovery and inventory. Identify and classify all existing IoT devices and platforms, along with their risk levels, functions, protocols and communication patterns.
  • Define protection boundaries. Specify which external resources IoT groups need to communicate with. Use this information to formulate protection boundary policies.
  • Apply microsegmentation. Based on IoT discovery and protection boundaries, create policies that enforce strict least-privilege access.
  • Develop context-aware policies. For IoT devices that require agentless enforcement, combine identity-based methods with behavioral analytics.
  • Measure and adjust. Use tools to monitor and track metrics, including IoT device visibility, policy-enforcement rate and lateral-movement reduction. Make policy adjustments accordingly to further restrict communication flows without disrupting operations.

With proper collaboration across IT, security and operational technology teams and the right planning in place, zero trust can serve as the security foundation that enables IoT expansion for years to come.

Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.

 

Dig Deeper on Network security