Internet of Things: Where to draw the line

Marc Thaler

As the onslaught of Internet-accessible technology continues, managing IT environments grows even more complicated. Sometimes, though, necessary protection can still be achieved by applying a simple strategy.

“If it doesn’t need Internet access, then isolate it from the Internet,” LOGICnow Security Lead Ian Trump says.

You, as the IT pro, likely see the point Trump makes. But can you say the same for the decision-makers in your company? The interconnectivity of web-enabled devices – better known as the Internet of Things or “IoT” – offers many exciting possibilities for businesses of all sizes. It also has the potential to pose security problems, as Trump knows only too well.

In his travels, Trump assessed the IT security of a non-profit business that sought an automatic teller machine (ATM) for its lobby. The vendor’s machine needed Internet access for something as harmless as alerting headquarters when cash was low.

“The vendor thought the ATM could just be plugged in to the network and it would be good to go,” Trump says.

Except the ATM ran Windows XP. See the problem?

A network-connected machine running an unsupported operating system is a cybercriminal’s dream. And a loss of cash, while bad, wouldn’t be the worst of it.

“The network might have been compromised so malware could take PIN and credit card information, building up a large amount of data and sending it to parts unknown,” Trump explains.

That nightmare scenario, according to Trump, was avoided by isolating the machine on its own segment of the network. In doing so, the vendor gained the ability to communicate with the ATM without exposing it to the Internet at large.
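What that isolation looks like as an enforceable, checkable rule, as an added example that is not part of the article: a default-deny policy for the ATM segment whose only permitted outbound flow is the low-cash alert to the vendor's collector, plus an audit of flow records to confirm nothing else is leaving the segment. All addresses, the port and the log lines are constructed for the example.

```python
"""Default-deny policy for an isolated device segment (constructed example).

The ATM lives on its own segment; the only flow it may originate is the
low-cash alert to the vendor's collector. Everything else is denied.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SegmentPolicy:
    name: str
    members: ipaddress.IPv4Network              # hosts placed on the isolated segment
    allowed: list = field(default_factory=list)  # (destination network, port) pairs

    def permits(self, src, dst, port):
        """True only for a flow from a segment member to an allowlisted (network, port)."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in self.members:           # this policy only governs segment members
            return False
        for net, allowed_port in self.allowed:
            if dst_ip in net and port == allowed_port:
                return True
        return False                             # default deny: Internet at large, corporate LAN


# Constructed addresses: ATM segment 10.99.0.0/29, vendor collector 203.0.113.10 on TCP 443
ATM_SEGMENT = SegmentPolicy(
    name="atm-isolated",
    members=ipaddress.ip_network("10.99.0.0/29"),
    allowed=[(ipaddress.ip_network("203.0.113.10/32"), 443)],
)


def audit_flows(policy, flow_log):
    """Return the flows originating in the segment that the policy denies.

    flow_log holds constructed 'src dst port' records of the kind a firewall
    or NetFlow export produces; a non-empty result means the segment is leaking.
    """
    violations = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        if ipaddress.ip_address(src) in policy.members and not policy.permits(src, dst, int(port)):
            violations.append(line)
    return violations


# Constructed flow records: one legitimate alert, one web request, one SMB attempt into the LAN
SAMPLE_LOG = """\
10.99.0.2 203.0.113.10 443
10.99.0.2 198.51.100.7 80
10.99.0.2 10.10.5.20 445
"""

if __name__ == "__main__":
    print(audit_flows(ATM_SEGMENT, SAMPLE_LOG))  # the two flows that should never have happened
```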

But here’s the moral: Changes in an IT environment introduce new attack surface. IT managers and administrators need to make certain they understand this critical issue. Adding new devices to a network has consequences for the assets already on it.

Trump’s IoT rule of thumb is this: If a machine or device plugs into the wall for power, there’s a good chance it has an IP address. IT pros, therefore, need to educate themselves and the workforce they protect on how IoT technology can be integrated – securely.

According to Trump, creating a lab where the IT staff can test devices before authorizing them for actual use is a smart move. This approach offers an opportunity to gauge how the configuration of IoT technology will affect operations.

Of course, Trump acknowledges that some businesses don’t have the budget to create a lab, in which case he suggests IT pros do the following:

  • Determine who is liable for the devices – your company or the provider?
  • Seek an explanation from the vendor for the measures it takes to build secure devices.
  • Ask IT staff of other companies to share their due diligence checklist.

It is now imperative that every business weigh the perceived benefits against the potential risks. Nobody wants to be responsible for the technology that leads to a data breach.

“Businesses have to make an assessment,” Trump says. “If they’re not equipped to do it, they may have to look at the device and say we can’t accept the risk.”