
Can zero trust instill confidence in IoT device security?

IoT devices are harder to secure than regular computers, and too many are unprotected. We can do better.

Last March, a 21-year-old Swiss hacker accessed and seized control of 150,000 smart industrial cameras made by Verkada, a little-known security-as-a-service company in Silicon Valley.

As hackers often do, the attacker, still on the run from authorities, went after security cameras in hospitals, factories, police departments, prisons, gyms, schools, and offices just to prove he could. In doing so, he also showed how hard it has become to fully trust the cyberdefenses of the millions of internet of things (IoT) devices attaching to corporate networks around the world.

"Organizations are slowly waking up to the reality that their IT environments are not limited to the data center, office, or laptops their employees use to work from home," says Craig Robinson, program director for worldwide security services at IDC. "IoT devices are increasingly on corporate networks, and traditional IT cybersecurity methods alone aren't up to the task of ensuring they do not turn into major vulnerabilities."

To deter such threats, many enterprises are turning to an increasingly vital cybersecurity strategy: zero trust.

Never trust, always verify

With zero trust, every person or device that tries to log onto a network is treated as a potential threat. In such a system, if an IoT application tries to access network services or data, it must first authenticate itself. It makes no difference if the device and application are already on the network. The zero trust assumption is that any IoT apps requesting access to assets may contain malicious code. So, no matter where they are, those devices are isolated or segmented in digital waiting rooms and aren't allowed to move on without credentials.

"Zero trust isn't a traditional model where everything you do is focused on securing systems," says Deepak Patel, a cybersecurity expert in the Office of the CEO at Zscaler, a cloud information security company. "It's really about limiting the blast radius and access of potentially malicious users to specific applications. You always assume a compromise is happening or is about to happen."


The concept of zero trust has been around since former Forrester analyst John Kindervag coined the phrase in 2010. At the time, most IT organizations viewed the concept as too revolutionary or were reluctant to move on from the perimeter-based security models that they thought had served them well over time. But that changed suddenly and dramatically a few years ago as organizations suffered a triple-digit rise in ransomware attacks, increasing supply chain and critical infrastructure breaches, and attacks aimed at remote worker endpoint devices during COVID-19.

The danger in IoT adoption

Meanwhile, users and corporations significantly accelerated the pace of IoT adoption in the enterprise. Many connected devices now serve essential operational technology (OT) functions, such as managing factory production and supply chain efficiency, remotely monitoring and servicing tractors in the field, and regulating environmental and HVAC systems to conserve energy and minimize costs.

An even larger share of IoT devices are employee-owned gadgets with limited, if any, security functionality, according to many observers. These have presented a considerable problem. Indeed, Kaspersky reported 1.5 billion attacks against IoT devices worldwide in the first six months of 2021, and Zscaler discovered a 700 percent spike in IoT-specific malware attacks involving corporations in 2020 compared with pre-pandemic levels.

What makes IoT devices so vulnerable is that most are meant to be simple. Passive. Almost stupid. Like a lightbulb or coffee maker. They have limited hardware and computational power, making it tough to embed security into them. Their components are basic and sometimes cheap or outdated. And the software on them is often hastily written, with little regard for cybersecurity, because vendors want to get the products on the market as quickly and inexpensively as possible.

All of this makes IoT devices juicy targets for cybercrooks looking for easy paths into corporate networks.


"When you hear about these kinds of IoT attacks, you might ask, 'Who would bother hacking something as simple as a connected lightbulb?'" says Philip Attfield, CEO of Sequitur Labs, which works with OEMs to build security capabilities into connected devices. "The reason is, there are network stacks on them. They are trampolines or trajectories to everything else on your network."

What to do about it

Jon Green, chief security officer at Aruba, a Hewlett Packard Enterprise company, says many organizations now realize the only way to head off this IoT device problem is by applying zero trust. But many are unsure how to go about implementing it.

One form of zero trust operates at the application layer, which makes sense because that is where most critical data lives. "That's what you want to protect from harm," Green says. That can be partially accomplished at the edge within Secure Access Service Edge (SASE) architectures, but Green notes that "many IoT devices don't really have any concept of an application layer that contains any sort of security."

He says one way to address such limited devices would be to ensure zero trust operates at the network layer. Zero trust at the network layer involves aggressive network segmentation, or microsegmentation, based on device identity. This makes it important to have device profiles that can recognize known characteristics like network usage patterns, protocols, port numbers, and other behavioral aspects that security systems can check against devices attempting to connect.

Experts warn there are no quick fixes. Many organizations think they can buy some off-the-shelf solution and be zero trust ready. But zero trust is not a product. Rather, it's a "strategy to reduce implicit trust throughout the enterprise," according to Forrester. As such, concept patriarch Kindervag advises organizations concerned about IoT device security to roll zero trust out slowly and programmatically.

"You can't solve the entire IT organization's problems at once," Kindervag says. "You have to break your work into chunks so that it's manageable. The zero trust approach makes that possible."

Experts say one of the first tasks should be to determine what IoT devices are accessing the network—and why. Too often, they note, IT leaders have no idea what is allowed to connect at any given time, which can be a recipe for disaster.

"The internet should never be able to see an IoT device, but if you use a search engine called Shodan, you find 60 to 70 percent of factories are exposed," says Zscaler's Patel. "It's scary. There are a lot of municipalities, water treatment plants, and even some nuclear plant consoles in this boat."


To overcome this issue, Patel recommends religious adherence to the security principle of least privilege, under which a user or device has privileges to access only what it needs to access. With this approach, only those IoT devices that have a demonstrable need for it gain network access.

Seeking help

While this may all seem straightforward, experts note that zero trust represents quite a challenge for time- and expertise-strapped organizations.

Because of this, some corporations try to secure their entire infrastructures by routing all their IP traffic through a trusted partner offering advanced analytical capabilities based on zero trust principles. These SASE vendors, including Zscaler, say this approach gives companies a convenient and cost-effective way of detecting, classifying, and securing all their IoT and OT devices. So-called fat-client devices, like desktop computers, run agent software that connects to the SASE network. Simpler devices, including IoT devices, are rarely capable of running agent software, but integrations with enterprise networking providers can ensure their traffic passes through a SASE proxy server, where security systems can apply policies.

IDC's Robinson notes that whatever approach an organization chooses, it must be continuous to be effective. Billions of IoT devices come online every year, and cybercriminals are relentless in attempting to compromise them. He says that zero trust should be viewed as a journey rather than a destination.

"You'll never see a project plan for zero trust with an end date," Robinson adds. "It's not something you go off and do and then you're done. It doesn't work that way."

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.