4 Things to Do When Running the IoT Zoo

Zoos are fascinating places. In just a few acres you can encounter all kinds of interesting, rare and exotic animals from different parts of the world and from different ends of the food chain. But, what keeps the tigers from eating the zebras or even the visitors? Segmentation. Walls, fences, cages and other barriers that keep every critter safe and well behaved. The same concept is vital to the proper security of Internet of Things (IoT) and operational technology (OT) devices. As these devices proliferate, it is segmentation that keeps them all safe and well behaved.

Here’s what I mean.

The modern enterprise consists of a huge variety of network-connected devices that play different roles in making the network operate properly, provide services to customers and partners, and that allow employees to do their jobs quickly and efficiently. Once deployed, however, it can be difficult to track and monitor IoT devices—and you can’t manage what you can’t see.

Using the zoo analogy, if your devices are allowed to roam freely, some will be forgotten and others will act in unexpected ways. There will be unmanageable chaos. But, if the animals are categorized, monitored, segmented and cared for, the zookeeper can keep things operating in an orderly manner.

If you are among those struggling to keep your IoT and OT device menagerie in line, I have bad news. Your challenges aren’t getting any easier. According to some estimates, there will be between 41.6 billion and 83 billion IoT devices connected to networks by 2025. Those estimates were made before the outbreak of the COVID-19 pandemic. Now that a Pandora’s box of remote work has been opened, there’s a strong chance trends like distributed workforce, manufacturing automation and mobility will result in a sharp acceleration in the use of IoT devices, pushing those numbers higher. Making matters worse, many of those devices will connect to networks unnoticed, unmanaged and unsecured.

Healthcare is already among the industries feeling the effects most sharply. Healthcare organizations rely on connected devices to perform their jobs and deliver the highest quality of care possible. It’s not just medical devices like insulin pumps, EKG machines and ventilators. Sophisticated healthcare facilities rely on connected devices for security monitoring and access control, administration, environmental control and IT operations management. The health, security and usage of non-medical devices can impact patient care too: for instance, IP-enabled elevator systems are needed to transport patients, while HVAC systems can affect air quality in operating rooms. Protecting and managing IoT and OT devices is especially important in healthcare organizations post COVID-19, as we will be dealing with the aftermath of a surge of new devices being deployed.

Right now, roughly 15 million IoT devices are being used by healthcare professionals worldwide. Hospitals use an average of 10-15 devices per bed, collecting and communicating highly sensitive protected health information (PHI). It’s no surprise, then, that 82% of healthcare organizations have had their IoT devices targeted. The risk increases when devices used by medical personnel cross from professional to personal use. A tablet used to enter a patient’s PHI and check email makes the network it’s connected to more vulnerable to phishing scams and ransomware. Unfortunately, with hospitals focused on responding to the pandemic, some malicious actors see it as an opportune time to strike.

What can be done to mitigate the risk? If I ran the IoT zoo, there are four steps I’d take to figure out what was running wild and wrangle everything into its pen.

Discover and Inventory

You can’t manage what you can’t see, so complete, real-time discovery of IoT devices is critical. Step four, segmentation, is unachievable without proper visibility and classification of devices. The fidelity of that visibility and classification is key, and it needs to account for ephemeral assets that may go offline and later be brought up in a different physical or network location. We’ve seen this situation exacerbated during the COVID-19 pandemic as new network-connected devices are rushed into service.

Baseline and Monitor Behavior

Once you’ve taken inventory, you need to map how devices communicate and with what. Devices use a variety of protocols and communication patterns. Baselining what is normal is crucial to identify when devices start behaving badly. For example, without proper traffic monitoring, we won’t know that the baboons are attacking the pangolins every night. 

Identify Risks

With a baseline for recognizing bad behavior, you can identify anomalies that signal potential compromise, high-risk devices such as those running obsolete operating systems, and devices subject to medical or FDA advisories. The fragile, rare or highly valuable animals can be managed differently than a common “low value” asset, like a sparrow. Look out for solutions that tout their cybersecurity prowess with threat alerts but provide no way to resolve the issues.

Segment and Secure

Finally, with devices visible and categorized, and their associated risks identified, your next step is to secure them. Since you cannot deploy endpoint agents on these devices, they need to be secured using appropriate segmentation policies. The key is doing this in an automated manner that is scalable and operationally feasible, and that uses the infrastructure the organization has already invested in—networking products, firewalls and network access controls (NAC).
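To make the four steps concrete, here is a small Python script, added as an illustration and not part of the original post or of Ordr’s product, that walks a constructed set of devices through them: an inventory (step one), a per-class communication baseline learned from flow records (step two), anomaly detection plus a crude risk score (step three), and allow-list segmentation rules derived from the baseline with a default deny per class (step four). All IP addresses, device classes, operating systems and flow records are constructed sample data; the rule format is a hypothetical one chosen for readability, not any vendor’s syntax.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Step 1: discover and inventory. Constructed sample data; a real inventory
# would be populated from passive traffic analysis, DHCP/ARP and NAC data.
INVENTORY = {
    "10.1.5.10": {"class": "infusion_pump",   "os": "WinCE 6.0",   "eol": True,  "advisory": True},
    "10.1.5.11": {"class": "infusion_pump",   "os": "WinCE 6.0",   "eol": True,  "advisory": True},
    "10.1.7.20": {"class": "hvac_controller", "os": "VxWorks 6.9", "eol": False, "advisory": False},
    "10.1.9.30": {"class": "ip_camera",       "os": "Linux 4.4",   "eol": False, "advisory": False},
}

# Device classes whose compromise directly affects patient care (assumption).
CRITICAL_CLASSES = {"infusion_pump", "ventilator", "ekg"}

# Constructed flows captured during a quiet learning window.
BASELINE_FLOWS = [
    Flow("10.1.5.10", "10.1.1.5", 443, "tcp"),   # pump -> medication server
    Flow("10.1.5.11", "10.1.1.5", 443, "tcp"),
    Flow("10.1.7.20", "10.1.1.9", 502, "tcp"),   # HVAC -> building management (Modbus/TCP)
    Flow("10.1.9.30", "10.1.1.12", 554, "tcp"),  # camera -> video recorder (RTSP)
]

# Constructed flows from a later monitoring window; two of them are unexpected.
LIVE_FLOWS = [
    Flow("10.1.5.10", "10.1.1.5", 443, "tcp"),
    Flow("10.1.9.30", "10.1.5.10", 445, "tcp"),  # camera -> infusion pump over SMB
    Flow("10.1.7.20", "10.1.1.9", 502, "tcp"),
    Flow("10.1.9.99", "10.1.1.12", 554, "tcp"),  # source address not in inventory
]


def build_baseline(flows, inventory):
    """Step 2: for each device class, the set of (dst, dport, proto) seen as normal."""
    baseline = defaultdict(set)
    for f in flows:
        cls = inventory[f.src]["class"]
        baseline[cls].add((f.dst, f.dport, f.proto))
    return baseline


def detect_anomalies(flows, baseline, inventory):
    """Steps 2 and 3: flows from unknown devices, or outside their class baseline."""
    findings = []
    for f in flows:
        device = inventory.get(f.src)
        if device is None:
            findings.append((f, "unknown device: not in inventory"))
        elif (f.dst, f.dport, f.proto) not in baseline[device["class"]]:
            findings.append((f, f"outside baseline for {device['class']}"))
    return findings


def risk_score(device):
    """Step 3: additive score so the fragile, high-value animals are handled first."""
    score = 0
    if device["eol"]:
        score += 3          # obsolete operating system
    if device["advisory"]:
        score += 3          # subject to a medical or FDA advisory
    if device["class"] in CRITICAL_CLASSES:
        score += 2          # patient-care impact
    return score


def segmentation_policy(baseline, inventory):
    """Step 4: per-class allow-list rules from the baseline, then a default deny."""
    members = defaultdict(list)
    for ip, d in inventory.items():
        members[d["class"]].append(ip)
    rules = []
    for cls, allowed in sorted(baseline.items()):
        for dst, dport, proto in sorted(allowed):
            group = ",".join(sorted(members[cls]))
            rules.append(f"allow {cls} ({group}) -> {dst}:{dport}/{proto}")
        rules.append(f"deny {cls} -> any")
    return rules


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS, INVENTORY)
    for flow, reason in detect_anomalies(LIVE_FLOWS, baseline, INVENTORY):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
    for ip, d in sorted(INVENTORY.items(), key=lambda kv: -risk_score(kv[1])):
        print(f"risk {risk_score(d)} {ip} {d['class']} ({d['os']})")
    print("\n".join(segmentation_policy(baseline, INVENTORY)))
```

The policy is generated per device class rather than per device, which is what makes the approach scale: the two pumps share one rule set, and a new pump discovered tomorrow inherits it once classified. The SMB flow from the camera to a pump is flagged because it falls outside the camera class’s learned destinations, and the rules emitted for step four would have blocked it outright.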

And, with apologies to Dr. Seuss, I’ll leave you with a final thought:

It’s an IoT zoo, said the young CIO, but the people who run it, don’t know what to do. 

If I ran this zoo, said the young CIO, I’d make a few changes. That’s just what I’d do. 

The monitors, HVACs and all of that stuff, are not secure or well managed. It’s not good enough! 

I’d ID and segment, assign policies, too. The old ways just don’t cut it. Time for something new!

Gnanaprakasam Pandian

Gnanaprakasam Pandian is chief product officer and co-founder of Ordr. He has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the chief development officer at Aruba, responsible for all of engineering and product management functions. Prior to Aruba, Pandian served as the head of engineering for Cisco’s multibillion dollar WiFi business unit. He graduated with a master’s degree in electrical engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
