A Vital Cert for IT Pros Charged with Securing the Internet of Things
Browse the shelves of your local home improvement or appliance store and you likely won't be able to move two steps before encountering a device bearing the adjective "smart." From televisions and microwaves to toothbrushes and sprinkler systems, almost every conceivable consumer device comes with WiFi or Bluetooth connectivity.
While exciting, the Internet of Things also introduces a whole new world of security risks, providing hackers with millions of new targets for their nefarious activities. A recent IDC report predicted that 90 percent of all networks will experience an IoT-related security breach by the end of 2016. That's a sobering statistic!
IoT devices aren't just popping up in homes — they're also appearing in offices and on factory floors. In some cases, these are the results of well-planned IT projects designed to improve automation or facilitate data collection. In other cases, well-meaning employees may simply plug an IoT device into an available network port without recognizing the risks such a device can pose to enterprise security.
Security and networking professionals must understand the scope of IoT efforts within their organization. And they must also have the tools and techniques at their disposal to help protect against the new threats that ever-expanding connectivity introduces.
Network Security in a World of Things
Fortunately, the controls used to secure IoT devices aren't really all that different from the network and device security technology that organizations have used for years to protect other networked devices. Security professionals simply need to consider IoT requirements in their work as they deploy and configure their security technologies.
Network Inventory: Securing IoT devices begins with an accurate network inventory. It's hard to deploy security controls when the organization doesn't have a strong understanding of what is connected to their network. Most organizations already have some type of network inventory tool and it's likely that this same tool will detect and inventory IoT devices connected to the network.
The results of a network scan are an excellent way to catalog the organization's current IoT status and may also serve as the basis for a network vulnerability scan that probes those devices for misconfigurations and other vulnerabilities that may require immediate attention.
Firewalls: Maintaining strong firewalls is the first line of defense for IoT devices, particularly those that might have other security vulnerabilities. Firewalls filter out undesirable network traffic before it reaches protected devices. In an IoT deployment, they may play a special role, creating a segmented network specifically designed to house IoT devices.
In this model, the IoT devices can freely communicate with each other and their command-and-control servers, but they are not reachable from the remainder of the organization's network. This segmentation approach prevents, for example, a guest using the organization's Wi-Fi network from connecting directly to the organization's IOT devices.
Secure Wireless: In most cases, IoT devices make use of wireless networks due to their location and, in some cases, mobility requirements. After all, it would be difficult to use a wired network connection for a smart car! As administrators configure the wireless networks that support IoT devices, they should choose strong encryption options.
It is vital to configure the use of Wi-Fi Protected Access (WPA) technology to prevent outsiders from eavesdropping on the communications exchanged between IoT devices and their servers. Those exchanges contain commands from the server, as well as, data reported back by IoT sensors, both of which should be protected.
Authentication: Strong authentication measures play an important role with IoT devices, just as they do other network devices. Organizations should choose devices that integrate with the organization's identity and access management infrastructure for authentication.
This centralized approach provides consistent security, reduces management overhead and makes it easy to remove a user's access when he or she leaves the organization. Administrators may simply mark an account as disabled in the centralized authentication console and immediately disable access to all systems using that authentication server, including IoT devices.
Patch, Patch Patch: Finally, patch management is a critical responsibility for the administrators of IoT devices. Like any technology product, IoT devices rely upon complex programs that use thousands of lines of code to perform their work. This code inevitably contains flaws and some of those flaws may allow a knowledgeable attacker to take control of the device for malicious purposes.
This is another area where maintaining an accurate inventory of IoT devices plays a critical security role. IT professionals should carefully monitor the websites of device manufacturers and watch for firmware security updates and then promptly apply updates after they appear. Remember, once the vendor releases a patch, the word of a vulnerability is out there and hackers may quickly seek out and attempt to compromise vulnerable devices.
Building IoT Knowledge
Technologists seeking to build knowledge about IoT security will quickly discover that there really aren't that many options for learning about the technology other than reading and hands-on experience. The IoT universe remains fairly immature and there aren't many formal training and certification programs that cover IoT in general or IoT security in particular.
One exception to this is the Cisco Industrial Networking Specialist certification available to help IT professionals learn about the networking concerns specific to the manufacturing, process control, and oil & gas industries.
This certification program isn't focused on security but it does provide an important base level of knowledge for technologists responsible for IoT deployments in those industries. Cisco doesn't offer formal training for this certification, but does provide two e-learning modules on control systems fundamentals and networking fundamentals that prepare candidates for the exam.
Candidates seeking the Industrial Networking Specialist certification must pass Cisco exam 200-401: Managing Industrial Networks with Cisco Networking Technologies. This exam contains between 55 and 65 questions administered during a 75-minute exam period and may be taken through Pearson VUE testing centers.
The Internet of Things is rapidly emerging as one of the technology forces that will shape the next decade of computing. IT professionals who understand how to design, build, secure and manage IoT networks will find themselves well-positioned to ride this technology wave. Earning the Cisco Industrial Networking Specialist certification is an excellent way to demonstrate IoT aptitude to potential employers.