A secure network requires dealing with the complexity of IoT security

By: Larry Lunetta, Vice President of Portfolio Solutions Marketing at Aruba, a Hewlett Packard Enterprise Company.

When organizations implement the Zero Trust and SASE cybersecurity frameworks, the top priority is to ensure that those connecting to the network are authenticated with the appropriate access privileges. Users often represent the most fertile attack surface as they can become malicious or fall victim to phishing, inadvertently sharing sensitive information with malicious actors, which can cost a business dearly.

Meanwhile, organizations must also manage the flood of “things” entering the network, such as Internet of Things (IoT) devices. Sure, a wireless thermostat or smart speaker can’t be phished like a person, but each device represents another node that further expands the attack surface, an area that is already growing at an exponential rate. Fortunately, a recent communication from the NIST National Cybersecurity Center of Excellence (NCCoE) helps address this issue.

To summarize the findings, network and security teams face significant hurdles in securing IoT devices on the network. Managing IoT devices is just as complicated as, if not more complicated than, managing users: the devices must be securely onboarded onto the network and then monitored for optimal performance and protection.

Network-layer onboarding and lifecycle management

NIST highlights in its project description how difficult IoT security is for a myriad of reasons:

  • Manufacturers often ship a single, shared set of login credentials across the millions of devices they produce. Although using the same network credentials for every device is straightforward, this approach cannot identify each individual device, nor does it offer any way to verify that each device is connecting to the appropriate network.
  • In contrast, manually provisioning a unique network credential for each device greatly increases the complexity of the onboarding process, not to mention that such approaches are resource-intensive, error-prone, and insecure.
  • Going further, requiring manufacturers to assign a unique network credential to each device as part of the manufacturing process is impractical and inefficient, and it potentially increases the cost of production.
  • Finally, even when each device has unique credentials, IT often lacks visibility into which devices are connecting to the network. These blind spots leave gaps in the overall security posture, regardless of how effective the Zero Trust and SASE frameworks are on the user security side.

To help solve the problem, the NIST NCCoE has created a new project called “trusted network-layer onboarding and lifecycle management,” essentially a method to automate network-layer onboarding that satisfies the following basic requirements:

  • Provides each device with unique network credentials
  • Gives the device and the network the ability to authenticate each other
  • Is performed over an encrypted channel, to protect the confidentiality of the credentials
  • Does not give any person access to the credentials
  • Can be performed repeatedly throughout the life of the device

Effective and efficient IoT cybersecurity

By leveraging the NIST recommendations, IT teams can build a network that delivers the connectivity, performance, scalability, automation, and security that their businesses require. After all, IoT devices aren’t used only to track building maintenance or occupancy; they provide critical data that informs business leaders on how to optimize their organization to achieve business goals, whether that means improving the physical health of employees or finding new and better ways of operating. The data that IoT devices create and compile can also help further automate processes and even support a more efficient way of managing IT infrastructure.


Copyright © 2022 IDG Communications, Inc.

Sharon D. Cole