Two recent sets of vulnerabilities discovered in medical IoT devices, one in lab testing gear and one in a temperature sensor (the latter of which brings back memories of the infamous fish tank sensor hack in Las Vegas), highlight the need for implementing Zero Trust principles when deploying IoT devices.
When one thinks about Zero Trust in relation to IoT devices, network segmentation comes to mind as the easiest way to control access to these devices and, if a device is compromised, to restrict its access to other apps and data so that patient data cannot be accessed and an attack cannot pivot to other devices on the network. The challenge is that these devices may need that access: these smaller devices are often part of larger solution deployments that do blood testing or control the temperature of samples or pharmaceuticals, so simply implementing segmentation policies will still allow access to the apps, data, and other devices with which these components communicate. Access control needs to go deeper, and you need to define exactly what these devices have access to on other devices, application servers, or internet hosts.
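The gap between segment-level and device-level policy can be made concrete by replaying observed flows against both. The following is an added example, not code from the original post; the device names, hostnames, ports, and flow records are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    device: str
    dest: str
    port: int

# Constructed inventory: both devices share one network segment.
SEGMENT_OF = {"lab-analyzer-01": "clinical-iot", "temp-sensor-07": "clinical-iot"}

# Segment policy: the union of what any device in the segment needs.
SEGMENT_ALLOW = {
    "clinical-iot": {("lis.example.internal", 443),
                     ("telemetry.example.internal", 8883)},
}

# Device policy: default deny, each device lists exactly what it needs.
DEVICE_ALLOW = {
    "lab-analyzer-01": {("lis.example.internal", 443)},
    "temp-sensor-07": {("telemetry.example.internal", 8883)},
}

def segment_permits(flow):
    segment = SEGMENT_OF.get(flow.device)
    return (flow.dest, flow.port) in SEGMENT_ALLOW.get(segment, set())

def device_permits(flow):
    return (flow.dest, flow.port) in DEVICE_ALLOW.get(flow.device, set())

def classify(flow):
    """'allowed', 'segment-only' (segmentation passes it, the device has
    no stated need for it), or 'denied' (neither policy permits it)."""
    if device_permits(flow):
        return "allowed"
    return "segment-only" if segment_permits(flow) else "denied"

def review(flows):
    """Return (flow, verdict) for every flow the device policy rejects."""
    return [(f, classify(f)) for f in flows if classify(f) != "allowed"]

# Constructed flow records, as might come from a firewall or NetFlow export.
FLOWS = [
    Flow("lab-analyzer-01", "lis.example.internal", 443),
    Flow("temp-sensor-07", "telemetry.example.internal", 8883),
    Flow("temp-sensor-07", "lis.example.internal", 443),    # lateral reach
    Flow("lab-analyzer-01", "updates.example.net", 80),     # unlisted host
    Flow("unknown-cam-03", "lis.example.internal", 443),    # not in inventory
]

if __name__ == "__main__":
    for flow, verdict in review(FLOWS):
        print(f"{verdict:12} {flow.device} -> {flow.dest}:{flow.port}")
```

The `segment-only` verdicts are the ones segmentation alone would never surface: the temperature sensor reaching the lab information system is legal at the segment level only because the analyzer needs that path.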
IoT device deployments, like many modern networks, tended to grow organically and not always as planned. Devices slowly got added to the network to fill a need, such as printing, video monitoring, or package tracking, and by the time enterprises realized what had happened, thousands of devices had become part of the corporate network, with no plan for how to manage them, how access would be controlled, or how they would be monitored. This means that as problems were discovered, teams pivoted to resolve the problem without the thought or the ability to redesign the deployment so that these requirements were properly addressed. Since the proliferation of these devices isn’t slowing down, problems like this continue to rise, meaning the time to act is now.
IoT security has been identified as one of our top 10 emerging technologies for 2024, which reflects the growing concern around securing these devices. In response to these concerns, many solutions have emerged to address IoT devices, device inventory, vulnerability management, identity and access management, network control and security, and endpoint security. These solutions can only assist once security leaders determine that they’re going to apply Zero Trust principles to IoT device deployments. This means:
- Recognizing what’s wrong right now.
- Analyzing the needed level of access to these IoT devices.
- Understanding the data to which the devices need access.
- Determining how these devices are going to be monitored.
Forrester clients interested in assessing these requirements and gaining direction on their IoT security roadmaps should submit an inquiry or guidance session request with me. If you don’t know how you’re going to use this technology, it’s going to be shelfware.