What’s Really Out There in IoT Cyberspace?

Do you know what is connected to your network right now? If you don’t, your network is vulnerable to attacks you might never see coming. You can’t protect what you don’t know exists.

You’re in good company if you’re mistaken about what’s connecting to your network. Cisco’s 2018 Annual Cybersecurity Report found a large discrepancy between the number of IoT devices that IT managers thought were on their networks, and the actual quantities. For example, government IT underestimated IoT connected devices by 12%, healthcare by 33%, technology by 43%, and finance by 50%.

How did we get this so wrong? Shadow IT gets some of the blame. Individuals, acting on their own or their departments’ interests, purchase devices that they connect to corporate networks without giving IT the opportunity to manage, or even enumerate them. Yet these devices and apps may be able to freely connect to sensitive enterprise resources as well as the open internet. That’s a dangerous network security vulnerability. It has several repercussions, according to the Report’s analysis of unmanaged devices:

• 83% of analyzed IoT devices had an older vulnerable OS version with no record of patches available. Devices running dated system software are more likely to be hacked.
• Undetected and undefended devices are vulnerable to infiltration and takeover, enabling the creation of IoT botnets (such as Mirai, Brickerbot, and Hajime). These can wreak additional havoc through DNS attacks or by spreading malware.
• Unmanaged plug-and-play networks using low-energy Bluetooth and low-power wide area networks are proliferating in mobile and Industrial IoT applications, along with a corresponding level of Bluetooth malware such as BlueBorne, BroadPwn, and KRACK. With billions of Bluetooth devices connecting to critical infrastructure in healthcare and industrial applications, that’s a lot of risk to manage.

Protecting and Preserving IoT Deployments

Beyond shadow and rogue IT equipment, older IoT devices are a potential network threat if they’re not tightly managed. Even modern IoT devices can create a virtual tsunami of risks for IT. To gain control over IoT deployments, IT needs automated resources to find, secure, and manage all the various legacy and new devices that are connecting to networks.

Existing legacy devices are typically simple in functionality, have minimal identifying information, negligible or non-existent security capabilities, and are usually installed with default—and easily hacked—security settings. In the realm of legacy IoT, the goal is to identify the existing networked devices and provide maximum protection or isolation, even if they have no inherent security capabilities. Network management tools need to sense and locate the existing devices, detect and record the manufacturer, type, and model if available. Once identified, network management assigns policies that control where data from devices can stream, and what types of other devices can communicate with the legacy nodes.

When deploying new devices, we at least have the advantage of knowing the identities and installation locations, and we can use available and hopefully contemporary built-in security software. However, applying the appropriate policies to hundreds or thousands of new connections is an IT workload nightmare when attempted manually.

As new IoT deployments surge, sensors, cameras, beacons, and other telemetry collectors need to be automatically added to pre-defined network segments while applying policies that prevent them from communicating with inappropriate sources such as botnets. Policies can also specify where data from individual devices is routed for processing in order to preserve privacy. For example, video cameras should receive instructions from and send feeds to authorized applications only and reject any commands from sources outside their segment. Automating the application of these policies is key to keeping up with the rapidly expanding IoT universe.
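The two stages described above, profiling a device from the little it reveals about itself (vendor from the MAC prefix, a DHCP hostname, an exposed service) and then placing it in a segment whose policy decides what it may talk to, can be sketched in a few dozen lines. The following is an added illustrative example, not Cisco code and not how ISE, DNA Center or SD-Access implement profiling; the OUI prefixes, vendor names, segment names and observations are all constructed for the example, and a real deployment would read them from DHCP/ARP logs and the IEEE OUI registry.

```python
"""Discover, classify, segment and police IoT endpoints (added example).

All data below is constructed for illustration: the OUI table is NOT the
IEEE registry and the segment names are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed OUI (first three octets) -> vendor table; hypothetical prefixes.
OUI_VENDORS: Dict[str, str] = {
    "00:11:22": "ExampleCam Inc.",
    "aa:bb:cc": "BeaconWorks",
    "de:ad:be": "LegacyPLC Corp",
}

# Constructed profiling rules: (vendor, required service hint or None, class).
# Legacy gear often exposes only a vendor and one service, so that is all we key on.
PROFILE_RULES: List[Tuple[str, Optional[str], str]] = [
    ("ExampleCam Inc.", "rtsp", "camera"),
    ("BeaconWorks", None, "beacon"),
    ("LegacyPLC Corp", "modbus", "plc"),
]

# Device class -> segment. Anything we cannot profile is isolated, not trusted.
SEGMENT_FOR_CLASS = {"camera": "seg-video", "beacon": "seg-beacon", "plc": "seg-ot"}
QUARANTINE = "seg-quarantine"
MANAGEMENT = "seg-mgmt"

# Default-deny flow policy between segments (constructed). Cameras stream only to
# the video-analytics application segment and accept commands only from it;
# everything else, including the open internet, is dropped.
ALLOWED_FLOWS = {
    ("seg-video", "seg-apps-video"),
    ("seg-apps-video", "seg-video"),
    ("seg-beacon", "seg-apps-location"),
    ("seg-ot", "seg-apps-scada"),
    ("seg-apps-scada", "seg-ot"),
}


@dataclass
class Device:
    mac: str
    hostname: str
    services: List[str] = field(default_factory=list)
    vendor: str = "unknown"
    dev_class: str = "unknown"
    segment: str = QUARANTINE


def profile(dev: Device) -> Device:
    """Fill in vendor, class and segment; unrecognised devices land in quarantine."""
    dev.vendor = OUI_VENDORS.get(dev.mac.lower()[:8], "unknown")
    for vendor, hint, dev_class in PROFILE_RULES:
        if dev.vendor == vendor and (hint is None or hint in dev.services):
            dev.dev_class = dev_class
            break
    dev.segment = SEGMENT_FOR_CLASS.get(dev.dev_class, QUARANTINE)
    return dev


def build_inventory(observations: List[Tuple[str, str, List[str]]]) -> Dict[str, Device]:
    """Turn raw (mac, hostname, services) observations into a profiled inventory keyed by MAC."""
    inventory: Dict[str, Device] = {}
    for mac, hostname, services in observations:
        dev = profile(Device(mac=mac.lower(), hostname=hostname, services=list(services)))
        inventory[dev.mac] = dev
    return inventory


def flow_allowed(src_segment: str, dst_segment: str) -> bool:
    """Default-deny segment policy. Quarantined devices may reach only management
    (for remediation); every other pair must be explicitly listed."""
    if src_segment == QUARANTINE:
        return dst_segment == MANAGEMENT
    return (src_segment, dst_segment) in ALLOWED_FLOWS


def summarize(inventory: Dict[str, Device]) -> Dict[str, int]:
    """Count devices per segment; the quarantine count is the 'unknown devices' figure."""
    counts: Dict[str, int] = {}
    for dev in inventory.values():
        counts[dev.segment] = counts.get(dev.segment, 0) + 1
    return counts


# Constructed observations, as a DHCP/ARP collector might report them.
SAMPLE_OBSERVATIONS = [
    ("00:11:22:33:44:55", "cam-lobby", ["rtsp"]),
    ("AA:BB:CC:01:02:03", "", []),
    ("DE:AD:BE:EF:00:01", "plc-line1", ["modbus"]),
    ("12:34:56:78:9a:bc", "unknown-thing", ["telnet"]),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_OBSERVATIONS)
    for dev in inv.values():
        print(f"{dev.mac} {dev.vendor:16} {dev.dev_class:8} -> {dev.segment}")
    print("per-segment:", summarize(inv))
    print("camera -> analytics:", flow_allowed("seg-video", "seg-apps-video"))
    print("internet -> camera:", flow_allowed("seg-internet", "seg-video"))
```

The design point is the default: a device that cannot be profiled is not left on the flat network but placed in a quarantine segment that can reach only management, so the "unknown" devices the Cisco report describes become a visible count rather than an invisible exposure.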

An Architectural Approach to Controlling IoT: Intent-Based Networking

Taking control of both legacy and new IoT deployments enables IT to see it once, protect everywhere using policies that are defined centrally and deployed across the security fabric of the network. The use of a shared source of network intelligence means that when any of the network management components of the architecture detects a threat, the information is available to all the other elements and remediation can begin immediately.

Intent-based networking (IBN) is an architectural approach to managing everything connected to enterprise, campus, and software-defined wide area networks—including the explosion of IoT devices. IBN provides a security fabric to both rein in legacy IoT devices and manage the rollout of innovative digital transformation initiatives based on new hybrids of devices and applications, such as proximity-tracking beacons and analytics for hospitality.

Cisco’s Intent-Based Networking controller, DNA Center, is our answer to the IoT security challenge. Cisco Identity Services Engine (ISE) uses profiling technology to find, identify, document, and analyze the characteristics of legacy and newly connected devices. It feeds the data into DNA Center to provide proactive alerts for network problems and automated remedies. Cisco SD-Access provides automated end-to-end segmentation with consistently applied policies to enforce security for all IoT devices from office to campus, warehouse to manufacturing floor, transportation to outdoor arenas.

Not Just IoT Security, Secure Operational IoT

While the goal of achieving secure control over the expanding universe of IoT devices is made possible with DNA Center and Intent-Based Networking, additional rewards come by gaining operational insights into networked devices no matter where they are physically connected. By collecting telemetry data that devices transmit and analyzing where it is going, the intent-based network becomes a tool to provide actionable insight into operations, enabling you to realize the full benefits of securely deploying IoT applications as part of a digital transformation journey.

Now, wouldn’t you like to know what all your IoT devices are doing right now?

Anand Oswal

No Longer with Cisco