Why Most IoT Cybersecurity Strategies Will Fail with Zero Trust: A Conversation with Denny LeCompte, CEO of Portnox

I spoke recently with Denny LeCompte, CEO of Portnox, maker of a cloud-native network access control (NAC) solution, among other products. In his view, most Internet of Things (IoT) cybersecurity strategies give zero hope for Zero Trust.


Q: Why must IoT devices be secured to avoid becoming gateways onto the corporate network by cybercriminals?

A: In general, IoT devices are manufactured with little concern for security. While bypassing security best practices helps keep production costs low for manufacturers, it also puts the often overwhelming onus of securing the device on the end user or administrator. Unfortunately, this means IoT devices are particularly susceptible to cyber-attack. Cybercriminals know IoT is vulnerable and that many administrators and end users simply can’t keep up with the demand for more sophisticated security safeguards, so they exploit these devices with relative impunity. It’s not so much a question then of “why” IoT should be secured anymore, but rather of “how.”


Q: What are some of the ways cybercriminals are using IoT devices to gain access?

A: Some of the top ways in which hackers are leveraging IoT devices to gain access are through methods such as vulnerability probing, DNS spoofing, Universal Plug and Play (UPnP) exploitation and reverse engineering firmware. And with so many ways “in,” there is no shortage of high-profile incidents involving cybercriminals gaining network access via IoT – recent hacks against Tesla, Western Digital, and even a high-end casino are some recent examples.


Q: Why should identifying, authenticating, authorizing, and segmenting IoT devices become a standard mandate of the connected business era?

A: Most businesses have limited visibility into the security posture of the vast web of devices attached to their networks, especially when it comes to IoT. But you can’t protect against what you can’t see. Businesses need to be able to see IoT devices requesting access to the network. By “see,” I mean being able to properly profile the device and determine its type, location, requested access layer, and more. Until that is possible for an organization, authorizing and segmenting those devices is moot, if not impossible. Applying access and control policies to IoT requires at least an understanding of the device’s ID, and an accurate one at that.


Once a business can see and profile all IoT devices, it can start configuring and enforcing authorization and micro-segmentation policies for these devices to further strengthen its network security posture. Most companies today can’t see, let alone control access for, IoT. But ostensibly, if they could do both, they’d define strict policies that take into account the inherent vulnerability of these devices. With the right toolset, organizations can enact these policies without additional overhead, architectural changes, or on-premises hardware.


Q: Can you explain where fingerprinting fits into establishing and enforcing Zero Trust for IoT?

A: IoT remains the biggest hurdle in achieving universal zero trust across the organization. Since IoT has been so difficult to accurately profile, the zero trust model would argue that no IoT device can be trusted, and thus should not be allowed on the network. Unfortunately, IoT is critical to business operations today – particularly in manufacturing, healthcare, construction and engineering.

Fingerprinting IoT devices is the process of identifying an IoT device’s vital characteristics on the network to define and apply unique policies based on those characteristics. Important characteristics typically include device manufacturer, make and model. These characteristics are then utilized to further classify the device types, such as security cameras, IP phones, gaming consoles, medical devices, etc. Examples of policies that could be defined based upon those characteristics and classifications would be to place all security cameras onto a designated VLAN, apply an ACL to all medical devices which blocks all uninitiated incoming network traffic to the devices, or even to deny access onto the network entirely, or place the device into a safe quarantine guest VLAN in the case of gaming consoles.

With the ability to first see and then control IoT devices through the use of IoT fingerprinting, organizations can close the loop on this zero trust security model gap.
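As an added illustration of the see-then-control loop described in this answer (example code written for this article, not Portnox’s product or any real profiler), the toy below derives manufacturer and device class from two constructed signals, a MAC OUI and a DHCP vendor-class string, and then applies the kinds of policies the interview lists: camera VLAN, medical-device ACL, console quarantine, and default deny for anything it cannot profile. The OUIs, vendor names, VLAN ids and ACL names are placeholders, and the consistency check between the hardware vendor and the self-reported vendor class is an added defensive assumption, not something the interview specifies.

```python
# Added example, not Portnox's code: a toy IoT fingerprinter plus policy engine.
# All OUIs, vendor names, VLAN ids and ACL names below are constructed placeholders.

# Constructed OUI (first three MAC octets) -> hardware manufacturer table.
OUI_VENDORS = {"00:11:22": "acme", "aa:bb:cc": "medco", "de:ad:be": "playco"}

# Constructed DHCP vendor-class prefix -> (claimed manufacturer, device class).
# A real profiler combines more signals (DHCP option sets, mDNS/SSDP, TLS stack).
VENDOR_CLASS = {
    "acme-camx": ("acme", "security_camera"),
    "medco-infusion": ("medco", "medical_device"),
    "playco-console": ("playco", "gaming_console"),
}

DENY = {"action": "deny", "vlan": None, "acl": None}
QUARANTINE = {"action": "quarantine", "vlan": 99, "acl": "guest-only"}

# Per-class enforcement mirroring the policy examples given in the interview.
POLICIES = {
    "security_camera": {"action": "permit", "vlan": 30, "acl": None},
    "medical_device": {"action": "permit", "vlan": 40, "acl": "block-uninitiated-inbound"},
    "gaming_console": QUARANTINE,
}


def fingerprint(mac, vendor_class):
    """Return (manufacturer from OUI, manufacturer claimed by vendor class, device class)."""
    oui_vendor = OUI_VENDORS.get(mac.lower()[:8])
    claimed, device_class = None, None
    for prefix, (vendor, cls) in VENDOR_CLASS.items():
        if vendor_class.lower().startswith(prefix):
            claimed, device_class = vendor, cls
            break
    return oui_vendor, claimed, device_class


def decide(mac, vendor_class):
    """Zero-trust decision: only a consistent, recognised profile receives its class policy."""
    oui_vendor, claimed, device_class = fingerprint(mac, vendor_class)
    if device_class is None or oui_vendor is None:
        # Cannot be profiled: the zero-trust default is no network access at all.
        return {"class": None, "reason": "unprofiled", **DENY}
    if oui_vendor != claimed:
        # Hardware vendor and self-reported identity disagree, so the claimed class
        # is not trusted; park the device in the quarantine VLAN for review.
        return {"class": device_class, "reason": "inconsistent-fingerprint", **QUARANTINE}
    return {"class": device_class, "reason": "matched", **POLICIES[device_class]}
```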


Q: How can businesses close IoT security gaps and unknown entry points?

A: Businesses can close IoT security gaps by implementing comprehensive IoT security protocols that include IoT fingerprinting, as well as access and authorization policies based on IoT profiles across their entire environment. On top of that, it’s imperative to keep firmware up to date, turn off unused services, rely on firewalls to manage accepted traffic, and stay on top of general environmental drift due to inevitable human interference with IoT. Just like the rest of the security threat landscape, IoT threats and best practices to prevent cyberattacks and network exploits will continue to evolve, so businesses need to be ready to scale their security practices to keep pace.