SJA Exclusive: Zero trust is coming your way

Zero trust in IoT

As the number of IoT devices continues to increase dramatically, so does network vulnerability, says Will Knehr, Senior Manager of Information Security and Data Privacy at i-PRO Americas.

In the past three years, nearly 20% of organizations have observed cyber-attacks on Internet of Things (IoT) devices in their network. Many of these small computing devices were developed with convenience – not security – in mind.

The class of devices developed for use in manufacturing, securing enterprise facilities and enabling smart farms, termed the Industrial Internet of Things (IIoT), is more likely to include security features but still increases the risk of cyber-attacks.

A security framework called zero trust is gaining adoption worldwide as a way to address the vulnerabilities connected devices present. With zero trust, all users, whether inside or outside an organization’s network, must be authenticated, authorized and continuously validated for security confirmation and posture before being granted access to applications and data.

Through a recent executive order, the US White House has mandated federal compliance with zero trust architecture and design by 2024. This will result in a huge federal shift in US policy for 2023 with ripple effects on any organization doing business in the US. As the past has shown us, others soon follow where the federal market goes.

Securing user access

Most modern-day network architectures work a lot like airports. When you enter, you go through a security check showing your ID and boarding pass, but once inside, you can roam freely and check out all the shops, terminals and gates; no one stops you from exploring.

Networks are similar. Once you provide your username and password, you can poke around and explore. Roaming around freely on the network is something hackers rely on to find vulnerable devices, information to steal or ways to escalate their privileges.   

In that same airport scenario with zero trust in play, you can access only the terminal, gate and plane you are authorized to use when you get through security. You aren’t allowed to roam the entire airport checking out anything else.

The scenario illustrates the key idea behind zero trust — the person going to the airport is allowed to access only those resources they need to go to their destination and nothing else. In a zero-trust network, when someone wants to use a network resource (email, web server, printer, etc.), they are given access to that resource alone and nothing else. Access to every resource must be authenticated and approved. 

The beauty of zero trust is that, in addition to granting access to a specific resource only, it also performs a context analysis. When someone tries to access a network resource, context analysis checks the user's permissions and privileges and authenticates the user. It then examines the device being used to access the network: whether the device belongs on the network, whether it is updated and patched, whether it has antivirus and other required software, and whether the policies on the device are correct.

Zero trust does a deep analysis of the user, the device and the resource they are trying to access, making it far more secure than traditional security architectures.

Securing device access

Zero trust doesn’t just secure access by the user. It also secures access by devices like security cameras, access control systems or IoT/IIoT devices using the same principles. Security cameras, for example, currently use passwords to authenticate to the network. If you have a good-quality camera, it will also use a signed certificate for encryption. Combine that with 802.1X and network segmentation and you’ve got almost the full extent of IoT/IIoT protection.

In a traditional scenario, if a network computer is compromised by a hacker who scans the network, finds a camera and launches an attack against it, the chance is high that the attacker will successfully compromise the camera.

In a zero trust scenario, if a network computer is compromised by a hacker who scans the network and finds a camera, the zero-trust boundary recognizes that the compromised computer has no business communicating with the camera and blocks the request. The network has detected that the context of the request is abnormal and the attack was not successful.  

Zero trust has many more implications for IoT/IIoT. Traffic going to devices can be monitored for context and can also be used to authenticate the IoT/IIoT device itself. Every device has unique features like a media access control (MAC) address, operating system version and hardware ID that can be used to make sure that the device is supposed to be on the network and that it is behaving properly. This helps prevent attackers from using IoT/IIoT devices as attack vectors in the network. 
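The context analysis and device checks described above can be sketched as a default-deny decision function. This is an added example, not code from the article or from any vendor; the device names, MAC addresses, users and policy entries are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    mac: str
    os_version: str
    hardware_id: str
    patched: bool = True
    antivirus: bool = True

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool
    device: Device
    resource: str

# Constructed sample inventory: enrolled devices keyed by MAC address.
RECORDER = Device("02:00:00:00:00:10", "vms-os 4.2", "HW-REC-01")
WORKSTATION = Device("02:00:00:00:00:20", "desktop-os 11", "HW-WS-07")
INVENTORY = {d.mac: d for d in (RECORDER, WORKSTATION)}

# Constructed policy: resource -> (user, device MAC) pairs allowed to reach it.
POLICY = {
    "camera-lobby": {("svc-recorder", RECORDER.mac)},
    "email": {("alice", WORKSTATION.mac)},
}

def decide(req: Request) -> tuple[bool, str]:
    """Default-deny decision for one request to one resource."""
    if not req.authenticated:
        return False, "user not authenticated"
    enrolled = INVENTORY.get(req.device.mac)
    if enrolled is None:
        return False, "device not enrolled"
    # A matching MAC alone is not enough: OS version and hardware ID
    # must also agree with what was recorded at enrollment.
    seen = (req.device.os_version, req.device.hardware_id)
    if seen != (enrolled.os_version, enrolled.hardware_id):
        return False, "device identity mismatch"
    if not (req.device.patched and req.device.antivirus):
        return False, "device posture failed"
    # Access is granted per resource; anything not listed is denied.
    if (req.user, req.device.mac) not in POLICY.get(req.resource, set()):
        return False, "no policy for this user/device on this resource"
    return True, "allowed"
```

A workstation with valid credentials and healthy posture is still denied when it asks for `camera-lobby`, because no policy entry ties that user and device to the camera.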

While security professionals are highly aware of the risks posed by vulnerable devices, the continued push to secure networks by IT professionals and network vendors will create even more cybersecurity awareness.

Zero trust architecture as a network security model has gained momentum, and we anticipate continued adoption around the world, driven by the need to validate every transaction between devices and people. Special Publication 800-207, published by the National Institute of Standards and Technology, defines further cyber protection standards that support this movement.

Will Knehr is the Senior Manager of Information Assurance and Data Privacy at i-PRO Americas, Inc. He has been working to secure networks since 2004 when he started his career in Cryptologic Warfare conducting cyber-defense missions for the NSA, CMF, DoN, DoD and DISA. He also worked for Northrop Grumman supporting special projects for the NSA and DISA building virtualized environments for malware analysis, data brokering and managing their cybersecurity program. Will holds master’s degrees in CyberSecurity and Business and industry certifications including CISSP, PMP, CEH, CNDA, CASP, CMMC RP and more. 
