Q&A: Jeff Wilbur of the Online Trust Alliance on why enterprise IoT security is a lot like BYOD

Enterprise IT departments are seeing odd echoes of the problems they faced during the early BYOD era in the entrance of IoT technology into the enterprise, where one of the principal threats is the use of consumer-grade (read: insecure) IoT gizmos on corporate networks.

Jul 26th 2018

As consumer Internet of Things (IoT) devices inevitably find their way into the workplace, IT pros need to isolate them from the rest of the enterprise network, perhaps on a network of their own, so they don’t become backdoors exploitable by attackers, according to the head of the Online Trust Alliance.

Jeff Wilbur, the director of the alliance, which is an initiative within the larger Internet Society, says that it is better to embrace employees’ IoT devices and allow them to be used safely than to ban them and risk their unauthorized, unprotected use that could undermine network security.

Similarly, industrial IoT devices deployed by businesses should be firewalled off from the broader corporate network in order to minimize risk of compromise, he said in an interview with Network World senior writer Jon Gold.

Here’s a transcript of that conversation.

Network World: How does the OTA’s work with consumer-grade IoT security translate to the enterprise sector?

Wilbur: A few years ago, we took those general concepts of security and privacy, because every year we do an audit of about a thousand websites and organizations – email authentication practices, privacy and security, and we realized that the IoT market was growing, that there were going to be an order of magnitude more devices that were sending and receiving data, and generating data that needed to be secure and private as well, so we created a listing through a working group that eventually involved over a hundred different organizations. That (group) created a list of principles, mainly targeted at manufacturers, so security, privacy and lifecycle properties of IoT products, and what they should consider building into the product from the beginning, sort of the security and privacy by design.

We’ve had that out for a few years now, and it gets updated as necessary, but if you take that list of principles, and then apply it to the other side, the users of these products, it can be used as a filter to decide “what kind of products should I buy? What are the security and privacy characteristics that they should have?”

The reality today is that not all products – in fact, not many of the IoT products – are conforming to that list of principles yet. And when consumer-grade products kind of sneak their way into the enterprise … IT folks may or may not know it’s even there, and these products can be very chatty, they can be collecting data or being sort of a gateway vulnerability to the rest of the network if they’re not properly isolated or dealt with.

Network World: What’s a good example of that type of consumer-type IoT sneaking into the enterprise?

Wilbur: I don’t know that we’re advocating to keep it out of the enterprise, we’re advocating to manage it within the enterprise. Because if it comes through the side door or the back door, under the radar, whatever term you want to use, that’s when it can be dangerous, but it can also, if managed properly, be just fine.

The examples I hear of late are, of course, smart TVs in conference rooms – they may mainly be used as monitors, you know, you hook your laptop to it for display, but they also are smart TVs, and depending on how much you allow that capability to be connected into your network, that’s a potential vulnerability point.

A lot of smart speakers are being used in those environments, so you’ve just got to pay attention to the data flows and where they are in the network, and who’s saying what. If you look at Alexa, for instance, and Google Home, for the most part it seems that they have pretty good security controls around it, but whoever owns those accounts, your voice queries get stored in your account. So a lot of people don’t know exactly what data is being captured. For the most part, there has been concern about all voice being transmitted on through, even when there’s no wake word that initiates it, and that does not seem to be the case – it’s only passed through when there’s a real query involved, but it’s good to be cautious, especially in an enterprise environment.

Another area that it seems like IoT devices are making their way into [the enterprise] is appliances in the breakrooms, and it might be for the purposes of energy control or just remote monitoring, but again, those potentially can create an entry point for an attacker if they’re not managed properly. And then you’ve got fitness trackers that individuals bring in – for the most part, those just connect to your phone, and often they don’t hit the enterprise network, but depending on how you’ve got them set up, if your phone is then on your corporate Wi-Fi, then who knows?

Network World: This really DOES harken back to the BYOD challenges of several years ago, doesn’t it?

Wilbur: Exactly. And a lot of these devices have either default or hardcoded passwords, and so, if they are reachable, they might be an attacker’s entry point – they may or may not be software-updateable, so we have recommendations in [our checklist] like, if you’re looking at it from the very beginning, you should set up some policies and rules for employees about what they can bring in and what characteristics it should have.

The danger, and this is the same as the BYOD thing, is that if you’re too restrictive, you end up creating an under-the-table – they used to call it “shadow IT,” you can probably call this “shadow IoT” if you want – you can create that kind of thing where people say “I’m still gonna bring it in, but now it’s really gonna be under the radar,” as opposed to doing it with eyes wide open so you kinda know what you’re getting into.

We recommend setting up a separate network for those devices. Most companies set up a guest network for Wi-Fi, so why not have an IoT-specific network, or why not have them on your guest network also? It depends on the company, and how they want to organize things.

Network World: A lot of industrial IoT seems to involve connecting devices that were designed 10, 20, 40 years ago to the Internet, which they weren’t really meant to do. How do companies go about addressing that kind of concern, given that they’re not going to be able to simply replace giant pieces of industrial equipment that they may have been using for decades?

Wilbur: That’s going to vary according to the project – it’ll vary all the way from providing some gateway of connectivity from legacy systems into a network that gives them some sense of remote control of that, to whole new projects where you’re able to start from scratch with the latest stuff. So, in those kinds of environments, the thing to be careful of is, when you have a tightly controlled, highly secure gateway, where the communication is kind of crossing between the IT network and the operational network. There’s a lot of attention these days being paid to that kind of IT/OT blending.

When you have situations like that, in a gateway, you can manage the traffic flow through that gateway very well if you want to, and so that’s really the chokepoint where you can do that. When you go to the newer sort of environment, where you’ve got new products and many of the individual devices are now connected, you can do similar things. Let’s say you’ve got a factory floor, and you have all your devices connected on that floor, you don’t want that network wide-open to the rest of your corporate network, right? So you’re going to have some kind of firewall into that, and it’s really a matter of paying attention to what can be accessed by whom and from where.

The risks of having industrial applications exposed to the world in some way are great – there can be physical harm to individuals, there can be catastrophic-level attacks on machinery to make it fail, and all that kind of stuff. So the security aspect of the connectivity needs to be very strongly taken into account in those kinds of environments.
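The segmentation Wilbur recommends above (a separate IoT network, a firewall between it and the corporate network, and attention to what can be accessed by whom and from where) can be written down as a default-deny policy between zones and checked mechanically against flow records. The script below is an added example and is not part of the interview or of any OTA material: the address plan, zone names, allow list and flow lines are all constructed for the illustration, and the flow format (timestamp, source, destination, protocol, destination port) is an assumption standing in for whatever a stateful firewall or NetFlow export actually produces.

```python
"""Audit flow records against a zone-based IoT segmentation policy.

Added example, not part of the interview: the address plan, zone names,
allow list and flow records below are all constructed for illustration.
"""
import ipaddress

# Assumed address plan: each zone is its own VLAN/subnet (constructed).
ZONES = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}

# Explicit allow list for connections that *initiate* across a zone boundary:
# (src_zone, dst_zone, proto, dst_port); None means "any".
# Anything not listed is denied, so an IoT device can reach its cloud
# back-end but can never open a connection into the corporate network.
ALLOW = [
    ("iot", "internet", "tcp", 443),   # device's cloud service
    ("iot", "internet", "udp", 123),   # NTP
    ("corp", "iot", "tcp", 443),       # admins manage devices from corp
    ("corp", "internet", None, None),
    ("guest", "internet", None, None),
]


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, proto, dst_port):
    """Default-deny check for a new connection from src_ip to dst_ip."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic never crosses the firewall
    return any(
        s == src and d == dst and p in (None, proto) and port in (None, dst_port)
        for s, d, p, port in ALLOW
    )


def parse_flow(line):
    """Parse 'timestamp src dst proto dst_port' (assumed format) into a dict."""
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "port": int(port)}


def audit_flows(text):
    """Return the flows the policy would deny; each one is alert material."""
    violations = []
    for line in text.strip().splitlines():
        f = parse_flow(line)
        if not is_allowed(f["src"], f["dst"], f["proto"], f["port"]):
            f["src_zone"], f["dst_zone"] = zone_of(f["src"]), zone_of(f["dst"])
            violations.append(f)
    return violations


# Constructed flow records (connection initiations only, as a stateful
# firewall log or NetFlow export would record them). External addresses
# are from the documentation ranges, not real hosts.
SAMPLE_FLOWS = """
2018-07-26T09:58:12 10.20.0.15 203.0.113.10 tcp 443
2018-07-26T09:58:40 10.20.0.15 10.10.5.20 tcp 445
2018-07-26T09:59:03 10.10.1.8 10.20.0.15 tcp 443
2018-07-26T09:59:30 10.20.0.22 10.20.0.15 udp 5353
2018-07-26T10:00:07 10.30.0.41 10.10.5.20 tcp 22
2018-07-26T10:00:20 10.20.0.15 198.51.100.5 udp 123
"""

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"DENY {v['src_zone']}->{v['dst_zone']} {v['src']} -> "
              f"{v['dst']}:{v['port']}/{v['proto']} at {v['ts']}")
```

Run against the sample, the audit flags the smart TV on the IoT VLAN opening SMB to a corporate file server and a guest-network host trying SSH into the corporate range; the device talking to its cloud service, the admin reaching a device from the corporate side, and device-to-device mDNS inside the IoT VLAN all pass. The same allow list is what the firewall between the zones should enforce; running it over exported flows is the detection side of the same policy, and a hit means either the firewall rule is missing or a device is doing something it should not.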