In the last few years of my career I made it a personal goal to solve a mystery I’d always noticed while working in IoT, and with security organizations inside different businesses – particularly with some very experienced CISOs (Chief Information Security Officers). I was trying to better understand why they chose to address security threats to IoT devices in a different, and often clumsier manner than security threats to IT equipment.
What my detective work uncovered was that they didn’t actually have much of a choice in the matter.
We all know that nowadays CISOs are held responsible for any cyber attack that hits their organization – whether it originates from external sources like the internet or applications, or from internal threats; whether it penetrates the organization’s networks through IT equipment or an IoT device; and whether the attack spreads from IT to OT systems or vice versa. The CISOs are always responsible.
To satisfy their responsibilities best, most CISOs ensure that their IT devices are protected with endpoint security solutions and monitor IT networks and devices using a variety of cybersecurity tools such as Security Information and Event Management (SIEM) systems. Yet from what I observed, these solutions were rarely applied to IoT security. Why?
CISOs’ Silent Compromise
For one, CISOs don’t believe they can get the type of endpoint security required for IoT visibility or management in their SIEM and other tools. When prompted with, “Why don’t you just ask your IoT vendors for the same type of security you get from your IT vendors?” I was not surprised by the answer: “If we demand that, we won’t get it. There are no real-time endpoint protection solutions for IoT devices which provide that level of visibility and manageability.”
After hearing this answer from far too many enterprise CISOs, I turned my back on them, and started asking IoT device vendors the same thing, put differently: “Why don’t you offer customers real-time visibility and manageability on your devices?” Imagine my surprise when the most common answer was, “Well… no one’s asked for it.”
Dumbstruck, I went back to the CISOs. “Well, why don’t you develop your own endpoint protection solutions for your IoT devices, like you do with your IT devices?” The primary response was somewhat shocking: “We have no access to our IoT device firmware, but even if we had – it’s clear that our vendors will remove the warranty from our devices as soon as we “tamper with them”.”
We’re left with a lose-lose situation. CISOs would love to gain visibility and manageability of IoT devices in the same way they have with IT equipment; they do not ask for it as they believe they cannot get it; the vendors do not provide it as no one asks for it; and are holding their customers captive by threatening to remove devices’ warranties in cases where CISOs obtain it themselves.
Forced to Sacrifice Security or Connectivity
The way this situation is currently addressed truly holds the IoT revolution back. CISOs are still held accountable for the security of their networks, and so they can’t let IoT devices be connected, but not protected. But without the ability to protect IoT devices and monitor them with their security monitoring tools, they do what has become the industry standard: micro segmentation.
Too often, IoT devices are pushed into separate “closed” networks. The closed network approach isn’t always effective, and in this scenario, security teams do their best to deny communication between IoT devices and IT tools (such as Active Directory, organizational calendars, and more) and even disable IoT device connectivity to the internet!
Without the first letter in IoT, what is an organization’s Internet of Things really composed of? Just things. This is a sad state of affairs for an industry so well funded, and getting bigger by the year. Yet in the recent past, I’ve witnessed more and more how IoT device vendors are abandoning their cloud-based solutions and giving in to the demand of their customers to offer on-prem solutions instead. It’s like we’re collectively giving up on the IoT dream.
How Do We Turn IoT Around?
In time, an effective way to flip the status quo on its head took shape: address the vendors’ needs and then proceed onto those of their customers. Just as security originates with IT vendors, it must also with IoT. However, the IoT industry is young in comparison with IT, so for now, bringing about change is best done by incentivizing vendors to do so.
For Firedome, this demanded that we offer vendors a solution including both an embedded IoT security product and the capability to build a subscription model around it for enterprises.
A first in the IoT industry, Firedome aligns the motivations of enterprises and device vendors with a solution that turns what is normally a cost item into a revenue opportunity. It offers a triple-win solution that:
Solves the biggest pain of enterprise security organizations: Their lack of visibility and manageability of cyber threats to IoT devices, monitored in the same SIEM system as their IT equipment.
Introduces a new subscription-based service for device vendors, by solving a real pain that their customers are more than ready to pay for.
Enables enterprise operations teams to embrace the I in IoT and get what they paid for: the type of connectivity that spurs growth.
Let’s give a push to this revolution, and change the paradigm. To see Firedome in action today, simply schedule a demo and one of our experts will see you there!