Securing IoT Devices Demands Applying Zero Trust Principles

Two recent sets of vulnerabilities discovered in medical IoT devices, one in lab testing gear and one in a temperature sensor, the latter of which brings back memories of the infamous fish tank sensor hack in Las Vegas, highlight the need for implementing Zero Trust principles when deploying IoT devices.

When one thinks about Zero Trust in relation to IoT devices, network segmentation comes to mind as the easiest way to control access to these devices and, if a device is compromised, to restrict its access to other apps and data so that patient data cannot be accessed and an attack cannot pivot to other devices on the network. The challenge is that these devices may need that access: these smaller devices are often part of larger solution deployments that do blood testing or control the temperature of samples or pharmaceuticals, so simply implementing segmentation policies will still allow access to the apps, data, and other devices that these components communicate with. Access control needs to go deeper, and you need to define exactly what these devices have access to on other devices, application servers, or internet hosts.
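The difference between a segment-level policy and a per-device allowlist can be seen by running both over the same flow records. The sketch below is an added example, not part of the original post; the addresses, ports, device roles and function names are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: every address, port and device role is illustrative.
SEGMENT = ip_network("10.20.0.0/24")        # the medical IoT segment
ALLOWLIST = {
    # device -> the exact (destination, port) pairs it needs to function
    "10.20.0.11": {("10.20.0.5", 8443)},    # temperature sensor -> monitoring server
    "10.20.0.12": {("10.20.0.6", 2575)},    # lab analyzer -> lab application server
}
FLOWS = [
    ("10.20.0.11", "10.20.0.5", 8443),      # expected telemetry
    ("10.20.0.11", "10.20.0.6", 445),       # sensor reaching the lab server on another port
    ("10.20.0.12", "10.20.0.6", 2575),      # expected results upload
    ("10.20.0.12", "10.20.0.11", 22),       # analyzer reaching the sensor directly
    ("10.20.0.11", "203.0.113.9", 443),     # sensor reaching an internet host
]

def segment_allows(src, dst):
    """Segmentation-only policy: anything inside the segment may talk."""
    return ip_address(src) in SEGMENT and ip_address(dst) in SEGMENT

def allowlist_allows(src, dst, port):
    """Per-device policy: default deny, only exactly listed destinations pass."""
    return (dst, port) in ALLOWLIST.get(src, set())

def review(flows):
    """Label each flow: allowed, gap (segment permits, device does not need), blocked."""
    results = []
    for src, dst, port in flows:
        if allowlist_allows(src, dst, port):
            verdict = "allowed"
        elif segment_allows(src, dst):
            verdict = "gap"
        else:
            verdict = "blocked"
        results.append((src, dst, port, verdict))
    return results

def segmentation_gaps(flows):
    """Flows that segmentation alone would let through but the allowlist denies."""
    return [row[:3] for row in review(flows) if row[3] == "gap"]

if __name__ == "__main__":
    for row in review(FLOWS):
        print(row)
```

The two flows labelled `gap` stay inside the segment, so segmentation alone never sees them as a problem; only the per-device definition of required access does.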

IoT device deployments, like many modern networks, tended to grow organically and not always as planned. Devices were slowly added to the network to fill a need, like printing, video monitoring, or package tracking, and by the time enterprises realized what had happened, thousands of devices had become part of the corporate network with no plans for how to manage them, how access would be controlled, or how they would be monitored. This means that as problems were discovered, teams pivoted to resolve the problem without any thought or ability to redesign the deployment so that these requirements were properly addressed. Since the proliferation of these devices isn’t slowing down, problems like this continue to rise, meaning the time to act is now.

IoT Security has been identified as one of our Top 10 Emerging Technologies for 2024, which reflects the growing concern around securing these devices. In response, a lot of solutions have emerged to address concerns around IoT devices, device inventory, vulnerability management, identity and access management, network control and security, and endpoint security. These solutions can only assist once security leaders determine they’re going to apply Zero Trust principles to IoT device deployments. That means:

  1. Recognizing what’s wrong right now
  2. Analyzing what level of access is needed to these IoT devices
  3. Determining what data they need access to
  4. Deciding how these devices are going to be monitored

Forrester clients interested in assessing these requirements and providing directions on your IoT Security roadmap should submit an inquiry or guidance session request with me. If you don’t know how you’re going to use this technology, it’s going to be shelfware.