A Secure Network Requires Addressing IoT Security Complexity

By: Larry Lunetta, VP Portfolio Solutions Marketing at Aruba, a Hewlett Packard Enterprise company.

When organizations implement Zero Trust and SASE cybersecurity frameworks, the top priority is ensuring those connecting to the network are authenticated with appropriate access privileges. Users often represent the most fertile attack surface as they can go rogue or be phished, inadvertently sharing sensitive information with malicious actors that can cost a business dearly.

Meanwhile, organizations also must manage the flood of “things” entering the network, as in the Internet of Things (IoT). Sure, a wireless thermostat or smart speaker can’t be phished like a person, but each device represents another node that further expands the attack surface area, an area expanding at an exponential rate. Thankfully, recent communication from NIST National Cybersecurity Center of Excellence (NCCoE) have helped to address this issue.

To summarize the findings, network and security teams face significant obstacles in securing IoT devices on the network. Dealing with IoT devices is just as complicated, if not more so, than managing users when tasked with safely and securely onboarding those devices onto the network while also monitoring them for optimal performance and protection.

Network Layer Onboarding and Lifecycle Management 

NIST highlights in its project description how IoT security is difficult for myriad reasons:

• Manufacturers often provide a single set of log-on credentials for the millions of devices these organizations produce. Although sharing the same network credential for every device is often simple, this system lacks the ability to identify each device, nor is there a method to verify each device is connecting to the appropriate network.
• In contrast, manually provisioning a unique network credential for each device drastically increases the complexity of the on-boarding process, let alone that such approaches are resource intensive, error-prone, and insecure.
• Going further, requiring manufacturers to assign a unique network credential to each device as part of the manufacturing process is impractical and inefficient while potentially raising the cost of production.
• Lastly, even if each device includes unique credentials, IT often lacks visibility into these devices connecting to the network. Those blind spots lead to gaps in the overall security paradigm, no matter the effectiveness of Zero Trust and SASE frameworks from the user security side.  

To help solve the problem, NIST NCCoE created a new project called, “trusted network-layer onboarding and lifecycle management,” essentially a method to automate the network-layer onboarding based on the following ground rules:

• Provides each device with unique network credentials
• Provides the device and the network an opportunity to mutually authenticate
• Is performed over an encrypted channel (to protect credential confidentiality)
• Does not provide anyone with access to the credentials
• Can be performed repeatedly throughout the device lifecycle

Effective, Efficient IoT Cybersecurity

By leveraging the NIST recommendations, IT teams can create a network that provides the connectivity, performance, scale, automation, and security that their respective businesses need. Afterall, IoT devices are not just for tracking building maintenance or occupancy, they provide critical data that informs business leaders about how to optimize its organization to achieve business goals, whether that’s improving the physical health of its employees or finding new and better methods to operate. The data IoT devices create and compile may also help further automate processes and even support more efficient way to manage IT infrastructure.

Watch this video to learn about how Aruba ESP can help organizations better manage IoT on the network as part of digital transformation initiatives: