The Only Way to Secure the IoT Is Zero Trust

Smart toasters, washing machines that can tell the future, and Siri. The Internet of Things is so much more than simply billions of connected things. 

IoT is about critical infrastructure, like traffic controls, water purification systems and power grids. IoT is about secure voting systems that uphold our faith in our most revered democratic processes. IoT also is about ensuring that our citizens, communities and economic systems are safe and healthy. And because the stakes surrounding IoT are so high, the potential benefits are so great, and the possible downsides are so dramatic when security is not taken into account from the start, organizations absolutely must embrace a comprehensive Zero Trust strategy. 

In fact, the only way to do IoT security is Zero Trust. Here’s why.

So many of the systems we use, and must protect, act in a deterministic manner; they behave the same way every time. An MRI machine is an MRI machine; its functionality determines that for me—and for my cybersecurity framework. But I do need controls to allow it to behave only the way it is supposed to behave.

That’s Zero Trust. It allows only the prescribed services and communications essential to function. We don’t trust anyone to have unfettered access to MRI systems or, of course, the data collected by MRI machines.

Behavioral analytics is also an important part of how we secure our connected things. It helps us learn from mistakes, breaches and incursions—but only after the fact. By the time we learn from behavioral analytics, something bad has already happened, like automobile braking systems being hacked at 75 mph or pacemakers failing.
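The allow-only-what-is-prescribed idea above, as an added example that is not part of the original article: a deterministic device (the MRI scanner) gets an explicit allowlist of the services it may talk to, everything else is denied by default, and the denied flows are the record that behavioral analytics would later study. The hostnames, ports and flow records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A flow as a gateway sees it: (source device, destination host, protocol, destination port).
Flow = Tuple[str, str, str, int]
# A permitted service for a device: (destination host, protocol, destination port).
Service = Tuple[str, str, int]


@dataclass(frozen=True)
class DevicePolicy:
    """Everything a deterministic device is allowed to talk to. Anything else is denied."""
    device: str
    allowed: Set[Service]


def decide(policies: Dict[str, DevicePolicy], flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). Default is deny: a device with no policy gets nothing."""
    src, dst, proto, port = flow
    policy = policies.get(src)
    if policy is None:
        return "deny", "no policy for device"
    if (dst, proto.lower(), port) in policy.allowed:
        return "allow", "prescribed service"
    return "deny", "not in allowlist"


def enforce(policies: Dict[str, DevicePolicy], flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate every flow; the denied ones are what analytics reviews after the fact."""
    return [(f, *decide(policies, f)) for f in flows]


# Constructed policy (hostnames and ports are assumptions): the MRI scanner may push images
# to the PACS server over DICOM and sync its clock over NTP, and nothing else.
POLICIES = {
    "mri-01": DevicePolicy("mri-01", {
        ("pacs.hospital.example", "tcp", 104),   # DICOM
        ("ntp.hospital.example", "udp", 123),    # NTP
    }),
}

# Constructed flow log: two expected flows, one to the wrong port on a known host,
# one to an outside address, and one from a device that has no policy at all.
SAMPLE_FLOWS: List[Flow] = [
    ("mri-01", "pacs.hospital.example", "tcp", 104),
    ("mri-01", "ntp.hospital.example", "udp", 123),
    ("mri-01", "pacs.hospital.example", "tcp", 22),
    ("mri-01", "203.0.113.10", "tcp", 443),
    ("toaster-07", "pacs.hospital.example", "tcp", 104),
]

if __name__ == "__main__":
    for flow, verdict, reason in enforce(POLICIES, SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:22} {flow}")
```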

What we need with more connected things is the ability to lock down those systems against both intentional and unintentional threats. Rather than relying solely on layer after layer of security tools, systems and software, we need basic, smart security approaches.

So, when your executive team and your board members want to know why the organization’s IoT projects and systems must come under the enterprise-wide Zero Trust umbrella from the start, here are three reasons to give them:

Proliferation. It is clear that IoT will touch upon more of our lives at home, at work or in the community. The accelerated adoption of smart homes, smart cities and smart buildings, facilitated by a cascade of IoT devices embedded in everyday devices, will soon make IoT commonplace. The current estimates of anywhere from 20 to 50 billion connected things over the next several years may be the tip of the iceberg. IoT will be a core enabler of everything we do. You can’t address cybersecurity for anything that massive and pervasive without the same Zero Trust strategy you are applying to your applications, networks and computing infrastructure.

Footprint. IoT connection points such as sensors are very small – and will get even smaller. While that’s great for organizations that want to embed IoT functionality into a broad range of applications, it’s important to keep in mind that IoT devices have limited physical and virtual space for traditional cybersecurity tools. This makes it very difficult to overlay security on top of IoT devices—especially after those devices have been developed and are in use. That requires IoT-centric cybersecurity to be designed into systems from the very start—and to be tightly integrated with the Zero Trust framework already built into data centers, networks, cloud connections and mobile endpoints. You wouldn’t allow your organization to have a couple hundred unsecured PCs, right? Well, why should you accept thousands or even millions of unsecured IoT touch points?

Criticality. If you don’t lock down your IoT systems with a Zero Trust mentality, the potential for negative consequences will be staggering. Traffic systems won’t work, cars will crash, voting irregularities will be commonplace, hospital patients will be endangered, drinking water will be contaminated.

So, before I get off my soapbox about the essential nature of Zero Trust for IoT applications, let me invoke the words of George Finney, chief security officer of Southern Methodist University:

“Zero Trust is a means to an end. How we use it will go a long way in shaping the cybersecurity landscape of the future.”

That cybersecurity landscape of the future will likely include IoT every step of the way. 