Securing Enterprise IoT with Blockchain Integrated into Privileged Access Management Strategies

Securing IoT Data at Scale Is Possible

Enterprise IoT solutions are growing, but some say not fast enough.

What’s holding IT, OT and network operations teams back from large implementations of connected things – from smart buildings, to smarter surveillance systems, to more efficient fleets and more optimized factories – is fear of attacks and security breaches.

In a survey about IoT security published earlier this year, researchers found that 97 percent of respondents believe unsecured IoT devices could be catastrophic for their organization.

For those who had implemented IoT technologies, only 29 percent reported actively monitoring connected endpoints and systems for related third-party risks.

The Ponemon Institute, an independent research firm focused on privacy, data protection, and information security policy, and the Shared Assessments Program, the industry-standard body on third-party risk assurance, published The Internet of Things (IoT): A New Era of Third-Party Risk, confirming what many CIOs already know or feel: that we’re still early, and that there are clear and present dangers when security is not thoroughly thought through and implemented.

Beyond Smart Metering, Connected Everything

This is not to say there have been no widespread implementations. Shortly after the turn of the century, utility companies began rolling out smart meters to provide a less expensive, more practical, digital way of “meter reading”: monitoring usage data over the Internet, which connects the meters and feeds the information into their management and billing systems.

Connected meters, appliances, cars, doorbells, baby monitors and more pervaded the consumer world, while more and more companies across a range of industries started to develop more sophisticated solutions, from healthcare monitoring devices to connected cars.

Real world cyber-attacks against the IoT heightened awareness, and created more focus on security aspects, which are not easy to manage given the size and scope, distribution and data sharing associated with enterprise IoT.

A few of the most well-known attacks include:

  • In Ukraine, an entire power grid was taken offline, impacting 86,000 homes.
  • In Dallas, Texas, 156 tornado alarms were hacked, and continued to go off in repeating 90-second cycles, causing panic and fear of WWIII.
  • In Germany, a steel mill was the target of a cyberattack when hackers successfully took control of the production software and caused significant material damage to the site.
  • In the UK and elsewhere, hospital devices were hit with ransomware, causing a state of emergency to be declared because the hospitals were unable to continue critical services.
  • In the US, IoT devices were turned into bots, and then controlled and used to participate in a DDoS (Distributed Denial of Service) attack similar to the one that targeted Dyn, bringing down Netflix, Twitter, Amazon, Airbnb, CNN and the New York Times.

It’s no wonder those responsible for enterprise networks, applications, and most of all data are alarmed at the thought of large IoT deployments. They are already dealing with securing their basic infrastructure – servers, networks, phone systems, and clouds – and they’ve done so in part by implementing expensive, complex Identity and Access Management and Privileged Access Management systems to control who has access (or the ability to gain access) to the infrastructure, from which devices, and with what level of access.

The 2017 Verizon Data Breach Digest report had it right when they made this statement about Enterprise IoT:

“Today, the IoT is not confined within an organization’s typical control boundary, as the connected infrastructure has moved far beyond those control lines. These devices exist virtually everywhere, are available anytime, and are on a variety of platforms. This must prompt organizations to think about IoT threat modeling in a manner that incorporates security and privacy by design.”

IoT Devices Often Lack Security Controls

All IoT devices collect data, communicate across networks (mainly the Internet), and in most scenarios have credentials and passwords that protect their configuration or enable networking. IoT-connected devices pose a significant risk to enterprises and governments alike when access security is not in place.

In some cases, legacy industrial control systems have been in place for 15-20 years. Attackers have figured this out and are increasingly exploiting weak security to compromise older equipment, using them for pivot attacks by gaining unauthorized access to network systems.

To secure these and more modern devices, Gartner noted that privileged access management (PAM) is essential for ensuring IoT networks cannot be hacked; but with the increased number of endpoint devices due to IoT, the demands on PAM are becoming much more distributed, complicated and expensive.

How Privileged Access Management Helps Secure IoT

PAM helps to manage the people and the hundreds of thousands of “things” that are connected to a network and is already in place in most large enterprises today.

As noted by Gartner, however, PAM for IoT is substantially different from traditional PAM. Security specialists must treat PAM IoT as a specialized domain and not simply as an extension of traditional PAM because there are huge differences when it comes to securing a variety of IoT devices, over nearly 500 different IoT platforms. Today’s PAM tools and technologies are not good enough.

Blockchain for IoT: Managing Keys and Credentials to Ensure Data Integrity and Compliance

Blockchain solutions, taking advantage of distributed, immutable ledgers, are a better fit for the more complicated privileged access scenarios in which a person – or some other system – needs access to a device or back-end service. This is what complicates access management for IoT. Blockchain security, designed properly, enables enterprises to secure the credentials for all accounts, human and machine, no matter how they’re accessed. Blockchain access management solutions also make logging, audit and compliance more manageable, while helping prevent breaches.

It is important to understand the nuances of how blockchains can be optimized for this role.

For machine identities, IoT platforms connect IoT devices to an app, creating even more complex administration, security and data silos for IT departments to manage. Cognida incorporates machine identities into enterprise administration, enabling machines to be authenticated as part of a unified enterprise security strategy. Given this, machines (systems that communicate directly with IoT devices) can now be granted permission to share access and information with other enterprise systems.

Cognida utilizes Blockchain distributed ledgers to distribute digital identities (human and machine) and security policies (who has access to what) to network connected systems and applications within the enterprise. This establishes ubiquitous awareness between users, mobile devices, machines and applications and enables enterprises to centrally manage access security policies and interactions across distributed assets.

We cannot overstate the importance of the distinctions here, and the opportunity to design systems integrating people, devices, applications, physical and virtual networks and multiple clouds in the most effective, scalable ways.

We will look back on password-based and two-factor authentication methods and realize that, in a more complex, hyper-connected world, we need more robust, unbreakable security approaches.

We will look back at centralized systems and recognize that, while a unified view and control application is critical, it is decentralizing security using blockchain that will make scaling security possible.

The Machine-To-Machine Mandate for Access Management: Five Key Points

  • Quality blockchain access management ensures that if a device is not recognized, it will not be allowed to access the network, system or any information.
  • In the case of a breach or unauthorized access, it will become much easier to identify in real-time and lock systems down.
  • The blockchain ledger creates an undeniable trail recording which system, or human administrator, accessed what, and performed which actions.
  • Any APIs used to connect IoT devices and services and to share data are also mission critical to address and secure, using advanced multi-factor and risk-based authentication.
  • Blockchains can be designed to support Machine-to-Machine, Human-to-Human, and Machine-to-Human applications using the same, unified approach.
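As an added illustration of the first three points above (an unrecognized device is denied before any policy lookup, a policy decides who may access what, and the ledger keeps a tamper-evident trail of every decision), here is a minimal hash-chained access ledger in Python. It is not Cognida’s code: it collapses a distributed ledger into a single in-memory chain, and the identity names, resources and policy entries are constructed for the example.

```python
import hashlib
import json

# Constructed identity registry and policy (assumptions for this example); in the
# page's model both would be distributed to every participant over the ledger.
IDENTITIES = {"plc-01", "admin-alice"}
POLICY = {"plc-01": {"historian:read"},
          "admin-alice": {"historian:read", "historian:write", "plc-01:config"}}
GENESIS = "0" * 64  # previous-hash value for the first entry

def _entry_hash(prev_hash, record):
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()

def request_access(ledger, identity, resource, action, ts):
    """Decide the request and append the decision to the hash-chained ledger.
    An unrecognized identity is denied before any policy lookup."""
    if identity not in IDENTITIES:
        decision = "deny:unknown-identity"
    elif f"{resource}:{action}" in POLICY[identity]:
        decision = "allow"
    else:
        decision = "deny:policy"
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    record = {"ts": ts, "who": identity, "what": f"{resource}:{action}", "decision": decision}
    ledger.append({**record, "prev": prev_hash, "hash": _entry_hash(prev_hash, record)})
    return decision == "allow"

def verify_ledger(ledger):
    """Recompute every link; return the index of the first tampered entry, or -1 if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        record = {k: entry[k] for k in ("ts", "who", "what", "decision")}
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, record):
            return i
        prev_hash = entry["hash"]
    return -1

def demo():
    """Three requests, an integrity check, then a simulated rewrite of history."""
    ledger = []
    results = [request_access(ledger, "plc-01", "historian", "read", 1),
               request_access(ledger, "rogue-device", "historian", "read", 2),
               request_access(ledger, "plc-01", "historian", "write", 3)]
    intact_before = verify_ledger(ledger)
    ledger[1]["who"] = "plc-01"  # someone edits the denied entry to look legitimate
    return results, intact_before, verify_ledger(ledger)
```

Calling `demo()` returns `([True, False, False], -1, 1)`: the rewrite of entry 1 is caught because its stored hash no longer matches the recomputed one.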

How Cognida Helps

Given the ocean of APIs, technologies and emerging communications protocols, integrating blockchain for access management into existing enterprise applications is a huge challenge, and one that Cognida has undertaken to solve, and to solve simply.

Cognida’s Network and platform provide an efficient means of rolling out IoT projects, securing them with the blockchain of each enterprise’s choice, depending on their use case.

Our open source technology enables:

  • Offloading identity management and access security
  • Supporting data access and integration
  • Securing data sharing services
  • Providing edge/cloud server hosting with enterprise administered security and access
  • Enabling blockchain-based distributed identity management and security policy enforcement

To learn more about how Cognida is unifying, simplifying and harmonizing enterprise IoT projects, contact us.

Published September 5th, 2018 | Uncategorized

About the Author:

Michael H.