Can microsegmentation help IoT security?

The Internet of Things (IoT) promises some big benefits for organizations, such as greater insights about the performance of corporate assets and finished products, improved manufacturing processes, and better customer services. The nagging security issues related to IoT, unfortunately, remain a huge concern for companies and in some cases might be keeping them from moving forward with initiatives. One possible solution to at least some of the security risks of IoT is microsegmentation, a  concept in networking that experts say could help keep IoT environments under control.

With microsegmentation, organizations create secure zones within their data centers and cloud environments that enable them to isolate workloads from each other and secure them individually. In IoT environments, microsegmentation can give companies greater control over the growing amount of lateral communication that occurs between devices, bypassing perimeter-focused security tools.

It might still be early in the game for companies to be using microsegmentation for IoT, but industry watchers see potential for IoT deployments to spur enterprises to adopt microsegmentation for more granular, less complex protection than traditional firewalls can provide.

IoT introduces new security risks

IoT security risks can include any number of threats involving the connected devices themselves, the software that supports IoT, and the networks that make all the connections possible.

As IoT deployments have grown, so have threats to security. There’s been a “dramatic” increase in IoT-related data breaches since 2017, according to a report from research firm Ponemon Institute and risk management services firm The Santa Fe Group. Further complicating the issue, most organizations are not aware of every insecure IoT device or application in their environment or from third party vendors. Ponemon’s research shows that many organizations have no centralized accountability to address or manage IoT risks, and a majority think their data will be breached over the next 24 months.

IoT security risks can be particularly high for industries such as healthcare, because of the high volumes of sensitive information being gathered and shared by devices over networks. Among 232 healthcare organizations surveyed by research firm Vanson Bourne, 82% had experienced an IoT-focused cyber attack in the past year. When asked to identify where the most prominent vulnerabilities exist within healthcare organizations, networks were cited most frequently (50%), followed by mobile devices and accompanying apps (45%), and IoT devices (42%).

READ MORE: Penn State secures building automation, IoT traffic with microsegmentation

How microsegmentation helps IoT security

Microsegmentation is designed to make network security more granular. Other solutions such as next-generation firewalls, virtual local area networks (VLAN), and access control lists (ACL) provide some level of network segmentation. But with microsegmentation, policies are applied to individual workloads in order to provide better protection against attacks. As a result, these tools provide more fine-grained segmentation of traffic than offerings such as VLANs.

What’s helped advance the development of microsegmentation is the emergence of software-defined networks (SDN) and network virtualization. By using software that’s decoupled from network hardware, segmentation is easier to implement than if the software were not decoupled from the underlying hardware.

Because microsegmentation provides greater control over traffic in data centers than perimeter-focused products such as firewalls, it can stop attackers from gaining entry into networks to do damage.

There’s also a management benefit to segmentation. “If you can properly implement microsegmentation, you can add a layer of security between IoT devices and other sensitive resources without poking holes in your firewall,” says Robyn Westervelt, IoT security analyst at research firm IDC. “But the underlying infrastructure must support this approach, and may require the installation of new, modern switches, gateways, etc.”

The concept of breaking networks into segments for security or privacy reasons is not new. Companies have been isolating some of their critical or high-risk resources for some time.

For example, network segmentation is common in the retail sector, Westervelt says. Many merchants are isolating their payment environments from other network traffic to reduce the scope of the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards designed to ensure that companies that accept, process, store, or transmit credit card information maintain a secure environment.

“It is not foolproof, because as we saw in the data breach at retailer Target, attackers can find a way to jump from one system to another,” Westervelt says. “It takes more sophistication and resources to do this; enough to thwart many financially motivated attackers. But it can be done.” 

The details of the Target breach have been muddied over the years, Westervelt says. “Attackers used stolen credentials to gain access to the contractor billing system used by Target to pay out its HVAC provider,” she says. “From there, they gained access to the network and moved laterally to the POS [point of sale] systems.”

Segmentation also can be used to isolate critical application workloads in virtual environments, Westervelt says. “This is what I think of in the context of ‘microsegmentation,’” she says. “In this way you can set tighter controls around the critical workloads and closely monitor access and changes.”

The technology is also considered a best practice in industrial control system environments. “An organization can isolate critical programmable logic controllers assigned to sensitive processes, using industrial firewalls and unidirectional gateways,” Westervelt says.

In IT environments, newly deployed operational technologies (OT) with Internet connectivity can be segmented to prevent an attacker using them as a staging ground or stepping stone to production systems. This is where microsegmentation becomes relevant for IoT.

“These OT technologies include modern building management systems, solar panels, elevator sensors, and physical safety mechanisms including fire suppression systems,” Westervelt says. “This isn’t a huge area of importance at the moment, but we are seeing some large banks and financial services firms mitigate the risks associated with these OT technologies in data center facilities.”

Deploying microsegmentation as part of a broad IoT security strategy might make sense, networking experts say.

“This networking model allows for more granular control of network systems as well as better isolation if a security flaw is exploited,” says Kevin Beaver, an independent information security consultant. “These benefits can not only help improve security visibility and control, but incident response and forensics as well.”

The technology “can be a very effective way of segmenting IoT networks from IT systems,” says Jon Amato, director analyst at research firm Gartner. “The ability of microsegmentation products to create ‘virtual segments’ that separate device types from each other, even across multiple physical locations, is useful.”

It also lines up well with the IoT security guidance from organizations such as the U.S. Department of Homeland Security (DHS), Amato says. DHS in its Strategic Principles for Securing the Internet of Things report recommends that organizations weigh the benefits of connectivity against the risks it introduces:

“IoT consumers, particularly in the industrial context, should deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption,” the report says. “IoT consumers can also help contain the potential threats posed by network connectivity by connecting carefully and deliberately, and weighing the risks of a potential breach or failure of an IoT device against the costs of limiting connectivity to the Internet.”

Microsegmentation fits with this suggestion quite well, Amato says. “It’s not really enough to just create a single IoT segment, which I refer to as the IoT swamp, but also segment those devices off from each other,” he says. “And, the lack of host-based controls for most IoT devices leaves you to externalized solutions like microsegmentation to accomplish that.”

Microsegmentation for IoT security slow to take off

Despite the potential advantages, to date there does not appear to be widespread adoption of microsegmentation for IoT security, Amato says.

“What I’m seeing is that only the organizations that already have a mature IoT security program are building upon that by implementing microsegmentation, or extending their existing program into the IoT realm,” Amato says.

For most organizations, “simply getting the IT and IoT separated from each other is the best they can do right now,” Amato says. “And sometimes the best you can do has to be good enough. It’s useful, and I’m hearing a lot of organizations talking about it. But far fewer [have actually] done microsegmentation for IoT after looking into the level of effort involved in making it all work.”

It’s important for organizations building an IoT infrastructure to consider whether they really need microsegmentation for IoT security, Beaver says.

“You have to determine your current risk level and business workflows,” Beaver says. “With every new technology or control comes unintended consequences. Will the additional complexities associated with a zero-trust model impact your security program in ways that could negate any perceived benefits?”

A good practice is to thoroughly understand how IoT will affect all the networks in the enterprise, in order to determine the best approach ensuring secure transmissions of data.

“Develop security standards and policies that are not just enforceable, but are actually enforced—IoT included,” Beaver says. “Be smart about your controls. If you approach it with a risk-based perspective and vow to minimize network complexity, you may just be able to get and keep your IoT environment under control.”