We are currently experiencing the single largest explosion of network-enabled devices that we’ve ever witnessed. Many of these devices are running on the same networks as critical business solutions and may even be connecting directly to critical assets or delivering a critical capability themselves.
While these devices have a processor, an operating system, run software required to perform a function and communicate on networks, that is generally where the similarities with traditional IT devices (laptops, servers, and mobile devices) end. The devices that I’m referring to are categorized by many names, including unmanaged, unagentable, IoT, and OT.
Traditional solutions long used to assess and manage risks associated with IT devices fail to deliver the same value when facing this new form of device. These devices are typically walled-off black boxes, designed with a real-time OS to deliver a specific outcome (versus a common IT OS that can be used to deliver many outcomes). They will not allow for the installation of other software, and rarely can configuration settings be adjusted in support of security. Even patch management is more complex than ever before: hundreds to thousands of unique devices span a nearly equally long list of unique manufacturers, most of which are running unique platforms with distinct management requirements. If patches are ever released, applying them is challenging at best and often involves proprietary tools that won’t work at scale.
Much of the rapid growth in the last couple of years is tied directly to digital transformation efforts within our organizations and among the providers that serve our organizations’ needs. The need to make rapid business decisions and to deliver solutions that meet the needs of customers, deliver continuous uninterrupted service, and rapidly evolve toward customers’ highest priorities has resulted in the need to integrate IT and OT through IoT.
New or enhanced experiences are being delivered to customers through modern technology that is ultimately being integrated with both newly developed products and decades-old technology running in our data centers, shop floors, retail facilities, medical operations, etc. As enterprises look to reduce operational expenses in support of sustained innovation and increased profitability into the future, devices ranging from predictive maintenance sensors and contact tracing devices to staff replacement devices are being implemented at an increasing rate as well.
In terms of the latter, industry analysts are estimating that job automation and orchestration efforts will be accelerated as a result of the long-term enterprise response to the current health crisis. Enterprises are expected to assess the greatest points of failure in their supply chains and operations, where staff are unable to perform the work safely, and to accelerate automation plans accordingly. In many industries and sectors, this will include the deployment and integration of even more unagentable devices.
It’s also worth noting that in 2020, progress towards regulations that define minimum security standards for manufactured devices remains very slow. When combined with device manufacturer economics optimized for cost and the fact that the market is demanding rapid outcomes over secure assets, the end result is that most devices continue to be manufactured without security in mind.
Managing this risk while in my prior role as a Global CISO at a Fortune 100 organization was a top priority for me. An investigation into an event a few years back led to the realization that nearly every new piece of equipment entering our facilities was now network-connected. Whether it was strategically beneficial to our operations or to one of our service providers, it was network-enabled, likely connected, and potentially even expecting to communicate with Internet services. It was everything.
Attempts to use our existing stack of security capabilities, designed with traditional IT devices and assets in mind, were failures in all cases. These solutions lacked the context required to understand these devices and ultimately caused more work than the problems they solved. Segmentation as a lone strategy was quickly determined to be a no-go as well. We would only be able to segment the devices that we were aware of (a subset of all such devices) and those that were not required to interact with other business assets (an even smaller list).
This ultimately led to our assessment of products developed from the ground up with both IT and unagentable devices in mind: products that operate without an agent, continuously, and passively, so as to take advantage of existing infrastructure and to avoid impacting business-critical devices. Once we assessed these modern offerings in our environment and compared them to our current capabilities, we knew that we needed to grow our capabilities to manage IoT risks with a platform developed around the complete modern environment.
Though the risk may be high and growing, the good news is that proven solutions are available, and many have been designed to be deployed rapidly and remotely. As we look to safeguard and enable accelerated digital transformation efforts, while also helping to maintain critical business operations in this shifting landscape, there’s no better time than now to start developing this strategy.