It is estimated that there are more than 18 billion connected Internet of Things (IoT) devices operating in the world today – and that number is expected to approach 30 billion in just the next five years. Clearly, securing these devices is important.

The Risks of an Expanding Attack Surface

Critical infrastructure services, like water, energy, and transportation, rely on operational technology (OT) to control and manage the physical equipment and processes. The proliferation of IoT devices to provide “smart technology” at the edge leads to more interconnected industrial environments and allows for remote monitoring and enhanced process optimization. However, it also links the security of these IoT devices to national security.

A Dynamic Defense with Zero Trust

While we can’t possibly harden every single IoT device, we can implement zero trust approaches to help address the issue. Zero trust is a security model that grants no automatic trust for any user, device or application operating on a network. By utilizing zero trust capabilities such as behavior analytics, security teams have an interesting and impactful way of assessing what “normal” looks like when it comes to IoT devices, which better enables them to spot atypical behaviors indicative of a breach.

Specifically, teams can monitor the behavior patterns of an IoT device or other piece of operational technology rather than just the device’s identity or qualities. For example, if a temperature sensor meant to maintain optimal refrigeration within a biomedical research lab consistently reads 70 degrees Fahrenheit and then jumps to 120 degrees within 5 minutes and stays there, you can assume the building is likely on fire.

But what if it’s bouncing back and forth? It could be a bad sensor, it could mean the device is compromised, or something else altogether. Either way, the device is now flagged as untrusted, and teams can use that to address the sensor, or to digitize its monitoring and set automated guardrails that dynamically adjust its trust level. You can’t do this with a network-based approach. Zero trust lets you treat each individual sensor not as a one-off but as a potential indicator of larger problems.

This is important for a number of reasons. Oftentimes, IoT devices are deployed and managed by non-IT staff who may not be thinking about complex IT vulnerabilities from nation state actors. Some of these devices may also be too old or too small to be protected by typical endpoint hardening. You may recall that about 10 years ago, a major retailer was hacked via its HVAC system. The system was connected to the rest of the IT network, and that connection allowed bad actors to reach many parts of the network – even the point-of-sale systems, where they were able to intercept debit card transactions and harvest customers’ banking information.

Another reason zero trust is especially valuable for mitigating these risks is that it allows IT leaders to change rules on the fly. If atypical behavior is observed, access controls can be shifted automatically, in real time.
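The two ideas above (baselining a sensor’s behavior rather than its identity, and changing its access automatically when the behavior turns atypical) can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from any product or vendor it discusses. It assumes a single temperature sensor with a known steady-state baseline, and the thresholds, the three behavior states, and the policy names (`allow`, `alert`, `quarantine`) are constructed for the example. A sustained jump to 120 degrees is treated as a plausible physical event that needs an operator, while a reading that keeps flipping between normal and abnormal is treated as a sensor that can no longer be trusted and is moved to a restrictive policy until someone investigates.

```python
from collections import deque


class SensorTrustMonitor:
    """Derive a trust level and access policy from how a sensor behaves over time.

    Constructed example: readings are degrees Fahrenheit, thresholds are
    illustrative assumptions, not values from any real deployment.
    """

    def __init__(self, baseline, tolerance=10.0, sustain_count=3,
                 flip_limit=4, window=8):
        self.baseline = baseline            # expected steady-state reading
        self.tolerance = tolerance          # deviation beyond which a reading is abnormal
        self.sustain_count = sustain_count  # consecutive abnormal readings => sustained jump
        self.flip_limit = flip_limit        # normal/abnormal flips in window => oscillating
        self.recent = deque(maxlen=window)  # rolling record of abnormal flags
        self.trust = "trusted"
        self.policy = "allow"

    def _classify(self, reading):
        """Label the latest reading as normal, abnormal, sustained_jump or oscillating."""
        abnormal = abs(reading - self.baseline) > self.tolerance
        self.recent.append(abnormal)
        flags = list(self.recent)
        # Count how many times the abnormal flag changed within the window.
        flips = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
        if flips >= self.flip_limit:
            return "oscillating"
        tail = flags[-self.sustain_count:]
        if len(tail) == self.sustain_count and all(tail):
            return "sustained_jump"
        return "abnormal" if abnormal else "normal"

    def observe(self, reading):
        """Process one reading and return (state, trust, policy)."""
        state = self._classify(reading)
        if state == "oscillating":
            # Faulty or compromised sensor: stop trusting it and restrict what it can
            # reach. Trust stays revoked until reset() is called after investigation.
            self.trust, self.policy = "untrusted", "quarantine"
        elif state == "sustained_jump":
            # Consistent physical change (the room really is hot): the device behaves
            # plausibly, but the reading itself needs an operator's attention.
            if self.trust != "untrusted":
                self.policy = "alert"
        elif state == "normal" and self.trust != "untrusted":
            self.policy = "allow"
        return state, self.trust, self.policy

    def reset(self):
        """Manual re-trust after a human has checked the device."""
        self.recent.clear()
        self.trust, self.policy = "trusted", "allow"


def run_scenario(readings, baseline=70.0):
    """Feed a constructed series of readings and return (states, final trust, final policy)."""
    monitor = SensorTrustMonitor(baseline)
    states = [monitor.observe(r)[0] for r in readings]
    return states, monitor.trust, monitor.policy


if __name__ == "__main__":
    # Constructed scenarios mirroring the article: a sustained jump and a flapping sensor.
    print(run_scenario([70, 70, 70, 70, 120, 120, 120]))
    print(run_scenario([70, 120, 70, 120, 70, 70, 70]))
```

Note the design choice: a sustained jump lowers nothing about the device’s trust, because the sensor is behaving consistently, whereas oscillation revokes trust and keeps it revoked even when later readings look normal. That stickiness is deliberate; a device that was flagged as untrusted should be cleared by a person, not by the device settling down on its own.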

Securing the Future of IoT and OT

The key takeaway is that, with IoT or OT devices, it’s not enough to focus on endpoints. These devices may not be secure by design, are difficult to manage, and in some cases endpoint protection cannot be implemented on them at all. An architectural solution like zero trust can help reduce the risk to the overall environment.

With a rapidly growing attack surface, including the increasing prevalence of connected IoT and OT devices, national security and critical infrastructure teams will need to be more vigilant than ever. The same creativity that we see in other cybersecurity domains is also present with IoT and OT devices. For example, it was recently reported that a hacker group used botnets to scan for vulnerable, exposed devices, trying common admin passwords to get in and cause disruptions.

To address these challenges, agencies should integrate zero trust principles, including continuous monitoring and least privilege access, while leveraging AI-driven tools to identify anomalous behavior in real-time.

All of these measures underscore the importance of leveraging zero trust across the entirety of the enterprise to find, prevent and mitigate the impacts of attacks – wherever they may originate.