Five steps to unifying your IT and IoT security strategy

You’re only as strong as your weakest link: vulnerable connected devices. How can cybersecurity leaders strengthen this in-built frailty?

In partnership with Microsoft

Successful cyber security depends on many components working together to make sense of the thousands of possible security incidents that hit an organisation's infrastructure. This is especially true of IoT security.

In recent years, cyber criminals have concentrated attacks on enterprise IoT devices as well as targeting operational technology (OT) devices in industrial systems and critical infrastructure (such as ICS/SCADA).

Cyber criminals use IoT and OT devices to delve further into networks, threaten safety and cause disruption, and Mirai remains one of the clearest examples. One of the largest DDoS attacks ever recorded was launched against the DNS provider Dyn by an IoT botnet built with the Mirai malware. Once a device was infected, the malware scanned networks for other vulnerable IoT devices, logged in to them using known default usernames and passwords, and infected them in turn.

According to a SANS survey, IT security teams lack visibility into the security and resiliency of their OT networks, with most respondents (59 percent) saying they are only “somewhat confident” in their organisation’s ability to secure their industrial IoT devices.

These incidents underscore the need for organisations to secure the IoT and OT infrastructure, particularly as they become more interconnected than ever, thanks to the rise of hybrid working.

1 Integrate and define IoT/OT security events in your SIEM
Integrate IoT/OT alerts with the organisation's SIEM. With certain products, only a short period of tuning is needed so that just the appropriate alerts are forwarded to the SIEM, which avoids alert fatigue.

Once IoT/OT alerts are integrated into the SIEM, agree which threats need monitoring. Base this on the threat landscape, industry needs and compliance obligations, among other more specific factors. Once you have defined these, your organisation will know what counts as an incident within the SOC: an unauthorised change to OT equipment, for instance, such as an unauthorised change to Programmable Logic Controller (PLC) code.

Once you know which threats to look out for, construct detection rules and severity levels in the SIEM. This prevents superfluous noise by flagging only significant incidents: an unauthorised change to PLC ladder logic code should raise a high-severity alert if it is made from an unauthorised device or out of hours, for example.

2 Plan the resolution: clarity is key
Once you have created rules, you need to know how alerts will be dealt with and by whom. Eliminate uncertainty between the IT security and IoT/OT teams: who is responsible for investigating abnormal events? Organise workflows that allow tier one analysts to handle most IoT/OT incidents but bring in specialised IoT/OT security experts to investigate when needed.

So, if PLC code has changed, an analyst checks whether the programming device is an authorised engineering workstation and whether the change happened during normal hours or a scheduled change window. If not, the workflow ensures that the rogue workstation is blocked or disconnected from the network.
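The detection rule from step 1 and the tier one workflow from step 2, written out as an added Python example (this is not code from the article or from any vendor product). The workstation hostnames, business hours, change window and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed reference data the SOC would maintain: authorised engineering
# workstations (hypothetical hostnames), normal hours and scheduled change windows.
AUTHORISED_WORKSTATIONS = {"eng-ws-01", "eng-ws-02"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # weekdays only, see in_business_hours
SCHEDULED_CHANGE_WINDOWS = [(datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 2, 0))]

@dataclass
class PlcChangeEvent:
    """Normalised IoT/OT alert for a PLC program change, as forwarded to the SIEM."""
    timestamp: datetime
    source_host: str   # device that pushed the new ladder logic
    plc: str           # affected controller

def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() < 5 and start <= ts.time() < end

def in_change_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in SCHEDULED_CHANGE_WINDOWS)

def classify(event: PlcChangeEvent) -> tuple[str, list[str]]:
    """SIEM rule: high severity if the programming device is not an authorised
    workstation or the change is outside normal hours and change windows."""
    reasons = []
    if event.source_host not in AUTHORISED_WORKSTATIONS:
        reasons.append("unauthorised programming device")
    if not (in_business_hours(event.timestamp) or in_change_window(event.timestamp)):
        reasons.append("outside normal hours and scheduled change windows")
    return ("high" if reasons else "informational"), reasons

def tier_one_action(event: PlcChangeEvent) -> str:
    """Tier one workflow: isolate a rogue workstation, escalate an off-hours
    change from a known workstation to the OT security team, else just log."""
    severity, reasons = classify(event)
    if severity == "informational":
        return "log"
    if "unauthorised programming device" in reasons:
        return f"isolate {event.source_host}"
    return "escalate to OT security engineer"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    PlcChangeEvent(datetime(2024, 3, 4, 10, 15), "eng-ws-01", "plc-line3"),  # normal
    PlcChangeEvent(datetime(2024, 3, 4, 23, 40), "laptop-x7", "plc-line3"),  # rogue, late
    PlcChangeEvent(datetime(2024, 3, 2, 23, 30), "eng-ws-02", "plc-line1"),  # in window
    PlcChangeEvent(datetime(2024, 3, 5, 3, 0), "eng-ws-02", "plc-line1"),    # off hours
]
```

The third sample shows why the scheduled change window matters: a Saturday night upload from a known workstation stays informational instead of paging an analyst.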

3 Training and sharing intelligence
Having the right knowledge of how IoT/OT environments work is critical for SOC analysts. It lets them hold more productive conversations with IoT/OT personnel when resolving incidents, and deploy the relevant remedial actions within those environments without harming operations.

4 Rising to the challenge of securing IoT/OT endpoints
CISOs are increasingly accountable not only for IT but also IoT/OT security. While IoT/OT staff’s primary objective is to maintain their control network’s availability and integrity, IT security teams’ main task is to maintain the confidentiality of sensitive data.

The key to success is to align IT and IoT/OT teams so they collaborate effectively and have well-defined roles and responsibilities. This means that organisations need to strengthen IoT/OT security and ensure that the right policies and procedures are in place to help in monitoring and securing IoT/OT environments.

An example of this is implementing a Zero Trust strategy to secure corporate and customer data. The implementation focuses on strong user identity, device health verification, validation of app health, and least-privilege access to resources and services.

5 Use the right tools at the right time
The technologies required to create a functioning SIEM need to be agile, robust, responsive and trustworthy.

Microsoft Defender for IoT, formerly Azure Defender for IoT, is part of Microsoft's wider SIEM and XDR offering, which can deliver security for all endpoint types, applications, identities and more. It offers the same device discovery, vulnerability management, threat detection, response and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices.

Using Microsoft Defender for IoT enables organisations to gain visibility and insights to address complex multi-stage attacks that specifically take advantage of IoT and OT devices.