The term “Shadow IT” is used to describe a scenario where workers buy information technology products and use them in the workplace. Shadow IT is most often associated with cloud services such as file sharing, collaboration tools and other applications where the worker has chosen a product they prefer over the company standard, or perhaps there is no corporate alternative. 

Now there’s another “shadow” rising in business: Shadow IoT. It refers to the use of connected devices, often called the “internet of things” or IoT, in the workplace. In the IoT era, the world is more connected than ever. IoT transformation has resulted in device connections to grow at a rapid pace. ZK Research has forecast that by the end of 2023 there will be 80 billion connected endpoints.

That creates a number of new security risks for enterprise IT, since they don’t have the same level of control over these devices as they do traditional endpoints. Unauthorized shadow IoT devices, even those oriented to consumers such as Alexa devices, Teslas and Peloton bikes, are increasingly being deployed in the enterprise and alarming new data reveals it’s becoming a real problem.

A recent report from the computer security service Ordr Inc. found a multitude of vulnerabilities and risks stemming from connected devices. The IoT cybersecurity company compiled analysis of more than 5 million unmanaged, IoT and “internet of medical things” or IoMT devices in Ordr deployments between June 2019 and June 2020.

Rise of the Machines: Enterprise Of Things Adoption and Risk Report found 20% of enterprises with IoT deployments have payment card industry and virtual local-area network or VLAN compliance violations. Ordr identified deployments where retail IoT devices used the same subnet as tablets, printers and physical security devices. Even more shockingly, 75% of deployments have VLAN violations, and in some cases networks are sharing connections with a number of USB card readers and other devices.

The healthcare industry seems to be most afflicted by shadow IoT. When examining healthcare organizations, Ordr discovered deployments where medical devices were on the same VLAN as nonmedical IoT devices. The vast majority (95%) of healthcare deployments had Amazon Alexa and Echo devices active in their environment in conjunction with hospital surveillance equipment. Health organizations are potentially violating HIPAA privacy laws since voice assistants can eavesdrop and unknowingly record conversations.

Devices with Food and Drug Administration recalls and vulnerabilities are also common in the healthcare industry. Ordr found 86% of healthcare deployments had more than 10 FDA recalls issued for their medical IoT devices, which means they are either defective or present a health risk.

Furthermore, 10% to 19% of medical devices run Windows operating systems that are Windows 7 or older and likely haven’t received necessary security updates. Ordr found several instances where Facebook and YouTube applications were running on MRI and CT machines — likely using outdated operating systems like Windows XP. This makes the devices prime targets for cybercriminals when connected to the public internet.

The report’s findings highlight the importance of recognizing existing security risks associated with IoT deployments. Unmanaged IoT devices increase the attack surface of internal networks and are likely to become targets for malware and data breaches. Connected medical devices are even more vulnerable if they are acquired and managed by someone other than internal security or IT teams. If a Tesla belonging to a doctor can connect to the hospital network — a real incident uncovered by Ordr — it’s easy to imagine another scenario where the unauthorized connection is a malicious one.

It’s not just healthcare organizations that struggle with securing and managing IoT devices. ZK Research data shows 61% of IT teams have no or low confidence in knowing which devices are connected to their network. That’s up from 51% just a few years ago — an indication that security and operations need advanced solutions to tackle the shadow IoT problem.

Given the small software footprint of connected devices, traditional security tools aren’t effective in safeguarding IoT endpoints. Nearly half (49%) of organizations surveyed by ZK Research find themselves guessing or using “Frankensteined” solutions for better visibility, but almost always run into security issues.

That’s why organizations need IoT security solutions that can be integrated with existing security and asset inventory management systems. Such solutions can not only detect connected devices but also share IoT context with key systems, including security information and event management and computerized maintenance management systems.

Even more imperative now in a time of crisis is to ensure organizations prioritize network security. The COVID-19 pandemic has forced IoT transformation across many industries. Everything is hyperconnected, from IP-enabled ventilators and EKG machines in healthcare to wireless temperature and vibration sensors in manufacturing. COVID-19-related malware and ransomware attacks are also on the rise, as cybercriminals take advantage of vulnerable services and unsecured connections.

Organizations with IoT deployments should look for IoT security solutions that resolve issues in a scalable, automated fashion. Last year, Ordr launched a Systems Control Engine or SCE platform that uses artificial intelligence to manage and secure connected endpoints. Ordr’s SCE maps all the network flows and automatically identifies IoT devices using a flow genome. The company maintains a database that contains tens of thousands of IoT endpoints.

Using the flow genome, SCE can recognize even the smallest behavioral change that could lead to a security issue. The platform automatically isolates the device for further investigation, without requiring IT to manually create and implement policies for micro-segmentation. SCE generates the policies for vulnerable devices, which can then be pushed to firewalls, network access control products, switches, and wireless LAN controllers.

With advanced solutions such as Ordr’s SCE, organizations can take important steps to discover devices, understand their behavior, identify risks and generate policies to be better prepared for IoT challenges that lie ahead.

Zeus Kerravala is a principal analyst at ZK Research, a division of Kerravala Consulting. He wrote this article for SiliconANGLE.

Photo: fernando zhiminaicela/Pixabay