Some companies see these gaps as an opportunity, he adds, like Palo Alto Networks getting FedRAMP authorization for IoT. MSPs and systems integrators, meanwhile, have plenty of work ahead, Kirstein says. IP cameras were some of the earliest popular IoT devices, so the number of legacy cameras in use that need upgrading or replacing may create a wave of MSP service requests. "Legacy devices need to be isolated, since they often can't be secured at the endpoint." Different customers will need different levels of network separation or configuration.
Keeping up with new compliance guidelines for IoT will be tricky, since the low-cost, low-margin devices don't get much post-sales support from small vendors in the space. In addition, IoT is becoming ubiquitous. Besides the hospital use cases mentioned earlier, office buildings are adding IoT to conference rooms, along with building controls such as HVAC and elevators. Kirstein adds, "IoT for operation in manufacturing is often overlooked as critical infrastructure."
Kirstein recommends using U.K.-based IoTSecurityFoundation.org as a resource. The NIST regulations from the Cybersecurity Improvement Act will roll out slowly, with plenty of attention paid to each iteration.
In the meantime, Kirstein advises monitoring IoT devices for compliance purposes with the same rigor you apply to other network devices, but remember that device resources will limit security functions, and "patching and upgrading may not be viable."