IoT Broke the Network Perimeter: Audit Is Still Looking for the Fence

There is something quietly outdated about how many IT audits still “walk the network”. They trace boundaries, review firewall rules, validate segmentation, and confirm that traffic flows are controlled. The exercise assumes that somewhere in the architecture, a fence still exists — and that meaningful security assurance comes from checking its strength.

IoT makes that exercise increasingly symbolic.

The problem is not that organisations have added more devices. It is that they have introduced entities that do not behave like traditional IT assets, yet audits continue to assess them as if they do. Sensors, cameras, smart meters, medical devices, and embedded controllers operate continuously, authenticate weakly, and often communicate directly with cloud services outside organisational visibility. They are present everywhere and owned by no one in particular.

Audit, meanwhile, still looks for the fence.

From “Protected Zones” to Moving Pieces

Traditional audit logic is spatial. Systems are either inside or outside the trusted zone. Controls are evaluated based on placement: what sits behind the firewall, what is exposed, what is segmented. This worked reasonably well when assets were static and ownership was clear.

IoT introduces a different reality. Devices move. They sleep. They reconnect through different paths. They are commissioned by vendors, facilities teams, clinicians, or third parties. In many Sri Lankan organisations, IoT deployments grow opportunistically, driven by cost, convenience, or operational need rather than architectural intent.

The result is not a broken perimeter, but a meaningless one.

Audits that continue to validate perimeter controls in these environments are not wrong; they are simply asking questions that no longer determine risk.

The Audit Blind Spot: Control Without Context

One of the most uncomfortable truths about IoT assurance is that control presence no longer guarantees control relevance. A firewall rule may be correct. A network zone may be defined. A vulnerability scan may show low exposure. And yet, the environment can still be dangerously fragile.

This is because IoT risk rarely concentrates at the edge. It lives in trust assumptions:

  • Devices trusted because they are “internal”

  • Firmware trusted because it is vendor-supplied

  • Data trusted because it originates from “physical sensors”

  • Cloud connections trusted because they are encrypted

Audit evidence often validates these assumptions indirectly without ever challenging them.

In healthcare environments, for example, devices are frequently excluded from aggressive scanning or monitoring because availability is prioritised. In smart buildings, management interfaces are assumed to be low risk because they do not store “business data”. These are not technical oversights; they are governance choices that audit rarely interrogates deeply.

A Different Way to Visualise the Problem


The risk is not where traffic crosses a line — it is how trust is established, reused, and rarely revoked across dozens or hundreds of low-visibility components.

Why Zero Trust Is Mentioned — and Often Missed

Zero Trust is frequently cited as the answer to IoT risk, but in audit contexts it is often reduced to architecture diagrams or identity tooling. The deeper implication is more challenging: trust must be continuously justified, not assumed.

For audit, this means a shift away from static control validation toward questions such as:

  • How is device identity established and verified over time?

  • What happens when a device behaves unexpectedly?

  • How quickly can trust be withdrawn without breaking operations?

These questions are harder to evidence. They do not fit neatly into traditional working papers. But they align far more closely with how IoT environments actually fail.
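The three audit questions above, and the four trust assumptions listed earlier, can be turned into something auditable only if trust is evaluated per event and the evaluation leaves evidence. The following is an added example, not code from the original post: a toy policy engine in which identity is re-proven over time (attestation, certificate validity), behaviour is compared to a baseline of expected peers rather than to "internal" placement, and trust is withdrawn automatically once the score falls below a threshold. Every device name, peer, threshold and event here is constructed for illustration; the scoring weights are assumptions, not a standard.

```python
"""Continuous device-trust evaluation for a small IoT fleet (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ATTEST_MAX_AGE = timedelta(hours=24)   # assumed policy: identity must be re-proven at least daily
REVOKE_BELOW = 0.3                     # assumed policy: trust score below which access is withdrawn


@dataclass
class Device:
    device_id: str
    cert_expires: datetime             # identity anchor issued at commissioning
    last_attested: datetime            # last time the device re-proved its identity
    expected_peers: frozenset          # behavioural baseline: hosts it is meant to talk to
    trust: float = 1.0
    revoked: bool = False
    evidence: list = field(default_factory=list)

    def note(self, ts, reason, delta):
        """Record an auditable entry: when, why, and what the trust score became."""
        self.trust = min(1.0, max(0.0, self.trust + delta))
        self.evidence.append((ts, reason, round(self.trust, 2)))


def evaluate(dev, now):
    """Q3: trust is withdrawn as soon as identity or behaviour no longer justifies it."""
    if now > dev.cert_expires:
        dev.note(now, "certificate expired", -1.0)
    elif now - dev.last_attested > ATTEST_MAX_AGE:
        dev.note(now, "attestation stale", -0.3)
    if dev.trust < REVOKE_BELOW and not dev.revoked:
        dev.revoked = True
        dev.note(now, "trust withdrawn", 0.0)
    return "revoke" if dev.revoked else "allow"


def apply_event(dev, ts, kind, detail):
    """Q1/Q2: identity is re-verified and behaviour is checked against baseline on every event."""
    if dev.revoked:
        dev.note(ts, f"{kind} ignored: device revoked", 0.0)
        return "revoke"
    if kind == "attest":
        dev.last_attested = ts
        dev.note(ts, "attestation ok", +0.2)
    elif kind == "flow":
        if detail in dev.expected_peers:
            dev.note(ts, f"flow to {detail}: expected", 0.0)
        else:
            # "Internal" placement or an encrypted channel does not make this flow trusted.
            dev.note(ts, f"flow to {detail}: outside baseline", -0.4)
    return evaluate(dev, ts)


def run_fleet(devices, events):
    """Replay a time-ordered event stream and return each device's final state and evidence."""
    by_id = {d.device_id: d for d in devices}
    for ts, device_id, kind, detail in sorted(events, key=lambda e: e[0]):
        apply_event(by_id[device_id], ts, kind, detail)
    return {d.device_id: {"trust": round(d.trust, 2), "revoked": d.revoked,
                          "evidence": d.evidence} for d in devices}


def time_to_withdraw(state):
    """Q3 evidence: delay between the first adverse finding and withdrawal (None if never withdrawn)."""
    adverse = [ts for ts, reason, _ in state["evidence"]
               if any(k in reason for k in ("outside baseline", "expired", "stale"))]
    withdrawn = [ts for ts, reason, _ in state["evidence"] if reason == "trust withdrawn"]
    if not adverse or not withdrawn:
        return None
    return withdrawn[0] - adverse[0]


def sample_run():
    """Constructed fleet and event log (not real devices or traffic) exercising the three questions."""
    t0 = datetime(2024, 1, 1, 8, 0)
    h = timedelta(hours=1)
    devices = [
        Device("cam-01", t0 + 365 * 24 * h, t0, frozenset({"nvr.local"})),
        Device("sensor-02", t0 + 365 * 24 * h, t0, frozenset({"broker.local"})),
        Device("meter-03", t0 + 2 * h, t0, frozenset({"headend.local"})),  # certificate about to expire
    ]
    events = [
        (t0 + 1 * h, "cam-01", "flow", "nvr.local"),        # expected peer
        (t0 + 2 * h, "cam-01", "flow", "203.0.113.7"),      # outside baseline
        (t0 + 3 * h, "cam-01", "flow", "203.0.113.7"),      # again: score crosses the threshold
        (t0 + 4 * h, "cam-01", "flow", "nvr.local"),        # ignored: trust already withdrawn
        (t0 + 1 * h, "sensor-02", "flow", "broker.local"),
        (t0 + 5 * h, "sensor-02", "attest", None),          # identity re-proven over time
        (t0 + 1 * h, "meter-03", "flow", "headend.local"),
        (t0 + 3 * h, "meter-03", "flow", "headend.local"),  # behaviour fine, but certificate expired
    ]
    return run_fleet(devices, events)


if __name__ == "__main__":
    for dev_id, state in sample_run().items():
        print(dev_id, state["trust"], "revoked" if state["revoked"] else "allowed",
              "time-to-withdraw:", time_to_withdraw(state))
```

The point for the working papers is the evidence list, not the score: for each device an auditor can read off when identity was last verified, which behaviours fell outside the baseline, and how long trust persisted after the first adverse finding. A fleet where that last number is large, or where the list is empty because nothing is ever evaluated, is exactly the "control presence without control relevance" the article describes.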

Why This Matters for IT Audit Practice

IoT exposes a growing gap between what audit can comfortably verify and what actually determines security outcomes. As long as audits continue to prioritise boundaries over behaviours, they will produce confidence without resilience.

In Sri Lanka’s rapidly digitising sectors (healthcare, utilities, logistics, government services), this gap is especially dangerous. Assurance that reassures regulators but ignores real-world threat paths does not reduce risk; it delays its discovery.

The fence is gone. The map has changed.
Audit needs to stop searching for borders and start understanding relationships.

