Domino's Takes a Methodical Approach to IoT

The success of Domino's Flex IoT project can be attributed in large part to the security best practices it followed.

Deral Heiland, Principal Security Researcher (IoT), Rapid7

August 9, 2022

The Internet of Things (IoT) has created a great deal of opportunity for the enterprise, and equal possibility for risk. We have witnessed vulnerable IoT technologies leak personal data, fall victim to cyberattacks, and face exploitation in dozens of ways, in "things" ranging from medical devices to smart hot tubs. Security must be at the foundation of every plan, and for organizations to reap the full benefits of IoT technology, they must incorporate security from acquisition to deployment.

I recently had the opportunity to partner with Domino’s Pizza and evaluate firsthand the security implications at work around a large-scale enterprise IoT project — the company's IoT-based ecosystem solution, Flex. Flex is a platform comprising various small services that allow stores to leverage diverse Web experiences and digital products on different kiosk screens.

Through the assessment and review of Flex, Domino’s stakeholders and I were able to build a comprehensive understanding of security vulnerabilities and best practices for implementing IoT in the enterprise environment. Here’s what we found together — and what organizations implementing IoT should consider every step of the way.

Security Considerations for the Acquisition Phase

Making security a priority in an IoT acquisition plan helps prevent problems down the road, but security is often left out or ineffectively executed during this phase.

An organization's security team is critical to successful planning and implementation of a large-scale IoT project. The security team's role is to help define the security expectations and requirements for IoT technology to ensure that they match the organization's security policies. Introducing new IoT technologies may highlight gaps in governance, so having the security team involved paves the way for installing new security protocols and controls.

Organizations' enterprise-level IoT initiatives, including Domino's, often require external vendor services. Before entering into such a relationship, organizations must conduct a vendor risk assessment because vendors often need direct access to an organization's network or VPN access to manage resources or corporate data. The risk assessment process should extend from conception to deployment, with regular re-evaluations of each vendor and its products to ensure they continue meeting base requirements and security expectations. This will help protect the organizations implementing IoT as well as the supply chain.

Security Considerations for the Design and Implementation Phases

When it comes to implementation and support of a new IoT solution, it may be necessary to make modifications. An important first step is to determine how the new IoT solution maps to current security control processes and compliance needs. For example, Domino's security control solution uses NIST SP 800-53 and Center for Internet Security (CIS) Controls. CIS provides a companion manual that can help with the mapping process and is handy for any organization deploying an enterprise IoT project.

External services can also help design IoT technology at the highest security level. Domino’s partnered with expert services from Google for its Flex solution to ensure that baseline configuration met industry best practices and mapped to internal security policies.

Security Considerations for the Deployment and Support Phases

When it is time to deploy, it's necessary to evaluate the entire product ecosystem: firewalls, routers, embedded hardware, back-end server systems, cloud API and Web services, and more. The security of any component within the ecosystem can ultimately affect the security of all other parts — such is the nature of IoT. All security testing needs to be holistic.

Following deployment is the support phase, where the solution should continue to operate and meet business needs, using management and support infrastructure. Ideally, this is how organizations can avoid outages and other security incidents that lead to loss of services or data or that impact production.

The key to this support plan is patch management, which many organizations overlook with embedded appliances. It's important to develop a patch management cycle on a regular cadence, with QA testing and changes piloted to a small production test group before official updates are rolled out. Enterprises should also consider integrating new IoT technology with logging and monitoring processes. Tackling security through these channels should allow for better detection of, and action on, security incidents.

The Value in Planning Ahead

There is a great deal of complexity and difficulty when tackling a project as all-encompassing as Domino’s IoT implementation, but with a bit of foresight comes success.

With threat actors taking advantage of any vulnerabilities — across a range of industries — it’s critical to follow holistic security processes before adding any technology to an enterprise ecosystem. While there is no one-size-fits-all strategy when designing, implementing, and deploying new solutions within the enterprise, best practices exist and should be considered. Domino’s successful Flex project is a testament to the value in planning — carefully — ahead.

About the Author(s)

Deral Heiland

Principal Security Researcher (IoT), Rapid7

Deral Heiland, CISSP, serves as a Principal Security Researcher (IoT) for Rapid7. Heiland has more than 25 years of experience in the Information Technology field, and over the last 15+ years his career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. He has conducted security research on numerous technical subjects, releasing white papers and security advisories, and presenting the information at numerous international security conferences including Black Hat, DEF CON, ShmooCon, DerbyCon, RSAC, and Hack In Paris. Heiland has been interviewed and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technical Review, SC Magazine, and The Register.
