3 Rules for Safely Navigating the Internet of Things
Prepare yourselves because the Internet of Things isn’t going away.
IoT will continue to be a hot topic in the months — even years — ahead, as devices ranging from light bulbs to door locks arrive in offices fully network-enabled. Meanwhile, more typical network-ready devices, such as printers and notebooks, now reach out to the cloud to provide value-added services. To be clear: All of these devices present extreme security risks when they live and play together on existing networks.
Many companies manufacturing IoT devices have little experience (and sometimes, little interest) in security. This is especially true for devices aimed at the home market, where time to market and lowest cost edge out security features. Trouble is, businesses use many of these same products — coffeemakers, refrigerators and the aforementioned light bulbs, for example.
A chief challenge IT faces in securing IoT devices is that these items often have limited CPU, memory and storage, which restricts the ability to update firmware or add security features. Many of these devices also begin their lifecycle with old (and vulnerable) open-source software and so can never receive a firmware update, even if significant security problems arise or are discovered.
All these factors make IoT devices desirable targets for hackers and therefore have the potential for creating significant risk to organizations.
But it is possible to avoid introducing security problems if the IT team follows three simple rules: segregate, control and monitor. Now, let’s walk through what each rule entails.
1. Segregate Untrusted Devices
Start by keeping IoT devices off trusted corporate networks. Treat these devices about the same as guest users: untrusted and generally blocked from any access to enterprise resources.
Most devices that have no reason to connect to enterprise networks — such as alarm systems, energy management, environmental controls and the like — are easy to segregate using virtual LAN technology relying on managed switches or multiple service set identifiers on existing wireless networks.
You will want to keep IoT devices away not only from corporate resources but also from other guest users. For networks with a large number of devices, it would be wise to further segregate specific device types into their own wired or wireless networks too. That way, you will lessen the chance that a hacked device can further attack other IoT devices.
Network managers should also be concerned about traditional IT devices, such as networked printers and storage area network switches, which have not been thought of as significant risks.
This perception is misguided for two reasons: First, many of these devices are becoming intelligent and powerful enough to be significant hacking targets. Second, patching and updating firmware on devices such as printers falls pretty low on the to-do list for most IT professionals. Segregating existing devices of this type is harder, but just as important.
2. Control Devices' Network Access
Once the IT team has segregated IoT devices onto their own wired and wireless networks, you will want to install access control devices (usually firewalls) so that you can fully manage traffic in and out.
IoT devices do not need inbound Internet connections, so traditional or next-generation firewall technology is overkill for this type of access control. But using existing firewalls provides advantages: All access controls and logging will reside together, and the technology will constantly be updated and managed. Because IoT devices don’t use much bandwidth, they don’t stress existing infrastructure at all and are unlikely to affect performance.
Occasionally, existing firewalls will be located in the wrong place on the network, or other organizational constraints will make them ill-suited for IoT use. In that case, network managers can use Layer-3 access controls in high-end managed switches, recently retired firewalls that have low performance or even “build your own” firewalls based on open-source tools.
Whatever device you choose, the desired tactic is to control every single connection, both inbound and outbound. Any outbound connections to software update servers or cloud management tools must be entered in the firewall — and all other traffic forbidden. Inbound connections from the Internet should never be allowed. If a device seems to need them, it’s not right for the job. Any communications from your enterprise networks, typically for management or monitoring, should also be controlled based on destination IP addresses and port numbers.
Additionally, you will want control to extend to addressing, which should be based on Dynamic Host Configuration Protocol. IoT devices usually start with dynamic addresses, but once the device is up and running, a static address assigned via the DHCP server will simplify logging, firewall rule management and problem tracking.
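To make the control rule concrete, here is an added example (not code from the original article) that renders the default-deny firewall policy and the matching DHCP reservations from a small device inventory. The subnets, interface name, MAC addresses and update-server addresses are constructed placeholders; the output uses nftables and dnsmasq syntax. It shows why the reserved DHCP addresses matter: every firewall rule and every log line refers to a device by an address that never changes.

```python
"""Render firewall rules and DHCP reservations for a segregated IoT VLAN.

Added example, not code from the original article. The subnets, interface
name, MAC addresses and update-server addresses below are constructed
placeholders; the output targets nftables and dnsmasq syntax.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Tuple


@dataclass
class IoTDevice:
    name: str
    mac: str
    ip: str  # address the DHCP server always hands to this MAC
    # (destination, protocol, port) triples the device may reach outbound,
    # typically its vendor's update or cloud-management endpoint
    allowed_outbound: List[Tuple[str, str, int]] = field(default_factory=list)


IOT_SUBNET = ip_network("10.60.0.0/24")    # constructed: the IoT VLAN
MGMT_SUBNET = ip_network("10.10.5.0/24")   # constructed: enterprise management hosts
IOT_IFACE = "vlan60"                       # constructed: firewall interface facing the IoT VLAN

DEVICES = [  # constructed sample inventory
    IoTDevice("lobby-thermostat", "aa:bb:cc:00:00:01", "10.60.0.11",
              [("203.0.113.10", "tcp", 443)]),
    IoTDevice("breakroom-coffee", "aa:bb:cc:00:00:02", "10.60.0.12",
              [("198.51.100.7", "tcp", 443), ("198.51.100.8", "udp", 123)]),
]


def validate(devices: List[IoTDevice], iot_subnet: IPv4Network) -> None:
    """Catch inventory mistakes before they turn into firewall rules."""
    seen = set()
    for dev in devices:
        addr = ip_address(dev.ip)
        if addr not in iot_subnet:
            raise ValueError(f"{dev.name}: {dev.ip} is not inside {iot_subnet}")
        if addr in seen:
            raise ValueError(f"{dev.name}: {dev.ip} is reserved twice")
        seen.add(addr)
        for dst, proto, port in dev.allowed_outbound:
            ip_address(dst)  # raises ValueError on a malformed destination
            if proto not in ("tcp", "udp") or not 0 < port < 65536:
                raise ValueError(f"{dev.name}: bad allow entry {dst}/{proto}/{port}")


def dnsmasq_reservations(devices: List[IoTDevice]) -> List[str]:
    """The device still uses DHCP, but always receives the same address,
    so the firewall rules and logs can refer to it by IP."""
    return [f"dhcp-host={d.mac},{d.ip},{d.name}" for d in devices]


def nftables_ruleset(devices, iot_subnet, mgmt_subnet, iface) -> str:
    """Default-deny forward chain: no inbound accept rule exists at all, and
    the only outbound accepts are the per-device allow entries."""
    validate(devices, iot_subnet)
    lines = [
        "table inet iot_edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        # management/monitoring from the enterprise side, restricted to
        # the IoT subnet and specific destination ports
        f"    ip saddr {mgmt_subnet} ip daddr {iot_subnet} tcp dport {{ 22, 443 }} accept",
    ]
    for dev in devices:
        for dst, proto, port in dev.allowed_outbound:
            lines.append(f"    ip saddr {dev.ip} ip daddr {dst} {proto} dport {port} "
                         f"accept comment \"{dev.name}\"")
    lines += [
        # anything else leaving the IoT VLAN is logged before the policy drops it;
        # these log lines are what the monitoring step relies on
        f"    iifname \"{iface}\" log prefix \"iot-deny \" counter drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print("\n".join(dnsmasq_reservations(DEVICES)))
    print(nftables_ruleset(DEVICES, IOT_SUBNET, MGMT_SUBNET, IOT_IFACE))
```

The chain never contains an accept for traffic arriving from the Internet, so inbound access is refused by the default policy rather than by a rule someone could later loosen. Adding a vendor's new update server means adding one entry to the device's inventory record and regenerating the ruleset, which keeps the allowlist and the firewall in step.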
3. Monitor Activity
Once IoT devices are segregated behind firewalls, detecting misbehaving devices should be a snap because your logs will reveal any denied connections.
The biggest focus should be outbound connections. The IT team should investigate any denied outbound connection. It could be a change in IP address by a device’s manufacturer, or it could be a sign that the device has been compromised and is now being used to attack other Internet sites or worm its way into your network.
In either case, an investigation is called for, which makes log monitoring an important part of any sound IoT security strategy.
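The following added example (not code from the original article) shows the kind of log review the monitoring rule calls for. It parses constructed firewall deny lines, written in the style of netfilter kernel log output with an "iot-deny " prefix, groups denied outbound flows by device, and separates the two explanations the article gives: a vendor that moved its servers (same service, new address) versus a device that is now probing the enterprise network or many external hosts. The subnets, addresses, threshold and expected-destination table are all placeholders.

```python
"""Triage denied outbound connections logged from a segregated IoT VLAN.

Added example, not code from the original article. The log lines are
constructed in the style of netfilter kernel log output carrying an
"iot-deny " prefix; subnets, addresses and device roles are placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

IOT_SUBNET = ip_network("10.60.0.0/24")            # constructed: the IoT VLAN
ENTERPRISE_SUBNETS = [ip_network("10.10.0.0/16")]  # constructed: trusted networks
SCAN_THRESHOLD = 5  # distinct external destinations from one device in the window

# Destinations each device is expected to reach (what the firewall allows).
# A denied flow to a different address on the same protocol/port often means
# the vendor moved its servers; a denied flow anywhere else is unexplained.
EXPECTED: Dict[str, Set[Tuple[str, str, int]]] = {  # constructed
    "10.60.0.11": {("203.0.113.10", "TCP", 443)},
    "10.60.0.12": {("198.51.100.7", "TCP", 443), ("198.51.100.8", "UDP", 123)},
    "10.60.0.13": {("203.0.113.40", "TCP", 443)},
}

SAMPLE_LOG = """\
Mar 03 09:12:01 fw kernel: iot-deny IN=vlan60 OUT=eth0 SRC=10.60.0.11 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=51432 DPT=443
Mar 03 09:12:07 fw kernel: iot-deny IN=vlan60 OUT=vlan10 SRC=10.60.0.12 DST=10.10.5.20 LEN=60 PROTO=TCP SPT=40001 DPT=445
Mar 03 09:12:08 fw kernel: iot-deny IN=vlan60 OUT=vlan10 SRC=10.60.0.12 DST=10.10.5.21 LEN=60 PROTO=TCP SPT=40002 DPT=445
Mar 03 09:13:00 fw kernel: iot-deny IN=vlan60 OUT=eth0 SRC=10.60.0.13 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=33001 DPT=80
Mar 03 09:13:00 fw kernel: iot-deny IN=vlan60 OUT=eth0 SRC=10.60.0.13 DST=192.0.2.6 LEN=60 PROTO=TCP SPT=33002 DPT=80
Mar 03 09:13:01 fw kernel: iot-deny IN=vlan60 OUT=eth0 SRC=10.60.0.13 DST=192.0.2.7 LEN=60 PROTO=TCP SPT=33003 DPT=80
Mar 03 09:13:01 fw kernel: iot-deny IN=vlan60 OUT=eth0 SRC=10.60.0.13 DST=192.0.2.8 LEN=60 PROTO=TCP SPT=33004 DPT=80
Mar 03 09:13:02 fw kernel: iot-deny IN=vlan60 OUT=eth0 SRC=10.60.0.13 DST=192.0.2.9 LEN=60 PROTO=TCP SPT=33005 DPT=80
Mar 03 09:14:30 fw kernel: guest-deny IN=vlan70 OUT=eth0 SRC=10.70.0.5 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=1234 DPT=22
Mar 03 09:15:00 fw kernel: iot-deny IN=vlan60 OUT=eth0 SRC=10.60.0.14 DST=192.0.2.77 LEN=60 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"iot-deny .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*? DPT=(?P<dpt>\d+))?"
)


@dataclass
class Finding:
    device: str
    severity: str
    category: str  # "lateral", "scan", "vendor-change" or "unknown"
    destinations: List[Tuple[str, str, int]]


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (src, dst, proto, dport) for an iot-deny line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else 0  # ICMP carries no port
    return m.group("src"), m.group("dst"), m.group("proto"), dpt


def is_enterprise(addr: str) -> bool:
    return any(ip_address(addr) in net for net in ENTERPRISE_SUBNETS)


def triage(log_text: str) -> List[Finding]:
    """Group denied flows by source device and decide what each pattern suggests."""
    flows = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and ip_address(parsed[0]) in IOT_SUBNET:
            src, dst, proto, dpt = parsed
            flows[src].add((dst, proto, dpt))

    findings = []
    for src in sorted(flows, key=ip_address):
        dests = sorted(flows[src])
        internal = [d for d in dests if is_enterprise(d[0])]
        if internal:
            # a segregated device has no business reaching enterprise hosts
            findings.append(Finding(src, "high", "lateral", internal))
            continue
        if len({d[0] for d in dests}) >= SCAN_THRESHOLD:
            findings.append(Finding(src, "high", "scan", dests))
            continue
        expected_services = {(p, port) for _, p, port in EXPECTED.get(src, ())}
        if dests and all((p, port) in expected_services for _, p, port in dests):
            # same service, new address: confirm with the vendor before widening the rule
            findings.append(Finding(src, "medium", "vendor-change", dests))
        else:
            findings.append(Finding(src, "medium", "unknown", dests))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.device:<12} {f.severity:<6} {f.category:<14} {f.destinations}")
```

Run against the sample, the thermostat's single denied HTTPS connection is classified as a likely vendor address change to verify, the coffee maker's attempts to reach hosts on the enterprise subnet are flagged as lateral movement, and the device fanning out to five external web servers is flagged as scanning. Every category ends in an investigation; the classification only decides how urgently.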
By exercising precaution and being vigilant, an IT team should be able to keep IoT devices from becoming weak points on the network.