Imagine a nation-state being able to covertly control medical equipment used to treat a high-profile politician or a country capable of accessing industrial controls used to provide electricity to millions of customers. Now consider the fact that there are billions of business devices — from basic security cameras, HVAC systems, barcode readers, smart locks and smart lighting through more sophisticated building automation systems and industrial machines — all connected within the larger Internet of Things, or IoT. The devices often go unnoticed or, if they are noticed, they are often left without adequate security controls. Cyber Security Services research suggests the following:
Top 10 IoT Security Strategies
- Change default passwords. The first step to improving IoT security can seem commonsense. But as security consultants, we run into default passwords all the time. We recommend that businesses establish and enforce procedures to change default passwords for every IoT device on the network. The updated passwords should be changed over a period of time. The passwords can be stored in a password vault similar to how service accounts and privileged user passwords are protected.
- Separate the corporate network. Whenever possible, separate the corporate network from vendor-managed and unmanaged IoT devices. This might include HVAC systems, security cameras, temperature control devices, electronic signage, smart televisions, media centers, security DVRs and NVRs, network-connected clocks, and network-connected lighting. Use VLANs to separate and keep track of various IoT devices on the network. Lastly, apply an Access Control List, or ACL, to VLANs or network access ports whenever possible to limit communication to the least amount that is required for device operation.
- Prevent IoT devices from communicating with the internet unless absolutely necessary. Many devices run archaic operating systems and many embedded operating systems can be used to reach out to command-and-control locations. Systems can be compromised during the manufacturing process. While it’s impossible to completely eliminate an IoT security threat, businesses can prevent IoT devices from communicating outside of the organization unless absolutely necessary.
- Control which vendors are allowed remote access to IoT devices. To improve IoT security, businesses can put controls in place to limit the number of vendors granted remote access to IoT devices. Access can be limited to those individuals performing tasks under the supervision of knowledgeable employees, which might include access through remote hands, such as WebEx. When remote access is absolutely necessary, ensure those vendors use the same solutions as would in-house personnel.
- Implement a Network Access Control (NAC) solution. A NAC solution with proper switch and wireless integrations can help an organization improve IoT security by detecting most devices and identifying rogue connections to the network. It can also apply controls to the devices that are not authorized or granted merely limited access to the network.
- Implement a vulnerability scanner as soon as possible. Vulnerability scanners from commercial vendors are effective in detecting the types of devices connected to a network and are, thus, useful tools for organizations looking to enhance their IoT security.
- Run an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) on the network. While continually running an IDS or IPS on the network will not detect all malicious network traffic, it can offer a good indication when an IoT device has been compromised should it traverse the IDS/IPS.
- Ensure proper management of all IoT devices. Proper device management includes both patch management at the local device level along with enterprise-wide inventory management. Inventory management will ensure remotely managed devices are cataloged, with records in place detailing registration, configuration, authentication, and other pertinent device data.
- Restrict internal and external port communication on firewalls. To elevate IoT security, Cyber Security Services also recommends that companies prevent outbound communication unless that communication is specifically required.
- Remove unsupported operating systems, applications, and devices from the network. To improve IoT security, conduct an inventory that reveals which operating system a device might be running.