Take Precautions So Your Smart Devices Don’t Introduce Stupid Security Risks
Smart cars that drive themselves and smart homes that let their owners inside without a key and adjust the temperature automatically are the visible face of the Internet of Things (IoT). Most of us still have to steer our cars by ourselves and adjust the thermostat to our liking, but there are many other IoT devices sneaking into our homes and offices. These smaller devices—things like smart lightbulbs or sensors that help manage industrial processes—are less noticeable, and that’s one of the factors that make them vulnerable.
Smart Doesn’t Mean Secure
Although these devices are smart, and were designed by smart people, they weren’t necessarily designed with an eye to security. IoT devices are typically small, so they don’t have a lot of computing capacity. That means they can’t always support typical security measures, like strong encryption of the data they transmit over the network. There’s often no interface that enables their owners to install patches; you have to rely on the vendor pushing updates over the network. Devices are often supported or managed through mobile and web apps that have low levels of security around customer information.
Worse, each IoT device that connects to your network creates an endpoint that hackers can exploit to gain access. The risk isn’t that a hacker can prompt the smart refrigerator in your break room to order unneeded milk; it’s that the hacker can use that connection to gain access to other systems that contain sensitive data. Hackers can also use IoT devices to conduct distributed denial of service attacks, or gain control of sensor-based systems that manage industrial processes, disrupting physical processes and impacting real-world safety.
Many IoT devices are connected to the network by non-IT personnel, so IT often isn’t aware of their existence. But even if your IoT devices don’t pose a security risk, they still add load to your network that needs to be managed and accounted for in your capacity planning.
Tackling IoT Security
Many IoT vendors today are building more robust security measures into their new devices, but that doesn’t solve the problem of existing installed devices. You can try banning them, but, as with mobile devices in the days before bring-your-own-device (BYOD) policies, a ban isn’t likely to last.
Instead, use BYOD as a model for how you handle IoT devices on the corporate network. Define a policy that identifies the devices that are allowed to connect to the network and take steps to manage them. There isn’t currently the equivalent of mobile device management software for the IoT, but you can implement a provisioning process that ensures that default settings are changed as needed and segregate the devices on their own network segment to isolate their traffic. Use firewall settings to monitor the data sent and received by these devices.
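The policy, provisioning and segmentation checks described above can be run as a recurring audit. The Python below is an added example, not part of the original article; the device models, subnets, inventory records and firewall flow records are all constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration (assumptions, not from the article).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")        # dedicated IoT segment
CORPORATE_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # systems holding sensitive data
ALLOWED_MODELS = {"acme-bulb-2", "acme-thermostat-1"}     # hypothetical policy allowlist

INVENTORY = [  # constructed output of the provisioning process
    {"mac": "02:00:00:00:00:01", "model": "acme-bulb-2", "ip": "10.50.0.11", "default_password_changed": True},
    {"mac": "02:00:00:00:00:02", "model": "acme-thermostat-1", "ip": "10.10.4.20", "default_password_changed": False},
    {"mac": "02:00:00:00:00:03", "model": "generic-cam-9", "ip": "10.50.0.13", "default_password_changed": True},
]

FLOWS = [  # constructed firewall flow records: (source IP, destination IP, destination port)
    ("10.50.0.11", "203.0.113.10", 443),   # bulb talking to its vendor cloud
    ("10.50.0.13", "10.10.1.5", 445),      # camera reaching a corporate file server
    ("10.50.0.99", "203.0.113.10", 443),   # source address missing from the inventory
]

def audit_device(dev):
    """Return the policy findings for one provisioned device."""
    findings = []
    if dev["model"] not in ALLOWED_MODELS:
        findings.append("model not on allowlist")
    if not dev["default_password_changed"]:
        findings.append("default credentials unchanged")
    if ipaddress.ip_address(dev["ip"]) not in IOT_SEGMENT:
        findings.append("outside IoT segment")
    return findings

def audit_inventory(inventory):
    """Map MAC address -> findings, for devices with at least one finding."""
    return {d["mac"]: f for d in inventory if (f := audit_device(d))}

def segment_violations(flows):
    """Flows where an IoT-segment host reaches a corporate network."""
    return [(s, d, p) for s, d, p in flows
            if ipaddress.ip_address(s) in IOT_SEGMENT
            and any(ipaddress.ip_address(d) in net for net in CORPORATE_NETS)]

def unknown_sources(flows, inventory):
    """IoT-segment source addresses that no provisioned device accounts for."""
    known = {d["ip"] for d in inventory}
    return sorted({s for s, _, _ in flows
                   if ipaddress.ip_address(s) in IOT_SEGMENT and s not in known})

if __name__ == "__main__":
    print(audit_inventory(INVENTORY))
    print(segment_violations(FLOWS))
    print(unknown_sources(FLOWS, INVENTORY))
```

The unknown-source check surfaces devices that were connected without IT's knowledge, and the segment-violation check shows where isolation between the IoT segment and corporate systems is not holding.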
If you’re introducing IoT in a deliberate way as part of a project, make sure the security issues are considered during the project’s initial design reviews.
Security Starts With An Assessment
Any security plan should start by assessing your network to identify your risks. Prescient Solutions can perform an infrastructure assessment that identifies your vulnerabilities, including those that come from IoT devices. Once the risks are identified, we can help you prioritize them and create a plan that lets these small, smart devices add value rather than adding vulnerability. Contact us to arrange your free assessment and learn about our other security services.