The Internet of Things, or IoT, is a broad label for everything else on your network: it excludes your desktops, laptops, smartphones, routers, switches, servers and so on, and covers the other devices that need access to the Internet but are barely under your control: environmental sensors, lighting automation, projectors in conference rooms, PoE-powered NTP-controlled clocks.
And that’s what makes them huge security risks to your everyday technology equipment. IoT devices can act as unsecured entry points for three main reasons:
- You don’t have the same tools to manage and update them — and the vendor may not even have patches for security problems. All those lovely tools you have for desktop management, server orchestration, mobile device management … they don’t touch IoT devices, by definition. So you’ll be flying in the dark, coming up with an individual solution for every type of device on your network.
- Your normal security tools are ineffective. Anti-malware, intrusion prevention, sandboxing — none of them know about your special Wi-Fi-enabled thermostats and break room refrigerators. Many of your defenses are weaker with this type of technology.
- IoT often bridges to the physical world, making your threat scenarios different. It’s not a data breach if the building automation system gets hacked — it’s power or HVAC going out for an entire building.
Most (but not all) IoT devices will want to use Wi-Fi, and they must be isolated on their own network. They should be on their own SSIDs (Wi-Fi) or VLANs (wired), and security should be set to disallow peer-to-peer communications even on the same network. Wi-Fi engineering can also reduce the impact of these devices: set your access points to require a minimum RSSI (Received Signal Strength Indicator) and a minimum data rate. This will keep distant IoT devices from locking onto the wrong access point and affecting performance for everyone.
You could set up a separate Wi-Fi network with dedicated hardware, but this is usually overkill and represents a doubling of your management burden — not to mention the added cost of installing more access points. Simply isolating by SSID on your existing network is sufficient for most IoT uses and lets you leverage all of the Wi-Fi engineering you already have in place. Because most IoT devices are on the 802.11b (2.4 GHz) bands, pushing end users to an 802.11a (5 GHz) band, which has less interference and more bandwidth, will improve things immensely. All modern laptops and smartphones have 802.11a radios in them, allowing you to reserve the slower and more crowded 802.11b for IoT devices and legacy hardware.
IoT networks (wired and wireless) definitely need firewalls, and those firewalls should be configured for very strict controls. Given the low cost of firewall hardware, you may even want to have dedicated low-end firewalls for these networks, simplifying the process of change management and saving more expensive Next-Generation Firewalls for clients and servers, where they are more appropriate. IPSes may work on IoT networks, but don’t count on IPSes to provide much additional security and be on the lookout for false positives that may be breaking critical IoT communications.
Outbound traffic should be strictly controlled. IoT devices don’t need to roam all over the Internet. They usually have a small set of servers they talk to, and that’s all. Each new IoT device or class of devices should be monitored to see which communications are really needed (vendors often ask for either too much or too little). Then, firewall rules need to be put in place to ensure that devices don’t stray outside of those limits. As this implies, IoT devices need static IP addresses, even if they are handed out via DHCP, so plan accordingly for those subnets with a good quality DHCP server.
IoT devices that are home-oriented but have made their way into business environments (think Chromecast and smart TVs, for instance) present additional challenges for network routing and security. Any IoT device that isn’t standalone may require special gateways and engineering to avoid a security hole or performance-killing network connection.
At the same time, keep an eye on your IoT firewall logs. If there are suddenly new communication attempts going out, either the software has changed or someone has cracked into the device and is trying to get back to their command-and-control servers. Any “deny outbound” logs must be investigated.
IoT deployment is a nightmare, and every single device gets configured differently. Therefore, tasks like changing WPA2-PSK passwords on Wi-Fi networks will be met with a lot of resistance — you’ll be lucky to even get away with annual changes. In theory, IoT devices could use digital certificates or WPA2-Enterprise username/password pairs, but few devices do. IT managers should plan for a mostly WPA2-PSK world, and insist on good documentation for every device that connects so that passwords can be changed quickly when needed.
Because the WPA2-PSK password will inevitably get out, a second layer of authentication based on MAC address (and those static DHCP IP addresses mentioned above) is a good defense-in-depth strategy.
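The three controls above (a documented per-device allowlist of outbound destinations, investigation of every “deny outbound” log entry, and a MAC-address check tied to the static DHCP addresses) can be exercised together in a small triage script. The following is an added example, not code from the article: the inventory, the device names, the IP and MAC addresses and the `key=value` log format are all constructed for illustration (real firewall log formats vary by vendor), and the script simply reads firewall log lines, maps each source back to the documented device and reports anything that falls outside the documentation.

```python
"""Triage IoT firewall logs against a documented device inventory.

Added example with constructed data: the inventory, addresses and the
simplified key=value log format are hypothetical, not from any vendor.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Documented inventory: the static DHCP reservation (MAC -> IP) for each
# device plus the small set of (destination, port) pairs it really needs.
# All values are constructed for this example.
INVENTORY = {
    "aa:bb:cc:00:00:01": {
        "name": "lobby-thermostat",
        "ip": "10.50.1.11",
        "allowed": {("203.0.113.10", 443), ("10.0.0.5", 123)},
    },
    "aa:bb:cc:00:00:02": {
        "name": "conf-room-projector",
        "ip": "10.50.1.12",
        "allowed": {("198.51.100.7", 443)},
    },
}

# Constructed log lines in a simplified key=value format.
LOG_LINES = [
    "action=ALLOW src_mac=aa:bb:cc:00:00:01 src=10.50.1.11 dst=203.0.113.10 dport=443",
    "action=DENY src_mac=aa:bb:cc:00:00:01 src=10.50.1.11 dst=192.0.2.99 dport=6667",
    "action=ALLOW src_mac=aa:bb:cc:00:00:02 src=10.50.1.12 dst=198.51.100.7 dport=443",
    "action=DENY src_mac=aa:bb:cc:00:00:02 src=10.50.1.99 dst=198.51.100.7 dport=443",
    "action=DENY src_mac=aa:bb:cc:00:00:03 src=10.50.1.13 dst=203.0.113.10 dport=443",
    "action=ALLOW src_mac=aa:bb:cc:00:00:01 src=10.50.1.11 dst=203.0.113.10 dport=80",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

Finding = Tuple[str, str, str]  # (category, device or MAC, detail)


def parse_line(line: str) -> Dict[str, object]:
    """Parse one key=value log line; dport is converted to an int."""
    fields: Dict[str, object] = dict(KV_RE.findall(line))
    fields["dport"] = int(fields["dport"])
    return fields


def triage(lines: List[str], inventory: Dict[str, dict]) -> List[Finding]:
    """Compare every log event with the documented inventory.

    Categories reported:
      unknown_device     - source MAC is not documented at all
      ip_mismatch        - documented MAC using an IP other than its reservation
      deny_outbound      - firewall blocked an outbound attempt (always investigate)
      undocumented_allow - traffic was allowed to a destination not in the allowlist,
                           i.e. the firewall policy is looser than the documentation
    """
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        mac, src, dst, dport = ev["src_mac"], ev["src"], ev["dst"], ev["dport"]
        device = inventory.get(mac)
        if device is None:
            findings.append(("unknown_device", mac, f"{src} -> {dst}:{dport}"))
            continue
        if src != device["ip"]:
            findings.append(("ip_mismatch", device["name"], f"reserved {device['ip']}, saw {src}"))
        if ev["action"] == "DENY":
            findings.append(("deny_outbound", device["name"], f"{dst}:{dport}"))
        elif (dst, dport) not in device["allowed"]:
            findings.append(("undocumented_allow", device["name"], f"{dst}:{dport}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, for a quick daily report."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    results = triage(LOG_LINES, INVENTORY)
    for category, who, detail in results:
        print(f"{category:18} {who:22} {detail}")
    print(summarize(results))
```

Run on the constructed lines, the script reports two blocked outbound attempts to investigate, one documented MAC that is not using its reserved address, one MAC that is not in the inventory at all, and one allowed flow that the firewall should not have permitted according to the documentation. The last category is the useful one for keeping firewall rules and vendor requirements in sync over time.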
IoT devices promise smarter rooms, buildings and even appliances. But they come with a bad reputation for security and management, and IT managers need to work to ensure that adding IoT to their network doesn’t compromise physical or information security.
Samsung’s Knox Platform for Enterprise is a full security stack that can be leveraged to protect mobile devices in every ecosystem, from E-FOTA enrollment to an all-encompassing EMM protocol. See how the full suite is protecting mobile endpoints.