Deploying IoT Devices

Deploying IoT Devices

Best practices for managing and securing IoT networks

The number and breadth of devices that make up the Internet of Things (IoT) continues to grow rapidly, with everything from kitchen appliances to video surveillance and access control systems offering the ability to connect to a network. Each of these offers tremendous value, but the true power of the IoT lies in the ability to connect disparate systems and devices to leverage the combined data they produce to generate some valuable insight and actionable intelligence.

Integrations between IP-based surveillance, access control, intercoms, speakers, traffic management, HVAC and many others offer the potential to share useful information between connected devices to deliver a fuller view of a situation across multiple locations than any one system could possibly provide on its own.

The effectiveness of IoT networks relies on understanding how devices can work together to capitalize on the combined strengths of each sensor to deliver value and solve specific challenges by collecting widely dispersed data from disparate sources to provide a complete view of security and operations. Given the billions of IoT sensors deployed around the world and the value of the data they provide, the need to properly deploy, manage and secure those devices has become more urgent.

It’s one thing to have all this technology at your fingertips, but it’s another thing to understand the problems you’re trying to solve with that technology. Therefore, it is vital to start with the problem and identify the technologies that offer solutions to those challenges.

Additionally, there is the fact that the more devices an organization has connected to the network, the greater the potential for network breaches, as well as the need to manage the continually-growing number of devices on the network. By following some best practices, organizations can mitigate potential concerns in these and other areas to harness the true power of their IoT networks.

Addressing Vulnerabilities

All devices connected to a network represent potential back doors that hackers could exploit to gain access to a network and the various systems to which it’s connected. Therefore, as evidenced by the number of high-profile breaches that seem to be occurring with alarming regularity, cybersecurity is a top priority for everyone.

Unfortunately, all networked devices and systems can be vulnerable, and in our connected world, the cybersecurity of a network is only as strong as the weakest device connected to it. Therefore, it is essential that all networked devices provide the level of security necessary to protect the overall system from the potentially catastrophic effects of a breach.

Perhaps the biggest concern with networked devices is that they could be used by cybercriminals as a platform to breach other parts of a system, which could then be used to gather data or take down or hijack a system. In theory, any networked device can be used to attack another network device. For example, a vulnerable networked HVAC system could be used to gain access to a retailer’s overall network, which could provide hackers with access to POS and financial data, including customer names and credit card information that could be used for identity theft or other crime. Unfortunately, this is becoming more of a reality with each passing day.

Organizations can reduce the likelihood of a breached device serving as a back door for hackers to access other devices by segmenting it, hardening it or isolating it in some way that protects the device to the best of their ability and keeps it separated from other systems and the sensitive information they contain. It is also necessary to continually re-assess cybersecurity methods and procedures to make sure they’re adequate for the threats that continue to emerge daily.

A great example of this would be surveillance cameras, which are different from other devices in that they often run on a segmented surveillance-only network and are not designed to tap into other systems. A much easier target would be a Windows computer, given that it might have access to more systems and probably has an Active Directory domain that provides access to a larger file system or to sensitive data itself. So when properly deployed and connected to the network, it would be highly unlikely that someone could use a camera to gain access to sensitive or personal information contained in another networked system.

Overcoming the Human Element

While strong tools, technologies and features are vital to supporting cybersecurity, they aren’t capable of addressing what tends to be the weakest link in cybersecurity: the human element.

That’s why it’s so important for organizations to set and apply standards and enforce policies across their systems, and to put policies in place to ensure best practices are followed throughout the organization. This should include guidelines regarding connecting personal devices like mobile phones or wireless access points to the network.

One of the biggest challenges organizations face is simply knowing what’s deployed on their network. Depending on its size and specific needs, an organization may have hundreds or thousands of IoT devices and sensors deployed in one or multiple locations.

Thankfully there are technologies available that can scan the network to identify every device that’s connected to it. In some cases, these solutions will even ensure that all devices from a particular manufacturer are properly configured according to a company’s requirements and policies.

Armed with a solid understanding of the hardware, systems, and devices that are deployed on the network, organizations can then develop the processes and procedures for securing them. Part of this is making sure devices offer appropriate security features and can be hardened or updated through firmware.

Once policies have been put in place, it’s also important for an organization to have someone who can communicate IT policies and work with the integrator to ensure that devices are configured to fit within that policy. For example, a primary policy would be that any device that’s installed on the network, whether it’s a server, workstation or an IoT device, must communicate using encryption over the customer’s local area network in order to lower the risk of cyberattacks.

Based on that policy, any IP camera that’s installed must enable encryption, and the video management system will need to be able to read the encrypted communication from that camera. Going a step further, when drafting these policies, end users also have to take mobile devices into account and establish a policy that protects the organization’s network from being compromised by an individual’s personal device.

Policies play an integral part in overcoming the human element. Another factor is having tools that make it easy to maintain consistency when deploying cybersecurity features in IoT devices. For example, if someone has to individually configure hundreds of different devices one by one to make them secure—especially if you have multiple people doing it—the human factor takes over, and mistakes can be made.

Finding the Right Fit

For integrators, the road to strong cybersecurity starts with selecting products that can deliver strong cybersecurity for protecting customers’ networks. When selecting solutions for end users, it’s important to look for products that offer features that fit into the customer’s security policy. This could include encryption, IP address filtering to restrict who and what can access a device, digitally signed firmware, or secure booting, which will halt the boot process if foreign code is introduced to the device.

However, when installing and deploying devices, it’s not practical to simply turn on all the security features, drop it into an enterprise environment and hope that it works. IoT relies on interconnectivity and communication between devices, so there needs to be coordination between the necessary connections, and communication has to be encrypted.

Keep in mind that not all encryption is the same, meaning that whatever encryption is running on the edge device must also be running on the server it’s connecting to. Otherwise, they simply can’t communicate, which completely undermines the core benefit of the IoT.

This means each end user will require some degree of customization in the configuration of devices, so integrators have to make sure they and their staff have the right skills and that they’re properly communicating with the end user to make sure their security needs are heard and addressed. Additionally, the level of customization and the end user’s cybersecurity needs must be dictated by established policies.

Many manufacturers also provide a hardening guide that details how to best secure their devices. This can be an invaluable tool for integrators and end users, but it can’t replace the need for an organization to have a security policy in place and then use the hardening guide to determine which specific features can be implemented to fit into that policy.

Another key factor when looking at products is to identify a manufacturer that adheres to cybersecurity best practices such as strong encryption and a variety of additional security features that deliver the highest level of protection for devices. They must also be open and transparent so that when a vulnerability is discovered in one of their devices, they will alert customers and provide a fix as soon as possible.

Managing IoT Device Lifecycles

An unfortunate reality is that all devices will eventually expire or at the very least, reach the end of their useful life. For example, an IP camera could have a functional lifetime of upward of 10 to 15 years. However, security vulnerabilities will change quickly and dramatically over that period, which makes it difficult for manufacturers to keep providing the updates required to keep those cameras protected in an evolving cybersecurity threat landscape.

The good news is that in many cases, this can be predictable, provided an organization is engaged in some sort of structured lifecycle management program. Implementing, monitoring and managing life cycles provides organizations with the ability to better plan for introducing new technology into their environment. Lifecycle management also allows organizations to keep pace with new and emerging cybersecurity threats while ensuring they are using the appropriate and most advanced technologies to minimize security threats and vulnerabilities and avoid the negative costs associated with cyber breaches.

This process also allows organizations to identify those devices that may be nearing the end of their useful life or that are too outdated for the manufacturer to provide supportincluding firmware and operating system updates-making them susceptible to risk.

Regardless, these devices must be replaced with newer solutions that offer up-to-date cybersecurity features and are supported by the manufacturer. In addition to security, the hallmark of a good lifecycle management program is the ability for an organization to plan and budget for replacing a certain number or percentage of devices each year rather than facing an expensive replacement of an entire system or major component.

Given the number and variety of networked devices available today, applications of IoT networks would seem to be limited only by the imagination. The combined data generated by these interconnected systems offer tremendous potential to deliver deep insights and intelligence that have never before been possible, provided IoT devices and networks are properly designed, deployed, managed and secured. These best practices will help manufacturers, integrators and end users harness the true power of the IoT.

This article originally appeared in the September 2019 issue of Security Today.

Featured

  • ISC West Is Two Months Away

    ISC West Is Two Months Away

    The annual “vacation” to Las Vegas is less than two months away. I anticipate it will be an amazing show, and furthermore, I expect the show hall to be teeming with interested security professionals. Read Now

    • Industry Events
  • Security Today Launches 2023 Government Security Awards

    Security Today Launches 2023 Government Security Awards

    Security Today is proud to announce the launch of the 2023 Government Security Awards. The Govies honor outstanding government security products in a variety of categories. For this year’s awards program, participants can choose from 38 different categories to enter their product(s) into. Read Now

  • Back to the Basics

    Back to the Basics

    Security is a continuous evolution of practices and procedures. The developments in technology and advancements in threats make security difficult at times. Although security from one location may look different from another location, there is a common goal applied to security measures. The common goal is protection. Read Now

  • The Top Three Security Trends in 2023

    The Top Three Security Trends in 2023

    As security technology has become more widely used, the interest in new capabilities and increased security measures has increased. As we head into 2023, these three trends will shape the security landscape. Read Now

Featured Cybersecurity

New Products

  • VideoEdge 2U High Capacity Network Video Recorder

    VideoEdge 2U High Capacity Network Video Recorder

    Johnson Controls announces a powerful recording solution to meet demanding requirements with its VideoEdge 2U High Capacity Network Video Recorder. This solution combines the powerful capabilities of victor with the intelligence of VideoEdge NVRs, fueled by Tyco Artificial Intelligence, for video management that provides actionable insights to save time, money and lives. 3

  • SecureAuth

    SecureAuth

    The acceleration of digital transformation initiatives as a result of COVID-19 has created a lasting impact on how businesses empower their workforce and engage customers. 3

  • D-Tools System Integrator (SI) Software

    D-Tools System Integrator (SI) Software

    D-Tools Inc. has announced the availability of System Integrator version 16, which adds powerful new project and service management capabilities to its award-winning, end-to-end business management solution. 3