Deploying IoT Devices

Deploying IoT Devices

Best practices for managing and securing IoT networks

The number and breadth of devices that make up the Internet of Things (IoT) continues to grow rapidly, with everything from kitchen appliances to video surveillance and access control systems offering the ability to connect to a network. Each of these offers tremendous value, but the true power of the IoT lies in the ability to connect disparate systems and devices to leverage the combined data they produce to generate some valuable insight and actionable intelligence.

Integrations between IP-based surveillance, access control, intercoms, speakers, traffic management, HVAC and many others offer the potential to share useful information between connected devices to deliver a fuller view of a situation across multiple locations than any one system could possibly provide on its own.

The effectiveness of IoT networks relies on understanding how devices can work together to capitalize on the combined strengths of each sensor to deliver value and solve specific challenges by collecting widely dispersed data from disparate sources to provide a complete view of security and operations. Given the billions of IoT sensors deployed around the world and the value of the data they provide, the need to properly deploy, manage and secure those devices has become more urgent.

It’s one thing to have all this technology at your fingertips, but it’s another thing to understand the problems you’re trying to solve with that technology. Therefore, it is vital to start with the problem and identify the technologies that offer solutions to those challenges.

Additionally, there is the fact that the more devices an organization has connected to the network, the greater the potential for network breaches, as well as the need to manage the continually-growing number of devices on the network. By following some best practices, organizations can mitigate potential concerns in these and other areas to harness the true power of their IoT networks.

Addressing Vulnerabilities

All devices connected to a network represent potential back doors that hackers could exploit to gain access to a network and the various systems to which it’s connected. Therefore, as evidenced by the number of high-profile breaches that seem to be occurring with alarming regularity, cybersecurity is a top priority for everyone.

Unfortunately, all networked devices and systems can be vulnerable, and in our connected world, the cybersecurity of a network is only as strong as the weakest device connected to it. Therefore, it is essential that all networked devices provide the level of security necessary to protect the overall system from the potentially catastrophic effects of a breach.

Perhaps the biggest concern with networked devices is that they could be used by cybercriminals as a platform to breach other parts of a system, which could then be used to gather data or take down or hijack a system. In theory, any networked device can be used to attack another network device. For example, a vulnerable networked HVAC system could be used to gain access to a retailer’s overall network, which could provide hackers with access to POS and financial data, including customer names and credit card information that could be used for identity theft or other crime. Unfortunately, this is becoming more of a reality with each passing day.

Organizations can reduce the likelihood of a breached device serving as a back door for hackers to access other devices by segmenting it, hardening it or isolating it in some way that protects the device to the best of their ability and keeps it separated from other systems and the sensitive information they contain. It is also necessary to continually re-assess cybersecurity methods and procedures to make sure they’re adequate for the threats that continue to emerge daily.

A great example of this would be surveillance cameras, which are different from other devices in that they often run on a segmented surveillance-only network and are not designed to tap into other systems. A much easier target would be a Windows computer, given that it might have access to more systems and probably has an Active Directory domain that provides access to a larger file system or to sensitive data itself. So when properly deployed and connected to the network, it would be highly unlikely that someone could use a camera to gain access to sensitive or personal information contained in another networked system.

Overcoming the Human Element

While strong tools, technologies and features are vital to supporting cybersecurity, they aren’t capable of addressing what tends to be the weakest link in cybersecurity: the human element.

That’s why it’s so important for organizations to set and apply standards and enforce policies across their systems, and to put policies in place to ensure best practices are followed throughout the organization. This should include guidelines regarding connecting personal devices like mobile phones or wireless access points to the network.

One of the biggest challenges organizations face is simply knowing what’s deployed on their network. Depending on its size and specific needs, an organization may have hundreds or thousands of IoT devices and sensors deployed in one or multiple locations.

Thankfully there are technologies available that can scan the network to identify every device that’s connected to it. In some cases, these solutions will even ensure that all devices from a particular manufacturer are properly configured according to a company’s requirements and policies.

Armed with a solid understanding of the hardware, systems, and devices that are deployed on the network, organizations can then develop the processes and procedures for securing them. Part of this is making sure devices offer appropriate security features and can be hardened or updated through firmware.

Once policies have been put in place, it’s also important for an organization to have someone who can communicate IT policies and work with the integrator to ensure that devices are configured to fit within that policy. For example, a primary policy would be that any device that’s installed on the network, whether it’s a server, workstation or an IoT device, must communicate using encryption over the customer’s local area network in order to lower the risk of cyberattacks.

Based on that policy, any IP camera that’s installed must enable encryption, and the video management system will need to be able to read the encrypted communication from that camera. Going a step further, when drafting these policies, end users also have to take mobile devices into account and establish a policy that protects the organization’s network from being compromised by an individual’s personal device.

Policies play an integral part in overcoming the human element. Another factor is having tools that make it easy to maintain consistency when deploying cybersecurity features in IoT devices. For example, if someone has to individually configure hundreds of different devices one by one to make them secure—especially if you have multiple people doing it—the human factor takes over, and mistakes can be made.

Finding the Right Fit

For integrators, the road to strong cybersecurity starts with selecting products that can deliver strong cybersecurity for protecting customers’ networks. When selecting solutions for end users, it’s important to look for products that offer features that fit into the customer’s security policy. This could include encryption, IP address filtering to restrict who and what can access a device, digitally signed firmware, or secure booting, which will halt the boot process if foreign code is introduced to the device.

However, when installing and deploying devices, it’s not practical to simply turn on all the security features, drop it into an enterprise environment and hope that it works. IoT relies on interconnectivity and communication between devices, so there needs to be coordination between the necessary connections, and communication has to be encrypted.

Keep in mind that not all encryption is the same, meaning that whatever encryption is running on the edge device must also be running on the server it’s connecting to. Otherwise, they simply can’t communicate, which completely undermines the core benefit of the IoT.

This means each end user will require some degree of customization in the configuration of devices, so integrators have to make sure they and their staff have the right skills and that they’re properly communicating with the end user to make sure their security needs are heard and addressed. Additionally, the level of customization and the end user’s cybersecurity needs must be dictated by established policies.

Many manufacturers also provide a hardening guide that details how to best secure their devices. This can be an invaluable tool for integrators and end users, but it can’t replace the need for an organization to have a security policy in place and then use the hardening guide to determine which specific features can be implemented to fit into that policy.

Another key factor when looking at products is to identify a manufacturer that adheres to cybersecurity best practices such as strong encryption and a variety of additional security features that deliver the highest level of protection for devices. They must also be open and transparent so that when a vulnerability is discovered in one of their devices, they will alert customers and provide a fix as soon as possible.

Managing IoT Device Lifecycles

An unfortunate reality is that all devices will eventually expire or at the very least, reach the end of their useful life. For example, an IP camera could have a functional lifetime of upward of 10 to 15 years. However, security vulnerabilities will change quickly and dramatically over that period, which makes it difficult for manufacturers to keep providing the updates required to keep those cameras protected in an evolving cybersecurity threat landscape.

The good news is that in many cases, this can be predictable, provided an organization is engaged in some sort of structured lifecycle management program. Implementing, monitoring and managing life cycles provides organizations with the ability to better plan for introducing new technology into their environment. Lifecycle management also allows organizations to keep pace with new and emerging cybersecurity threats while ensuring they are using the appropriate and most advanced technologies to minimize security threats and vulnerabilities and avoid the negative costs associated with cyber breaches.

This process also allows organizations to identify those devices that may be nearing the end of their useful life or that are too outdated for the manufacturer to provide supportincluding firmware and operating system updates-making them susceptible to risk.

Regardless, these devices must be replaced with newer solutions that offer up-to-date cybersecurity features and are supported by the manufacturer. In addition to security, the hallmark of a good lifecycle management program is the ability for an organization to plan and budget for replacing a certain number or percentage of devices each year rather than facing an expensive replacement of an entire system or major component.

Given the number and variety of networked devices available today, applications of IoT networks would seem to be limited only by the imagination. The combined data generated by these interconnected systems offer tremendous potential to deliver deep insights and intelligence that have never before been possible, provided IoT devices and networks are properly designed, deployed, managed and secured. These best practices will help manufacturers, integrators and end users harness the true power of the IoT.

This article originally appeared in the September 2019 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3