Deploying IoT Devices
Best practices for managing and securing IoT networks
- By Ryan Zatolokin
- Sep 01, 2019
The number and breadth of devices that make up the Internet of Things (IoT) continue to grow rapidly, with everything from kitchen appliances to video surveillance and access control systems offering the ability to connect to a network. Each of these offers value on its own, but the true power of the IoT lies in connecting disparate systems and devices and leveraging the combined data they produce to generate valuable insight and actionable intelligence.

Integrations between IP-based surveillance, access control, intercoms, speakers, traffic management, HVAC and many other systems offer the potential to share useful information between connected devices, delivering a fuller view of a situation across multiple locations than any one system could provide on its own.

The effectiveness of IoT networks relies on understanding how devices can work together, capitalizing on the combined strengths of each sensor and collecting widely dispersed data from disparate sources to provide a complete view of security and operations and solve specific challenges.

Given the billions of IoT sensors deployed around the world and the value of the data they provide, the need to properly deploy, manage and secure those devices has become more urgent.

It’s one thing to have all this technology at your fingertips, but it’s another to understand the problems you’re trying to solve with it. Therefore, it is vital to start with the problem and identify the technologies that offer solutions to those challenges.

Additionally, the more devices an organization has connected to the network, the greater the potential for network breaches, and the greater the effort needed to manage the continually growing number of devices on the network. By following some best practices, organizations can mitigate potential concerns in these and other areas and harness the true power of their IoT networks.
Addressing Vulnerabilities
All devices connected to a network represent potential back doors that hackers could exploit to gain access to the network and the various systems to which it’s connected. As the number of high-profile breaches occurring with alarming regularity shows, cybersecurity is therefore a top priority for everyone.

Unfortunately, all networked devices and systems can be vulnerable, and in our connected world the cybersecurity of a network is only as strong as the weakest device connected to it. It is therefore essential that every networked device provide the level of security necessary to protect the overall system from the potentially catastrophic effects of a breach.

Perhaps the biggest concern with networked devices is that cybercriminals could use them as a platform to breach other parts of a system, which could then be used to gather data or to take down or hijack a system. In theory, any networked device can be used to attack another networked device. For example, a vulnerable networked HVAC system could be used to gain access to a retailer’s overall network, which could give hackers access to POS and financial data, including customer names and credit card information that could be used for identity theft or other crime. Unfortunately, this is becoming more of a reality with each passing day.

Organizations can reduce the likelihood of a breached device serving as a back door to other devices by segmenting, hardening or isolating it in some way that protects the device as well as possible and keeps it separated from other systems and the sensitive information they contain. It is also necessary to continually reassess cybersecurity methods and procedures to make sure they’re adequate for the threats that continue to emerge daily.

Surveillance cameras are a good example. They differ from other devices in that they often run on a segmented, surveillance-only network and are not designed to tap into other systems. A much easier target would be a Windows computer, which might have access to more systems and probably belongs to an Active Directory domain that provides access to a larger file system or to sensitive data itself. So when properly deployed and connected to the network, it is highly unlikely that someone could use a camera to gain access to sensitive or personal information contained in another networked system.
Overcoming the Human Element
While strong tools, technologies and features are vital to supporting cybersecurity, they aren’t capable of addressing what tends to be the weakest link in cybersecurity: the human element.

That’s why it’s so important for organizations to set and apply standards, enforce policies across their systems, and put policies in place to ensure best practices are followed throughout the organization. This should include guidelines on connecting personal devices such as mobile phones or wireless access points to the network.

One of the biggest challenges organizations face is simply knowing what’s deployed on their network. Depending on its size and specific needs, an organization may have hundreds or thousands of IoT devices and sensors deployed in one or multiple locations.

Thankfully, there are technologies available that can scan the network to identify every device connected to it. In some cases, these solutions will even ensure that all devices from a particular manufacturer are properly configured according to a company’s requirements and policies.
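As an added illustration of the "know what is on your network" step (this is example code written for this page, not code from the article or from any discovery product), the following Python reconciles what a DHCP server has actually leased against an approved asset inventory. It reports devices nobody approved, approved devices that turned up in the wrong network segment, and approved devices that are missing. The lease lines, MAC addresses, subnets and the `parse_leases` and `reconcile` functions are all constructed for this example; a real deployment would feed it the output of whatever discovery tool the organization uses.

```python
"""Reconcile live network observations with the approved IoT inventory.

Added example for this article, not code from the article or any product.
The lease lines and the inventory below are constructed sample data."""
import ipaddress
import re

# Constructed: dnsmasq-style DHCP lease lines (expiry, MAC, IP, hostname, client-id).
DHCP_LEASES = """\
1567296000 00:40:8c:12:34:56 10.20.1.11 cam-lobby 01:00:40:8c:12:34:56
1567296010 00:40:8c:ab:cd:ef 10.10.5.12 cam-dock *
1567296020 3c:22:fb:00:11:22 10.20.1.40 iPhone-personal *
1567296030 00:11:22:33:44:55 10.10.5.7 hvac-ctrl-1 *
1567296040 d8:3a:dd:99:88:77 10.20.1.41 * *
"""

# Constructed: approved inventory keyed by MAC, with the segment each role must live in.
APPROVED = {
    "00:40:8c:12:34:56": {"role": "camera", "subnet": "10.20.1.0/24"},
    "00:40:8c:ab:cd:ef": {"role": "camera", "subnet": "10.20.1.0/24"},
    "00:11:22:33:44:55": {"role": "hvac", "subnet": "10.10.5.0/24"},
    "00:40:8c:00:00:01": {"role": "camera", "subnet": "10.20.1.0/24"},
}

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\S+)\s+(?P<host>\S+)"
)


def parse_leases(text):
    """Return a list of (mac, ip_address, hostname) tuples from lease-file text."""
    seen = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            seen.append((m["mac"].lower(), ipaddress.ip_address(m["ip"]), m["host"]))
    return seen


def reconcile(leases, approved):
    """Compare observed devices with the approved inventory.

    unknown:       on the network but not in the inventory (e.g. a personal phone)
    wrong_segment: approved, but addressed outside the segment its role requires
    missing:       in the inventory but not observed (retired, unplugged, or moved)
    """
    report = {"unknown": [], "wrong_segment": [], "missing": []}
    seen_macs = set()
    for mac, ip, host in leases:
        seen_macs.add(mac)
        entry = approved.get(mac)
        if entry is None:
            report["unknown"].append((mac, str(ip), host))
            continue
        if ip not in ipaddress.ip_network(entry["subnet"]):
            report["wrong_segment"].append((mac, str(ip), entry["role"], entry["subnet"]))
    for mac, entry in approved.items():
        if mac not in seen_macs:
            report["missing"].append((mac, entry["role"]))
    return report


if __name__ == "__main__":
    for category, items in reconcile(parse_leases(DHCP_LEASES), APPROVED).items():
        print(category)
        for item in items:
            print("  ", *item)
```

Running it against the constructed data flags the personal phone and one unlabelled host as unknown, shows the dock camera sitting in the HVAC segment rather than the camera VLAN, and lists one approved camera that never appeared. Those three categories are exactly the questions a periodic inventory review has to answer before any hardening policy can be applied consistently.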
Armed with a solid understanding of the hardware, systems and devices deployed on the network, organizations can then develop the processes and procedures for securing them. Part of this is making sure devices offer appropriate security features and can be hardened or updated through firmware.

Once policies have been put in place, it’s also important for an organization to have someone who can communicate IT policies and work with the integrator to ensure that devices are configured to fit within those policies. For example, a primary policy would be that any device installed on the network, whether it’s a server, a workstation or an IoT device, must communicate using encryption over the customer’s local area network in order to lower the risk of cyberattacks.

Based on that policy, any IP camera that’s installed must enable encryption, and the video management system will need to be able to read the encrypted communication from that camera. Going a step further, when drafting these policies, end users also have to take mobile devices into account and establish a policy that protects the organization’s network from being compromised by an individual’s personal device.

Policies play an integral part in overcoming the human element. Another factor is having tools that make it easy to maintain consistency when deploying cybersecurity features in IoT devices. For example, if someone has to configure hundreds of different devices one by one to make them secure, especially if multiple people are doing it, the human factor takes over and mistakes can be made.
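The two points above, a written policy (encrypted communication over the LAN) and tooling that applies it consistently across hundreds of devices, can be combined into a baseline audit. The Python below is an added example for this page, not code from the article or from any vendor's management tool: it expresses the policy once as a baseline and checks each device's reported configuration against it, covering encryption-only transport, a minimum TLS version, signed-firmware enforcement and client IP filtering (features the article lists under Finding the Right Fit). The baseline keys, the device records and the `check_device` and `audit` functions are a constructed, hypothetical schema; a real tool would populate the device records from whatever the devices actually report.

```python
"""Check many IoT devices against one written security baseline.

Added example for this article, not code from the article or any vendor.
The baseline keys and the device records are a constructed, hypothetical
schema standing in for whatever a real device management tool reads back."""
import ipaddress

# Constructed baseline expressing the article's policy: encrypted transport only,
# a modern TLS floor, signed firmware, and client IP filtering limited to the VMS subnet.
BASELINE = {
    "encrypt_only": True,                 # plaintext HTTP/RTSP disabled
    "tls_min_version": (1, 2),
    "signed_firmware_only": True,
    "allowed_clients": ["10.30.0.0/24"],  # VMS and management hosts (constructed)
}

# Constructed configuration as read back from three devices after deployment.
DEVICES = [
    {"name": "cam-lobby", "encrypt_only": True, "tls_min_version": (1, 2),
     "signed_firmware_only": True, "allowed_clients": ["10.30.0.0/24"]},
    {"name": "cam-dock", "encrypt_only": False, "tls_min_version": (1, 0),
     "signed_firmware_only": True, "allowed_clients": ["0.0.0.0/0"]},
    {"name": "intercom-1", "encrypt_only": True, "tls_min_version": (1, 2),
     "signed_firmware_only": False,
     "allowed_clients": ["10.30.0.0/24", "10.20.1.0/24"]},
]


def check_device(device, baseline):
    """Return a list of readable deviations from the baseline (empty list = compliant)."""
    findings = []
    if baseline["encrypt_only"] and not device["encrypt_only"]:
        findings.append("plaintext protocols enabled")
    if device["tls_min_version"] < baseline["tls_min_version"]:
        findings.append("TLS minimum below %d.%d" % baseline["tls_min_version"])
    if baseline["signed_firmware_only"] and not device["signed_firmware_only"]:
        findings.append("unsigned firmware accepted")
    allowed = [ipaddress.ip_network(n) for n in baseline["allowed_clients"]]
    for cidr in device["allowed_clients"]:
        net = ipaddress.ip_network(cidr)
        # A device-side filter entry is acceptable only if it lies entirely
        # inside a range the policy allows; 0.0.0.0/0 is the classic "open to all" slip.
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"client filter permits {cidr} outside policy")
    return findings


def audit(devices, baseline):
    """Map device name -> findings for every non-compliant device."""
    report = {}
    for device in devices:
        findings = check_device(device, baseline)
        if findings:
            report[device["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(DEVICES, BASELINE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Because the policy lives in one place, adding a requirement (say, a newer TLS floor) means changing the baseline once and re-running the audit, rather than relying on each installer to remember the new setting on each device. The same shape works as a pre-acceptance check before an integrator hands a site over.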
Finding the Right Fit
For integrators, the road to strong cybersecurity starts with selecting products that can deliver strong cybersecurity for protecting customers’ networks. When selecting solutions for end users, it’s important to look for products with features that fit into the customer’s security policy. These could include encryption, IP address filtering to restrict who and what can access a device, digitally signed firmware, or secure boot, which halts the boot process if foreign code is introduced to the device.

However, when installing and deploying devices, it’s not practical to simply turn on all the security features, drop the device into an enterprise environment and hope that it works. IoT relies on interconnectivity and communication between devices, so the necessary connections have to be coordinated, and communication has to be encrypted.

Keep in mind that not all encryption is the same: whatever encryption is running on the edge device must also be supported by the server it’s connecting to. Otherwise, they simply can’t communicate, which completely undermines the core benefit of the IoT.

This means each end user will require some degree of customization in the configuration of devices, so integrators have to make sure they and their staff have the right skills and that they’re properly communicating with the end user to make sure their security needs are heard and addressed. Additionally, the level of customization and the end user’s cybersecurity needs must be dictated by established policies.

Many manufacturers also provide a hardening guide that details how best to secure their devices. This can be an invaluable tool for integrators and end users, but it can’t replace the need for an organization to have a security policy in place and then use the hardening guide to determine which specific features can be implemented to fit into that policy.

Another key factor when evaluating products is to identify a manufacturer that adheres to cybersecurity best practices such as strong encryption and a variety of additional security features that deliver the highest level of protection for devices. Manufacturers must also be open and transparent, so that when a vulnerability is discovered in one of their devices they alert customers and provide a fix as soon as possible.
Managing IoT Device Lifecycles
An unfortunate reality is that all devices will eventually expire or, at the very least, reach the end of their useful life. For example, an IP camera could have a functional lifetime of upward of 10 to 15 years. However, security vulnerabilities will change quickly and dramatically over that period, which makes it difficult for manufacturers to keep providing the updates required to keep those cameras protected in an evolving cybersecurity threat landscape.

The good news is that in many cases this can be predictable, provided an organization is engaged in some sort of structured lifecycle management program. Implementing, monitoring and managing lifecycles gives organizations the ability to better plan for introducing new technology into their environment. Lifecycle management also allows organizations to keep pace with new and emerging cybersecurity threats while ensuring they are using the appropriate and most advanced technologies to minimize security threats and vulnerabilities and avoid the costs associated with cyber breaches.

This process also allows organizations to identify devices that may be nearing the end of their useful life, or that are too outdated for the manufacturer to provide support, including firmware and operating system updates, which leaves them exposed to risk. In any case, these devices must be replaced with newer solutions that offer up-to-date cybersecurity features and are supported by the manufacturer. In addition to security, the hallmark of a good lifecycle management program is the ability for an organization to plan and budget for replacing a certain number or percentage of devices each year rather than facing an expensive replacement of an entire system or major component.
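The lifecycle program described above reduces to two questions that can be answered from an inventory with vendor end-of-support dates: which devices are already unsupported or about to be, and how to spread their replacement over several budget years. The Python below is an added example for this page, not code from the article or any vendor: `classify` sorts the fleet into unsupported, expiring and supported, and `replacement_plan` schedules each device into the year its support ends (or the current year if that has already passed) while capping the number replaced per year at a budgeted share, pulling a replacement forward when a year is full or, when no earlier year has room, pushing it out and flagging it as overdue. The device names, dates, the yearly share and both function names are constructed; the reference date is the article's publication month.

```python
"""Lifecycle planning for an IoT fleet: which devices are unsupported or about
to lose vendor support, and a yearly replacement schedule that spreads the cost.

Added example for this article, not code from the article or any vendor.
The fleet and its end-of-support dates are constructed sample data."""
import math
from dataclasses import dataclass
from datetime import date

# Reference date for the checks below: the article's publication month.
TODAY = date(2019, 9, 1)


@dataclass
class Device:
    name: str
    end_of_support: date  # last date the manufacturer ships firmware/security updates


# Constructed fleet. A real program would load this from the asset inventory.
FLEET = [
    Device("cam-lobby", date(2019, 6, 30)),
    Device("cam-dock", date(2023, 12, 31)),
    Device("hvac-ctrl-1", date(2018, 1, 15)),
    Device("intercom-1", date(2026, 5, 1)),
    Device("cam-gate", date(2020, 3, 31)),
    Device("cam-parking", date(2019, 10, 1)),
]


def classify(fleet, today, warning_days=365):
    """Bucket devices by support status relative to `today`.

    unsupported: the vendor no longer ships updates (replace now)
    expiring:    support ends within `warning_days` (plan the replacement)
    supported:   still receiving updates
    """
    out = {"unsupported": [], "expiring": [], "supported": []}
    for dev in fleet:
        days_left = (dev.end_of_support - today).days
        if days_left < 0:
            out["unsupported"].append(dev.name)
        elif days_left <= warning_days:
            out["expiring"].append(dev.name)
        else:
            out["supported"].append(dev.name)
    return out


def replacement_plan(fleet, today, yearly_share=0.25):
    """Assign each device to a replacement year, at most `yearly_share` of the fleet per year.

    Devices are placed in the year their support ends (never earlier than `today`).
    If that year is full the device is pulled forward into the latest earlier year
    with room; if no earlier year has room it is deferred and reported as overdue,
    which is the signal that the yearly budget share is too small for this fleet.
    """
    capacity = max(1, math.ceil(len(fleet) * yearly_share))
    plan, overdue = {}, []
    for dev in sorted(fleet, key=lambda d: d.end_of_support):
        desired = max(today.year, dev.end_of_support.year)
        year = next((y for y in range(desired, today.year - 1, -1)
                     if len(plan.get(y, [])) < capacity), None)
        if year is None:
            year = desired + 1
            while len(plan.get(year, [])) >= capacity:
                year += 1
            overdue.append(dev.name)
        plan.setdefault(year, []).append(dev.name)
    return plan, overdue


if __name__ == "__main__":
    for status, names in classify(FLEET, TODAY).items():
        print(f"{status}: {', '.join(names) or '-'}")
    plan, overdue = replacement_plan(FLEET, TODAY)
    for year in sorted(plan):
        print(year, plan[year])
    print("overdue (budget share too small):", overdue)
```

With the constructed fleet and a 25 percent yearly share, two devices are already unsupported and two more lose support within the year; the planner fills 2019 with the two unsupported units, has to defer the parking camera to 2020 and flags it, and leaves the 2023 and 2026 devices where their support ends. Raising `yearly_share` until the overdue list is empty gives a quick way to size the budget the article recommends planning for.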
Given the number and variety of networked devices available today, applications of IoT networks would seem to be limited only by the imagination. The combined data generated by these interconnected systems offers tremendous potential to deliver deep insights and intelligence that have never before been possible, provided IoT devices and networks are properly designed, deployed, managed and secured. These best practices will help manufacturers, integrators and end users harness the true power of the IoT.
This article originally appeared in the September 2019 issue of Security Today.