Cyber Hygiene: What it Looks Like for IoT Devices

Cyber Hygiene: What it Looks Like for IoT Devices

Understanding an Internet of Things security program takes careful consideration and study. We are pleased to bring you this first online post; others will follow each week, discussing the four core tenets. This is Part 2 of the Four Core Tenets of Any IoT Security Program. The remainder will follow weekly.

For our second pillar about the Industrial Internet of Things (IIoT) Pillars of Security, we are going to discuss what cyber hygiene looks like for IoT devices. We’ll dive into the maintenance, care and management of these devices since they are often deployed with a kind of “set it and forget it” mentality and left alone unless they malfunction.

However, to run a good cybersecurity program, we must apply the same principles to IIoT devices as we do to computers or any other network device. IIoT devices need their firmware and software updated regularly, their passwords need to be changed, and scanned for vulnerabilities.

Consider this for just a minute: at home you probably have a router that you purchased or that your internet service provider gave you. When was the last time that you updated the software on that device, the firmware or have you ever changed the default password that came on it? For most people, the answer to that question is that they have never updated the software or firmware on their home router, and they have never changed the default password.

Now I know that a home router isn’t an IIoT device, but it is something relatable for everyone reading this. Many IIoT devices are treated the same, they are deployed and initially configured, but just kind of left to run after that.

I have identified 8 keys to effective cyber hygiene for IIoT devices which are listed below, but I warn you that it is easier said than done.

1. Have a full inventory of all IIoT devices on your network. All cameras, security system components, SCADA devices, sensors, programmable logic controllers, etc. Be sure to include manufacturer information and model numbers, that way if there is a vulnerability announcement you’ll know if it applies to your environment.

2. Hot tip: Consider setting up vulnerability alerts for your IIoT devices, that way whenever there is a vulnerability disclosure, you’ll be the first to know. My favorite is to subscribe to the CISA vulnerability alert bulletins, and you can even customize which alerts you sign up for – that can be done here Cybersecurity and Infrastructure Security Agency (govdelivery.com).

3. Check for firmware and software updates for these devices on a routine basis

  • Routine basis is a bit of a generic timeline, but it really does depend on the type of device. Typically, IIoT devices only release updates once or twice a year so they don’t need to be updated as often as other devices on your network.

4. Update or change passwords on IIoT devices on a routine basis

  • Routine basis in this case is a generic timeline as well. In my opinion, updating passwords for IIoT devices every 90 days is a bit unrealistic for most organizations. So, figure out something that is manageable.

5. Conduct vulnerability scanning looking for critical vulnerabilities

  • Be careful when conducting vulnerability scans on IIoT devices, especially for the first time because the scans may cause the devices to fail. I recommend testing the devices before deploying them so that you’ll know if they are ok to scan in the future.
  • I also recommend scanning in small segments at a time, that way if devices do fail, it doesn’t knock everything offline.

6. Conduct vendor and device risk assessments when purchasing new IIoT devices

  • Take a close look at the vendor selling the device and see if they have a good reputation for updating their products when vulnerabilities are found.
  • Check to make sure the vendor does some type of code analysis to ensure they are deploying a secure product.
  • Pick a device that has the right settings and protocols for your network.

7. Conduct configuration backups of devices

  • Make sure these backups are stored offsite or in the cloud.

8. Ensure IIoT devices are covered in your Policies and Plans (incident response, change management, config management, patch management, business continuity)

I think the best way to summarize cyber hygiene is to think of it as creating a culture of cybersecurity in your organization. Baking cybersecurity into every physical security, IT, or other function in your business. So just like you shower and brush your teeth on a routine basis (hopefully), consider grooming your IIoT devices on a routine basis. In the next issue we’ll discuss product security.

Join us in the next issue when we cover the last two pillars: Product Security and Proper Configuration.

Featured

  • Pragmatism, Productivity, and the Push for Accountability in 2025-2026

    Every year, the security industry debates whether artificial intelligence is a disruption, an enabler, or a distraction. By 2025, that conversation matured, where AI became a working dimension in physical identity and access management (PIAM) programs. Observations from 2025 highlight this turning point in AI’s role in access control and define how security leaders are being distinguished based on how they apply it. Read Now

  • Report: Cyber Attackers Continue to Turn to AI-Based Tools to Avoid Detection

    Comcast Business recently released its 2025 Cybersecurity Threat Report, a comprehensive analysis of 34.6 billion cybersecurity events detected between June 1,2024 and May 31, 2025. Now in its third year, the report offers business leaders a unique perspective into the evolving threat landscape and provides actionable insights to help organizations strengthen their defenses and align cybersecurity with business risk. Read Now

  • Axis Communications Creates AI-powered Video Surveillance Orchestra

    What if cameras could not only see the world, but interpret it—and respond like orchestra musicians reading sheet music: instantly, precisely, and in perfect harmony? That’s what global network technology leader Axis Communications set to find out. Read Now

  • Just as Expected

    GSX produced a wonderful tradeshow earlier this week. Monday was surprisingly strong in the morning, and the afternoon wasn’t bad at all. That’s Monday’s results and asking attendees to travel on Sunday. Just a quick hint, no one wants to give up their weekend to travel and set up an exhibit booth. I’m just saying. Read Now

    • Industry Events
    • GSX
  • NOLA: The Crescent City

    Twenty years later we finds ourselves in New Orleans. Twenty years ago the aftermath of Hurricane Katrina forced exhibitors and attendees to look elsewhere for tradeshow floor space. Read Now

    • Industry Events
    • GSX

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.