Cyber Hygiene: What it Looks Like for IoT Devices -- Security Today

Cyber Hygiene: What it Looks Like for IoT Devices

Understanding an Internet of Things security program takes careful consideration and study. We are pleased to bring you this first online post; others will follow each week, discussing the four core tenets. This is Part 2 of the Four Core Tenets of Any IoT Security Program. The remainder will follow weekly.

By Will Knehr
Mar 17, 2023

For our second pillar about the Industrial Internet of Things (IIoT) Pillars of Security, we are going to discuss what cyber hygiene looks like for IoT devices. We’ll dive into the maintenance, care and management of these devices since they are often deployed with a kind of “set it and forget it” mentality and left alone unless they malfunction.

However, to run a good cybersecurity program, we must apply the same principles to IIoT devices as we do to computers or any other network device. IIoT devices need their firmware and software updated regularly, their passwords need to be changed, and scanned for vulnerabilities.

Consider this for just a minute: at home you probably have a router that you purchased or that your internet service provider gave you. When was the last time that you updated the software on that device, the firmware or have you ever changed the default password that came on it? For most people, the answer to that question is that they have never updated the software or firmware on their home router, and they have never changed the default password.

Now I know that a home router isn’t an IIoT device, but it is something relatable for everyone reading this. Many IIoT devices are treated the same, they are deployed and initially configured, but just kind of left to run after that.

I have identified 8 keys to effective cyber hygiene for IIoT devices which are listed below, but I warn you that it is easier said than done.

1. Have a full inventory of all IIoT devices on your network. All cameras, security system components, SCADA devices, sensors, programmable logic controllers, etc. Be sure to include manufacturer information and model numbers, that way if there is a vulnerability announcement you’ll know if it applies to your environment.

2. Hot tip: Consider setting up vulnerability alerts for your IIoT devices, that way whenever there is a vulnerability disclosure, you’ll be the first to know. My favorite is to subscribe to the CISA vulnerability alert bulletins, and you can even customize which alerts you sign up for – that can be done here Cybersecurity and Infrastructure Security Agency (govdelivery.com).

3. Check for firmware and software updates for these devices on a routine basis

Routine basis is a bit of a generic timeline, but it really does depend on the type of device. Typically, IIoT devices only release updates once or twice a year so they don’t need to be updated as often as other devices on your network.

4. Update or change passwords on IIoT devices on a routine basis

Routine basis in this case is a generic timeline as well. In my opinion, updating passwords for IIoT devices every 90 days is a bit unrealistic for most organizations. So, figure out something that is manageable.

5. Conduct vulnerability scanning looking for critical vulnerabilities

Be careful when conducting vulnerability scans on IIoT devices, especially for the first time because the scans may cause the devices to fail. I recommend testing the devices before deploying them so that you’ll know if they are ok to scan in the future.
I also recommend scanning in small segments at a time, that way if devices do fail, it doesn’t knock everything offline.

6. Conduct vendor and device risk assessments when purchasing new IIoT devices

Take a close look at the vendor selling the device and see if they have a good reputation for updating their products when vulnerabilities are found.
Check to make sure the vendor does some type of code analysis to ensure they are deploying a secure product.
Pick a device that has the right settings and protocols for your network.

7. Conduct configuration backups of devices

Make sure these backups are stored offsite or in the cloud.

8. Ensure IIoT devices are covered in your Policies and Plans (incident response, change management, config management, patch management, business continuity)

I think the best way to summarize cyber hygiene is to think of it as creating a culture of cybersecurity in your organization. Baking cybersecurity into every physical security, IT, or other function in your business. So just like you shower and brush your teeth on a routine basis (hopefully), consider grooming your IIoT devices on a routine basis. In the next issue we’ll discuss product security.

Join us in the next issue when we cover the last two pillars: Product Security and Proper Configuration.

HID Signs Agreement to Acquire Calmell Group
07/10/2025
HID and ASSA ABLOY Recognized with Renowned Red Dot Award for Innovative Biometric eGate Design
07/09/2025
Security Industry Association Announces Program for 2025 AcceleRISE Conference
07/07/2025
SIA Opens Applications for 2025 Denis R. Hébert Identity Management Scholarship
07/07/2025
Honeywell Makes Strategic Tuck-in Acquisition of Li-ion Tamer
07/01/2025
Defining SASE at the Largest Consumer Electronics Chain in the Nordics
06/26/2025
Elite Interactive Receives Strategic Investment from CIVC Partners
06/26/2025
ProdataKey’s Emergency Response Integrations: Integrated Access Control Made Easy
06/25/2025

Featured

Sustainable Video Solution Delivered for Landmark City of London Office Development

An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now
- Facility Security
DHS to End ‘Shoes-Off’ Travel Policy

Homeland Security Secretary Kristi Noem announced a new policy today which will allow passengers traveling through domestic airports to keep their shoes on while passing through security screening at TSA checkpoints. Read Now
- Airport Security
AI to Help Resolve Non-Emergency Calls Across Utah and Decrease 911 Caller Wait Times

The Utah Communications Authority (UCA), which oversees the state’s next generation 911 technology services, recently announced that public safety answering points (PSAPs) throughout the state plan to implement Motorola Solutions’ Virtual Response technology to automate the receipt and resolution of 10-digit non-emergency line calls in Utah with the help of AI. Read Now
- Government
Report: 2025 Video Surveillance Market Set to Grow After Small Decline in 2024

Novaira Insights has unveiled its latest report, “World Market for Video Surveillance Hardware and Software – 2025 Edition.” The research indicates that the global market for video surveillance hardware and software experienced a slight decline of 0.3% in 2024. This performance fell short of previous forecasts, primarily due to a significant decrease of 7.8% in the Chinese market. Conversely, the rest of the world saw a growth of 4.9%. The global market for video surveillance equipment was estimated to be worth $25.0 billion in 2024. Read Now
- Video Surveillance
Report Reveals Local Governments Face Surge in Ransomware Attacks with Minimal Resources

KnowBe4, the cybersecurity platform that comprehensively addresses human risk management, recently released new research highlighting the critical cybersecurity challenges facing state, local, tribal, and territorial (SLTT) governments. The report details how government organizations have become prime targets for cybercriminals while simultaneously facing severe resource constraints. Read Now
- Government

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

Compact IP Video Intercom

Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.
Luma x20

Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”
Camden CM-221 Series Switches

Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.