IoT devices bring many of the same basic security challenges as BYOD technologies. That is, you need to think about how they are deployed and configured, functionality and maintenance updates, encryption of data in transit and at rest, authentication and authorization, and general administration. They also bring some new challenges.
What adds to the complexity is that many of these devices are “headless” and meant to run autonomously. Because of that, special planning has to be in place to understand how they communicate the data they are collecting to other devices, gateways, or back to the cloud. In addition, since they are largely autonomous and often do not have any physical user interface, you need to have a plan for identifying just how many of them there are. This identification process needs to be automated so you are monitoring the IoT population on an ongoing basis.
IoT devices, just like virtually any other resource on your network, need to be continually maintained to ensure they are running up-to-date versions of software and firmware. Like any other system, their installation needs to be hardened so they are not running default “off the shelf” configurations. It is also important to limit access to the devices both from a physical point of view (keep them isolated) and from a network management point of view (through firewall and access control mechanisms).
Your disaster recovery and data breach policies must be updated with specific plans and instructions on how to handle the IoT infrastructure and devices. These policies and plans need to be regularly exercised to ensure that recovery from a problem will succeed and that the plans stay up to date.
In the end, you are likely to adopt a defensive strategy for adding IoT devices to your enterprise network. That is, you should assume they are likely to introduce security threats and opportunities for data disclosure, and plan and analyze accordingly.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.