Some Things just aren't meant to be (on Internet of Things networks). But we can work around that
Plus: Did you know 'shadow IoT' was a thing? It is
Analysis: What exactly is the Internet of Things? According to Gartner and IDC, it's a network of endpoints capable of interacting with each other and the world via IP connectivity.
Consultant McKinsey & Company defines IoT as sensors and actuators embedded in physical objects, from roadways to pacemakers, that churn out huge amounts of data.
From the point of view of an IT pro on the sharp end, it's more than that: it's a set of network-connected devices that are more eclectic than ever before, and that weren't necessarily originally intended to be connected to the network.
So how do you manage a Network of Things so it keeps working and stays secure? IoT might be a new and diverse idea, but the principles for managing it aren't. In fact, you can draw on existing techniques and practices to see you right.
Question every type of device
It may sound a little odd, but when you're considering how to manage IoT devices, decide first of all whether you actually want to have them at all. For example, a former colleague of mine has the option of adding Ethernet adaptors to the emergency generators in his data room but has decided not to – simply so the vendor's engineers have to visit to do maintenance rather than being allowed to break and crash things from afar. You should be installing devices based on requirements, and one of the requirements must be manageability.
Watch like a hawk for shadow IoT
One of the great things with IoT devices is that they're often very straightforward to get connected and set up. One of the less great things, however, is that they're often very straightforward to get connected and set up. You've heard of "shadow IT" – where users install their own stuff without the approval, knowledge or assistance of the IT department – and now we have Shadow IoT. Shadow IoT is a bigger worry than shadow IT because many of the devices – networked cameras and the like – cost only a few tens of pounds, so anyone can afford to buy them or can get away with slipping them on a company credit card.
Your network management package will generally be able to spot rogue devices – stuff that you haven't specifically configured it to watch over – and you absolutely must turn on rogue device alerting. Wi-Fi is the connection method of choice for IoT kit, which means security nightmares thanks to radios that could well be accepting connections from anything that wants to emit a signal at them.
Network admission control
As well as watching for shadow IT, be proactive if you can. While you should watch for stuff that connects, you should also do what you can to prevent it from connecting in the first place. Sometimes you'll be lucky and the kit you're using will support a nice NAC protocol like IEEE 802.1x; sometimes not, in which case you can consider more basic approaches such as "sticky MAC" (in which you can configure LAN switch ports not to admit new devices). I'd always recommend a combination of prevention and detection – just to cater for those circumstances when someone misconfigures a switch and doesn't turn on all the safeguards, or other circumstances where someone circumvents your protection and manages to connect a dodgy device.
Figure out the protocols
Different devices will have different management protocols. SNMP will be pretty common, but some gadgets may have custom interfaces – REST APIs, XML over HTTP/HTTPS, and the like. Check out the documentation to see whether any of the management interfaces have more functionality than others: pick the ones you want to use and most importantly turn the rest off – never, ever leave a device able to talk to a network in a way that you don't need it to.
Sort out the security
I'm going to get all Cyber Essentials on you now: change all the default passwords, SNMP community strings, the lot. Many IoT devices don't even have passwords set by default: you just fire up the management application which magically finds the devices and auto-configures them.
Scour all the configuration screens for anything vaguely resembling a password and change them all from the defaults. Note also that a lot of IoT devices don't use standard default passwords ("admin", "password", and the like) but instead have more cryptic ones... that are printed on the back of the device. Always, always change the out-of-the-box password.
Manage your IP addresses
IoT devices tend to hunt in packs, and their dead-easy-to-set-up nature means that they'll just grab an address from DHCP and run with it. Before you know it, you'll have dozens of devices scattered around your IP address space.
If you're feeling energetic, or you have too much time on your hands, or you've got a work experience lad in from the local secondary school, you could consider assigning static IP addresses to the IoT devices so you know exactly which is which. Because you're probably not, you don't and you haven't, you can at least define address ranges for the different types of IoT kit to live in. To do this you'll need to engage in subnetting.
Subnet the IoT stuff
Subnetting is your friend. Although you've done as we told you and changed the default passwords, and turned off the unwanted services, you should still secure the network that the IoT kit lives in. Define a collection of subnets for the various IoT devices and assign DHCP ranges: it's dead easy to do and it'll help make things manageable. Most importantly, though, because you have subnets you can define access control lists (ACLs) to limit the traffic that can get in and out: ensure that the only traffic permitted is what the devices need to work and be managed. If they're connecting wirelessly, use a dedicated SSID that lands them in an IoT subnet too – again, if you're lucky enough to have kit that supports it you should turn on 802.1x; if not, use MAC address blocking to admit only the devices you want to permit. Work on the basis that you don't trust the kit, and that you don't trust anyone not to try to connect to it.
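An added example, not part of the original article: the sketch below carves a constructed IoT supernet into one subnet per device class with a DHCP range each, then audits a constructed DHCP lease table for the two failures the shadow IoT and subnetting sections describe: unknown devices turning up in IoT address space, and approved devices sitting in the wrong subnet. The addresses, MACs, class names and both function names are assumptions made for illustration.

```python
import ipaddress

# Constructed plan: one /24 per device class carved out of an IoT /22.
IOT_SUPERNET = ipaddress.ip_network("10.50.0.0/22")
DEVICE_CLASSES = ["cameras", "hvac", "door-controllers"]

# Constructed inventory of approved devices (MAC -> class) and DHCP leases.
APPROVED = {
    "00:11:22:aa:00:01": "cameras",
    "00:11:22:aa:00:02": "cameras",
    "00:11:22:bb:00:01": "hvac",
    "00:11:22:cc:00:01": "door-controllers",
}
LEASES = [
    ("00:11:22:aa:00:01", "10.50.0.21"),     # camera where it belongs
    ("00:11:22:AA:00:02", "10.50.1.40"),     # camera that landed in the HVAC subnet
    ("00:11:22:bb:00:01", "10.50.1.17"),     # HVAC controller where it belongs
    ("de:ad:be:ef:00:99", "10.50.0.77"),     # not in the inventory at all
    ("00:11:22:cc:00:01", "192.168.10.30"),  # door controller on the office LAN
    ("aa:bb:cc:00:00:10", "192.168.10.31"),  # office laptop, out of scope here
]

def plan_subnets(supernet, classes, prefix=24, reserved=10):
    """Give each device class its own subnet and a DHCP range inside it."""
    subnets = list(supernet.subnets(new_prefix=prefix))
    if len(classes) > len(subnets):
        raise ValueError("supernet too small for the requested classes")
    plan = {}
    for name, subnet in zip(classes, subnets):
        hosts = list(subnet.hosts())
        # Lowest addresses stay outside DHCP for the gateway and static kit.
        plan[name] = {"subnet": subnet, "dhcp": (hosts[reserved], hosts[-1])}
    return plan

def audit_leases(plan, approved, leases, supernet=IOT_SUPERNET):
    """Flag unknown devices in IoT space and approved devices in the wrong subnet."""
    findings = []
    for mac, ip in leases:
        mac, addr = mac.lower(), ipaddress.ip_address(ip)
        expected = approved.get(mac)
        actual = next((c for c, p in plan.items() if addr in p["subnet"]), None)
        if expected is None:
            if addr in supernet:
                findings.append((mac, ip, "unknown device in IoT space"))
        elif actual != expected:
            findings.append((mac, ip, f"{expected} device in {actual or 'non-IoT'} subnet"))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(plan_subnets(IOT_SUPERNET, DEVICE_CLASSES), APPROVED, LEASES):
        print(finding)
```

MAC addresses can be changed by whoever controls the device, so an audit like this is detection to run alongside 802.1x or port security, not a replacement for them.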
Understand how the devices connect to the world
If you're to manage and monitor your IoT devices, you need to understand how they work. Now, some devices sit and listen for connections: all very straightforward but you end up having to configure inbound firewall or ACL rules to permit the packets to get in. Other types of device call out to a master server (my NetGear Arlo cameras are an example). Whatever the case, establish what is meant to generate connections to what and let your network monitor alert you if it starts seeing unexpected traffic going to and from the IoT subnets.
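An added example, not from the original article: a baseline of who is meant to initiate connections to whom, checked against constructed flow records so that anything else touching the IoT subnets is reported. It assumes each record's source is the initiator of the connection; the subnets, the management host address, the documentation-range "vendor cloud" and all names in the code are assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")          # src = initiator
Rule = namedtuple("Rule", "initiator responder proto dport")
net = ipaddress.ip_network

# Constructed IoT subnets and baseline; 203.0.113.0/24 stands in for a vendor cloud.
IOT_NETS = [net("10.50.0.0/24"), net("10.50.1.0/24")]
BASELINE = [
    # Call-out devices: cameras open HTTPS sessions to the vendor's servers.
    Rule(net("10.50.0.0/24"), net("203.0.113.0/24"), "tcp", 443),
    # Listening devices: only the management host polls HVAC kit over SNMP.
    Rule(net("10.20.0.5/32"), net("10.50.1.0/24"), "udp", 161),
]
# Constructed flow records, as a flow collector might export them.
FLOWS = [
    Flow("10.50.0.21", "203.0.113.10", "tcp", 443),   # camera -> vendor cloud
    Flow("10.20.0.5", "10.50.1.17", "udp", 161),      # manager polls HVAC
    Flow("10.50.0.21", "10.10.5.9", "tcp", 445),      # camera -> file server
    Flow("198.51.100.7", "10.50.0.21", "tcp", 23),    # inbound to a call-out device
    Flow("10.20.0.8", "10.50.1.17", "udp", 161),      # SNMP from the wrong host
    Flow("10.10.5.9", "10.10.5.20", "tcp", 443),      # no IoT endpoint, ignored
]

def in_iot(ip):
    """True if the address sits in one of the IoT subnets."""
    return any(ipaddress.ip_address(ip) in n for n in IOT_NETS)

def allowed(flow, baseline):
    """A flow is allowed only if initiator, responder, protocol and port all match a rule."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(src in r.initiator and dst in r.responder
               and flow.proto == r.proto and flow.dport == r.dport
               for r in baseline)

def unexpected_flows(flows, baseline=BASELINE):
    """Return (direction, flow) for flows that touch IoT space but match no rule."""
    alerts = []
    for f in flows:
        if not (in_iot(f.src) or in_iot(f.dst)):
            continue  # nothing to do with the IoT subnets
        if not allowed(f, baseline):
            alerts.append(("from-iot" if in_iot(f.src) else "to-iot", f))
    return alerts

if __name__ == "__main__":
    for direction, flow in unexpected_flows(FLOWS):
        print(direction, flow)
```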
Watch for security releases
IoT has a reputation, and rightly so, for being susceptible to security attacks. Ancient firmware seems to be the order of the day in the world of IoT, and it's absolutely critical that you have a schedule for upgrading the software on your devices. Some kit will happily update itself, in which case you can either decide to let it (if you don't mind it rebooting itself at random) or schedule a manual exercise. And where stuff doesn't update automatically, it's crucial to ensure that you do an update regularly.
Keep an eye on the IT press and the hardware vendors' websites, too: you really want to know about security issues as soon as they're discovered.
Have a hardware refresh policy
Although, as we mentioned earlier, IoT devices are often very inexpensive, this doesn't mean you don't treat them like your other hardware. When something becomes end-of-life it means there are no more security updates – so just as you'd replace your firewalls when the vendor no longer supported them, you should look at the same with your IoT kit.
Like I already said: out-of-date firmware with no security patches available is an accident waiting to happen.
Do regular risk (re)assessments
And finally, remember: IoT devices are for life, not just for Christmas. Your network management regime should be one of continual improvement and regular re-assessment. Time marches on, and your entire setup evolves along with it: even if you're not changing your IoT world, changes to other parts of the infrastructure may alter the risk level (and, for that matter, the organisation's risk appetite may well change over time too). So re-assess the risk of all this IoT stuff at least a couple of times a year, and have a programme of continual improvement to ensure that your equipment keeps up with everything else. ®