Over the last few months, hacks affecting more than 150,000 surveillance cameras have drawn attention to the security of devices that reside on a network. These internet-connected devices, often referred to as the Internet of Things (IoT), are growing in number at a rate that is (quite frankly) mind-boggling.
The market for IoT is predicted to reach $520 billion in sales in 2021, according to Forbes. Research from Cisco predicts that we will hit 27.1 billion networked devices this year, indicative of the rate of connectivity that we are continuing to see. But this growth is not without some potential problems as cybersecurity and network security are critical to protecting sensitive data and privacy alike.
How IoT devices contribute to cybersecurity
In most cases, IoT devices collect and analyze data for a specific purpose. For example, in a food processing plant, a sensor can track cold-chain compliance for quality assurance purposes. In manufacturing, IoT devices can be used to increase efficiency and streamline operations.
One study from Merck Global estimates that 35% of U.S. manufacturers are using data from smart sensors within their businesses already. This means that there are already a number of IoT devices being used on networks that may have vulnerabilities present. But what can happen?
In 2017, a Las Vegas casino was hacked via a fish tank, which had sensors connected to a computer that regulated things like the cleanliness of the tank, food levels, and the temperature. Since the sensors were directly connected to the casino’s main network, the hackers were able to gain access to data stored in other parts of the network.
While the kind of data that was stolen wasn’t immediately disclosed, instances like this one are no longer uncommon. In 2019, Ring cameras were hacked, allowing hackers to gain access to video taken inside people’s homes. More recently, the hack involving Verkada surveillance cameras, which exposed video being collected at sites such as hospitals and even Tesla, opened up a broader discussion around the security of these devices and the role IT departments play in keeping the network safe.
What does IoT have to do with my business?
Think about how many devices your business uses as part of day-to-day operations: everything from laptops to tablets on a manufacturing floor, in addition to smart sensors, labeling devices, surveillance cameras, and even tracking devices enabled by RFID. Some of these devices are added by departments other than IT, such as procurement or operations.
In the case of surveillance cameras, it’s likely that an integrator brings in their own switches and connects a network video recorder (NVR) that records and stores video footage directly from the network it’s connected to. In some cases, other concerns arise when multiple people have access to the room where the NVR is stored, opening the business to additional risk. This is where IoT devices can become a problem.
Best practices for securing IoT devices
When we discuss adding IoT devices to a network, there are several best practices to keep in mind:
Build a firewall. It’s a good idea to set up a device that monitors traffic between the company network and the internet, or between different parts of the company network (a firewall). This can also be used to prevent data from being accessed by implementing a certain set of security rules. Additionally, access to the firewall should be restricted to an as-needed basis to help further protect the network from outside access.
Use a secondary network. Implementing network segmentation like a virtual local area network (VLAN) can help limit the endpoints available for a would-be attacker to gain access to a network. Segmenting the networks helps reduce the attack surface (or endpoints) within any particular broadcast domain, which is a collection of network devices that receive broadcast traffic from each other. Segmentation also makes it easier to detect anomalous traffic between devices. For example, UPSes should not be talking to database servers. Putting them on different VLANs makes prevention and detection easier.
Pay attention to default settings. For so many hardware manufacturers, default passwords are issued on connected devices to streamline setup. But sometimes these default passwords are not changed, giving hackers the ability to gain access to the device and, in most cases, the network. While it should be part of the setup process to force users to change the default password, this can be overlooked. Making it a priority with your organization’s best practices is an effective way to start.
Add multi-factor authentication. Multi-factor authentication (MFA) is one of the core ways that advanced password security can be achieved (and it is also why we recommend it across your organization and its applications). Maintaining strong password security is a core component of securing IoT devices that reside on a network, and it is considered a best practice to require a multi-layered approach to password security.
Regularly update firmware and software. One of the best ways to ensure that devices are as secure as possible is to engage in regular software and firmware updates, which often contain patches for known vulnerabilities. At times, IoT device manufacturers may not have regular updates, so it’s important to engage with vendors that can provide ongoing patch management and firmware update strategy.
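The segmentation practice above says that devices such as UPSes should not be talking to database servers. The following is an added example, not part of the original article, showing one way to check flow records against a segment plan; the subnets, allowed rules, and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed segment plan: one subnet per VLAN (all values are illustrative).
SEGMENTS = {
    "facilities": ipaddress.ip_network("10.20.30.0/24"),  # UPSes, HVAC sensors
    "cameras":    ipaddress.ip_network("10.20.40.0/24"),  # cameras and the NVR
    "servers":    ipaddress.ip_network("10.20.10.0/24"),  # database servers
    "mgmt":       ipaddress.ip_network("10.20.1.0/24"),   # monitoring, patching
}

# Allowed inter-segment flows: (source segment, destination segment, port).
ALLOWED = {
    ("mgmt", "facilities", 161),   # SNMP polling of UPSes
    ("mgmt", "cameras", 443),      # camera/NVR administration
    ("facilities", "mgmt", 162),   # SNMP traps back to monitoring
}

def segment_of(addr):
    """Return the segment name for an IP address, or None if unassigned."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def find_violations(flows):
    """Return (flow, reason) for flows that cross segments without a rule."""
    findings = []
    for src, dst, dport in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            findings.append(((src, dst, dport), "address outside the segment plan"))
        elif s != d and (s, d, dport) not in ALLOWED:
            findings.append(((src, dst, dport), f"{s} -> {d} on port {dport} not allowed"))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.30.11", 161),     # monitoring polls a UPS: allowed
    ("10.20.30.11", "10.20.10.20", 5432),  # UPS talks to a database server
    ("10.20.40.7", "10.20.40.2", 554),     # camera to NVR, same segment
    ("10.20.40.7", "203.0.113.9", 443),    # camera to an unplanned address
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(flow, reason)
```

Traffic inside one segment is deliberately ignored here, which is why keeping each device class on its own VLAN is what makes the cross-segment check meaningful.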
Choose the right vendor
So, what happens when you are ready to add more IoT devices to your network? Then you need to choose the right vendor.
This recommendation is two-fold: on the one hand, choosing a reputable hardware manufacturer (such as a well-known video surveillance camera manufacturer) will go a long way to help your business keep its IoT devices from becoming threat vectors.
Recently, several Chinese surveillance camera manufacturers and telecom equipment manufacturers were deemed threats by the Federal Communications Commission’s Public Safety and Homeland Security Bureau. The FCC “said the companies produce telecommunications equipment and services that have been found to pose an unacceptable risk to U.S. national security or the security and safety of U.S. persons.”
On the other hand, engaging with a managed service provider (MSP) can help keep your business systems updated with active monitoring for necessary patches and firmware updates. The right vendor can also recommend monitoring solutions that can analyze the behavior of your IoT devices and assess vulnerabilities as they arise, as well as provide ongoing knowledge around who has access to your systems and what kind of security controls are in place. One way to help identify these partners is to look at certifications that provide regular audits and the achievement of standards and best practices on a regular basis.
* Information for this article provided by Karl T. Braun, Operations Strategist for the ZAG Service Delivery Team.