The shape and organization of many corporate networks have changed radically in recent times. One area of particular change is the Internet of Things (“IoT”). Simply put, IoT means connecting different Internet-enabled devices over the Internet: not just smart devices such as desktops, laptops, and smartphones, but also devices not normally considered network devices, like fridges, cookers, and manufacturing production equipment.
However, the cyber security of IoT devices is not as well developed as that of other devices. This is an area that must be addressed. If malware attacks an electronically managed aircraft or vehicle, the results are potentially fatal. Interrupting operations during a manufacturing process can be equally devastating.
What can be done to increase cyber security in an IoT environment? Here are four tips.
Take it Seriously
The first and most important step is to take cyber security in an IoT environment seriously, just as you do in a regular network environment. Draw up a security plan for the IoT environment and ensure that your IoT kit is managed and secured properly.
Because you can never be sure exactly what devices are going to make up your IoT environment, create policies that regulate Bring Your Own Device (BYOD). If you are an employer, make sure that you also have a policy setting out what employees can and cannot do in respect of IoT.
In principle, isolate your IoT network from other networks in your business, so if things go wrong they are limited to the IoT environment and your other business systems can continue to operate.
- In the manufacturing environment, IoT devices managing a manufacturing process can generate very large numbers of transactions needing immediate processing. If these have to go to the core and back for processing, they flood the corporate network and degrade service levels. The answer is “Fog Computing”, where the IoT devices are held in small self-contained clouds, and the local transactions are not sent back to the core.
- Change all default passwords. A common failing with managing networked devices is to leave the default passwords in place. Replace the defaults with strong passwords and change them regularly.
- Don’t broadcast your wireless network SSID. Keep it hidden from prying eyes.
- Use automatic update facilities on the IoT network. Schedule regular checks and manual updates for devices that do not have an automatic software and firmware refresh capability.
- Closely monitor network activity involving IoT devices. Some new malware exploits target IoT devices, believing, with some justification, that they are less secure than other devices.
- Implement a policy setting out a regular programme of activities to make sure that all countermeasures are in place and valid. The policy should also include the activities needed to remedy any errors.
- Carry out incident tests to check security regularly. Security audits can also be useful.
- Backup, backup, backup. Do this regularly to secure locations. Take multiple copies to different locations, some offsite. It won’t be the first time that backups have proved unusable, so check them regularly by restoring them to a dummy network.
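The advice above to isolate the IoT network and to monitor network activity involving IoT devices can be checked together against firewall or flow logs. The following Python example is added here and is not part of the original article; the address ranges, the allow-list and the log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed address plan and policy (hypothetical values, not from the article).
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
BUSINESS_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16")]
ALLOWED = {("10.50.0.10", 8883),  # local fog-node broker
           ("10.50.0.1", 123)}    # time sync on the IoT gateway

# Constructed sample records: "timestamp src dst dst_port action".
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z 10.50.0.21 10.50.0.10 8883 ALLOW
2024-01-01T10:00:05Z 10.50.0.22 10.10.4.15 445 ALLOW
2024-01-01T10:00:07Z 10.50.0.22 10.10.4.15 445 DENY
2024-01-01T10:00:09Z 10.50.0.23 203.0.113.9 23 ALLOW
2024-01-01T10:00:11Z 10.10.4.15 10.50.0.21 80 ALLOW
malformed line
"""

def classify(line):
    """Return a finding for a suspicious IoT-sourced flow, None if benign.
    Raises ValueError when the record cannot be parsed."""
    ts, src, dst, port, action = line.split()
    src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    if src_ip not in IOT_NET or (str(dst_ip), port) in ALLOWED:
        return None  # not an IoT device, or a flow the policy expects
    if any(dst_ip in net for net in BUSINESS_NETS):
        # ALLOW means the segmentation failed; DENY means it held but a device tried.
        kind = "isolation-breach" if action == "ALLOW" else "blocked-attempt"
    elif dst_ip in IOT_NET:
        kind = "unlisted-local"      # device-to-device traffic not on the allow-list
    else:
        kind = "unexpected-egress"   # IoT device talking outside the organisation
    return {"time": ts, "src": src, "dst": dst, "port": port, "action": action, "kind": kind}

def review(log_text):
    """Return (findings, unparsed_count); unparsed records are counted, not hidden."""
    findings, unparsed = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            hit = classify(line)
        except ValueError:
            unparsed += 1
            continue
        if hit:
            findings.append(hit)
    return findings, unparsed

if __name__ == "__main__":
    results, bad = review(SAMPLE_FLOWS)
    for r in results:
        print(r["time"], r["kind"], r["src"], "->", f'{r["dst"]}:{r["port"]}', r["action"])
    print("unparsed records:", bad)
```

An allowed flow from the IoT range into a business range is the case that matters most, because it means a problem on the IoT side is no longer limited to the IoT environment.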
Training and Education
The FBI, among others, has reported that the greatest threat to cyber security sits between the keyboard and the chairback. More cyber threats arise through user errors and omissions than from any other cause. Your users need to understand why and how to recognise and avoid malware, both in standard networks and in an IoT environment:
- Education should start at induction and be regularly reinforced during employment. Have a newsletter for example.
- Education should cover what malware and credential theft are and how to recognise them, both electronically and by impersonation. Users must be able to understand what information is being collected by the devices in your regular and IoT networks and why.
- Education should also cover what to do if users suspect they have encountered malware or an attempt to steal user credentials.
Simply put, security in an IoT environment is as essential as that of a regular network environment. Indeed, when looking at some applications, for example, aircraft, driverless vehicles and manufacturing processes, it is vital to ensure that these IoT systems cannot be tampered with.