Some Things just aren't meant to be (on Internet of Things networks). But we can work around that

Plus: Did you know 'shadow IoT' was a thing? It is

Analysis What exactly is the Internet of Things? According to Gartner and IDC, it's a network of endpoints capable of interacting with each other and the world via IP connectivity.

Consultant McKinsey & Company defines IoT as sensors and actuators embedded in physical objects, from roadways to pacemakers, that churn out huge amounts of data.

From the point of view of an IT pro on the sharp end, it's more than that: it's a set of network-connected devices that are more eclectic than ever before, and that weren't necessarily originally intended to be connected to the network.

So how do you manage a Network of Things so it keeps working and stays secure? IoT might be a new and diverse idea, but the principles for managing it aren't. In fact, you can draw on existing techniques and practices to see you right.

Question every type of device

It may sound a little odd, but when you're considering how to manage IoT devices, decide first of all whether you actually want to have them at all. For example, a former colleague of mine has the option of adding Ethernet adaptors to the emergency generators on his data room but has decided not to – simply so the vendor's engineers have to visit to do maintenance rather than being allowed to break and crash things from afar. You should be installing devices based on requirements, and one of the requirements must be manageability.

Watch like a hawk for shadow IoT

One of the great things with IoT devices is that they're often very straightforward to get connected and set up. One of the less great things, however, is that they're often very straightforward to get connected and set up. You've heard of "shadow IT" – where users install their own stuff without the approval, knowledge or assistance of the IT department – and now we have Shadow IoT. Shadow IoT is a bigger worry than shadow IT because many of the devices – networked cameras and the like – cost only a few tens of pounds, so anyone can afford to buy them or can get away with slipping them on a company credit card.

Your network management package will generally be able to spot rogue devices – stuff that you haven't specifically configured it to watch over – and you absolutely must turn on rogue device alerting. Wi-Fi is the connection method of choice for IoT kit, which means security nightmares thanks to radios that could well be accepting connections from anything that wants to emit a signal at them.

Network admission control

As well as watching for shadow IT, be proactive if you can. While you should watch for stuff that connects, you should also do what you can to prevent it from connecting in the first place. Sometimes you'll be lucky and the kit you're using will support a nice NAC protocol like IEE802.1x; sometimes not, in which case you can consider more basic approaches such as "sticky MAC" (in which you can configure LAN switch ports not to admit new devices). I'd always recommend a combination of prevention and detection – just to cater for those circumstances when someone misconfigures a switch and doesn't turn on all the safeguards, or other circumstances where someone circumvents your protection and manages to connect a dodgy device.

Figure out the protocols

Different devices will have different management protocols. SNMP will be pretty common, but some gadgets may have custom interfaces – REST APIs, XML over HTTP/HTTPS, and the like. Check out the documentation to see whether any of the management interfaces have more functionality than others: pick the ones you want to use and most importantly turn the rest off – never, ever leave a device able to talk to a network in a way that you don't need it to.

Sort out the security

I'm going to get all Cyber Essentials on you now: change all the default passwords, SNMP community strings, the lot. Many IoT devices don't even have passwords set by default: you just fire up the management application which magically finds the devices and auto-configures them.

Security of IoT

If you're serious about securing IoT gadgets, may as well start here


Scour all the configuration screens for anything vaguely resembling a password and change them all from the defaults. Note also that a lot of IoT devices don't use standard default passwords ("admin", "password", and the like) but instead have more cryptic ones... that are printed on the back of the device. Always, always change the out-of-the-box password.

Manage your IP addresses

IoT devices tend to hunt in packs, and their dead-easy-to-set-up nature means that they'll just grab an address from DHCP and run with it. Before you know it, you'll have dozens of devices scattered around your IP address space.

If you're feeling energetic, or you have too much time on your hands, or you've got a work experience lad in from the local secondary school, you could consider assigning static IP addresses to the IoT devices so you know exactly which is which. Because you're probably not, you don't and you haven't, you can at least define address ranges for the different types of IoT kit to live in. To do this you'll need to engage in subnetting.

Subnet the IoT stuff

Subnetting is your friend. Although you've done as we told you and changed the default passwords, and turned off the unwanted services, you should still secure the network that the IoT kit lives in. Define a collection of subnets for the various IoT devices and assign DHCP ranges: it's dead easy to do and it'll help make things manageable. Most importantly, though, because you have subnets you can define access control lists (ACLs) to limit the traffic that can get in and out: ensure that the only traffic permitted is what the devices need to work and be managed. If they're connecting wirelessly, use a dedicated SSID that lands them in an IoT subnet too – again, if you're lucky enough to have kit that supports it you should turn on 802.1x; if not, use MAC address blocking to admit only the devices you want to permit. Work on the basis that you don't trust the kit, and that you don't trust anyone not to try to connect to it.

Understand how the devices connect to the world

If you're to manage and monitor your IoT devices, you need to understand how they work. Now, some devices sit and listen for connections: all very straightforward but you end up having to configure inbound firewall or ACL rules to permit the packets to get in. Other types of device call out to a master server (my NetGear Arlo cameras are an example). Whatever the case, establish what is meant to generate connections to what and let your network monitor alert you if it starts seeing unexpected traffic going to and from the IoT subnets.

Watch for security releases

IoT has a reputation, and rightly so, for being susceptible to security attacks. Ancient firmware seems to be the order of the day in the world of IoT, and it's absolutely critical that you have a schedule for upgrading the software on your devices. Some kit will happily update itself, in which case you can either decide to let it (if you don't mind it rebooting itself at random) or schedule a manual exercise. And where stuff doesn't update automatically, it's crucial to ensure that you do an update regularly.

Keep an eye on the IT press and the hardware vendors' websites, too: you really want to know about security issues as soon as they're discovered.

Have a hardware refresh policy

Although, as we mentioned earlier, IoT devices are often very inexpensive this doesn't mean you don't treat them like your other hardware. When something becomes end-of-life it means there are no more security updates – so just as you'd replace your firewalls when the vendor no longer supported them, you should look at the same with your IoT kit.

Like I already said: out-of-date firmware with no security patches available is an accident waiting to happen.

Do regular risk (re)assessments

And finally, remember: IoT devices are for life, not just for Christmas. Your network management regime should be one of continual improvement and regular re-assessment. Time marches on, and your entire setup evolves along with it: even if you're not changing your IoT world, changes to other parts of the infrastructure may alter the risk level (and, for that matter, the organisation's risk appetite may well change over time too). So re-assess the risk of all this IoT stuff at least a couple of times a year, and have a programme of continual improvement to ensure that your equipment keeps up with everything else. ®

Similar topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022