International. The "Internet of Things" will increase the connectivity of a wide variety of devices. What considerations should system integrators take in their deployments to ensure that security systems are not vulnerable?
The "Internet of Things" (IoT) is a network of physical devices (or an "end node", such as an IP camera) accessed from the Internet with the aim of interacting with their internal states (e.g. other devices) or external environment (e.g. the cloud).
These devices can interconnect, know their location or status, and communicate with other nodes, systems, or people. There is a lot of talk about the IoT, however, there is also concern about whether this new technological trend is prepared to face the latest security challenges.
A key point is that internet-connected devices are relatively new and security has not been the focus in product design. The main problem is not cloud security, but the lack of security in the devices themselves (e.g. IP cameras).
In fact, many IoT devices go on sale with old or unupdated embedded software and/or operating systems. Not to mention, in many cases users do not modify the passwords used by default in these devices, or if the passwords are updated, they may not be strong passwords.
What can we do to increase security in our network-connected security systems?
Here are some recommendations:
Lifecycle and updates: Make sure your devices have the latest firmware available, which may contain fixes to critical security vulnerabilities. Keep in mind that some manufacturers release very few updates. In these cases, you might even consider replacing the device with one that offers updates and more secure firmware.
Device access control and authentication: Implementing secure access control and authenticating devices sounds obvious, however many devices do not have a password or the default password was never changed. Consider a password with a certain level of complexity. If you want to go a step further, use devices with the ability to use digital certificates, and thus confirm that they are "trusted" entities on the network. This will require your network infrastructure to support network protocols such as IEEE 802.1x.
Data encryption: If data privacy is a concern, encrypt it. One method to use is persistence-based encryption technology, which encrypts data stored on devices (e.g. flash memory). Encrypted storage cannot be read by anyone who does not have the correct key(s). Encrypt all data sent by any means. A very common method is to use SSL to encrypt traffic on the network and thus prevent attacks such as "man in the middle" and "sniffing of network traffic".
Network Security: Ensure that the network itself is secure. A properly configured firewall is indispensable. If possible, close all ports. Many IoT devices generate outbound connections to the cloud, which is not only "plug and play, but also more secure since the firewall does not have to accept inbound connections and then route them internally on the network. It is important to install the appliance behind firewalls. Another consideration is to have different VPNs within your network to control access on the LAN.
The LAN depends on its weakest link. Also, ensure that you have anti-virus protection on connected devices as well as on the network. Be sure to audit your IT policies regularly and review that they strengthen IT security. Perform penetration testing on devices that must accept inbound connections from untrusted sources.
We will see more investment as the IoT market evolves. Better security will be available as the hardware matures. Until then, use the steps in this article to reduce the risks of being exposed.
*Information provided by Aimetis Corp.
**Watch video with related information HERE
