Concern over vulnerabilities in Internet of Things devices has been a hot topic in the cyberdefense industry over the past few years. IoT poses an inherent risk to any organization due to the weak security controls and slow patch releases on many devices.

Many business owners don't think twice about securing their smart devices; it may not even occur to them that these devices are vulnerable to cyberattacks. This oversight leads to errors such as leaving default credentials intact and placing IoT devices on the same network segment as critical assets. Yet IoT devices produce large amounts of data, and many of them control critical infrastructure within your organization, such as lights, heating, water, and even vehicle systems.

Regardless of how many smart devices are utilized in your organization, you must implement compensating controls for them.

Change Default Credentials

It can be very easy to overlook changing credentials for IoT devices. However, leaving the defaults in place creates an extremely easy way for attackers to find a way into your network. Make sure that every IoT device has a unique username and password. Make sure to store these credentials in a safe location such as a password manager.

Isolate IoT Devices

One of the most insecure things you can do to your network is install smart devices on the same network segment as your servers and workstations. A single point of compromise in a flat network means attackers have full rein over every device once they are in. Instead, ensure that IoT devices are placed in their own dedicated VLAN. You can get even more granular and use multiple VLANs for different vendors or functions of smart devices. This way, if an attacker compromises one IoT device, their reach is limited to other IoT devices rather than critical business data.

Regular Firmware Updates

The update schedules for IoT devices can be confusing. Patch releases can be inconsistent, and automatic updates may not be available. As an admin, it is important to monitor your IoT vendor's websites for the newest patch releases. Have a pre-set maintenance window for applying updates and patches whenever they become available.

Network Traffic Monitoring

After IoT devices have been segmented properly, it is recommended to deploy network infrastructure for monitoring and logging the traffic coming in and out of the segments. IoT devices perform specific duties with set network requirements. Therefore, it is beneficial to place a dedicated firewall in front of the IoT segments and only allow the required ports inbound to the segment. Since these network segments are unique to IoT, firewall rules can be more granular without impacting the functionality of other devices, as would be the case if only one network segment were used.

To further supervise activity occurring in IoT networks, you should look into implementing an Intrusion Detection System (IDS). An IDS inspects traffic entering a network and triggers an alert when suspicious traffic is detected. Admins can configure an IDS with varying definitions of suspicious or malicious traffic. In an IoT network segment, an IDS can be configured to trigger alerts for any traffic not part of a normal IoT device workflow.
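The firewall allowlist described in the previous section and the "anything outside the normal workflow" IDS rule described here can be driven from one declarative policy. The following is an added example (not code from the original post) that does both: it renders an nftables forward chain that drops everything into or out of each IoT VLAN except the listed services, and it runs the same policy as a simple detector over flow records, which also catches device-to-device traffic inside a VLAN that a firewall at the segment boundary never sees. The segment names, addresses, ports and flow records are constructed for illustration; the nftables syntax is real, and the Python detector stands in for the rule you would write in a product such as Snort.

```python
"""Policy-driven controls for isolated IoT segments (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed policy. Addresses are private/documentation ranges, not real devices.
# "inbound":  (proto, port, source CIDR allowed to reach devices in the segment)
# "outbound": (proto, port, destination CIDR the devices are allowed to reach)
POLICY = {
    "iot-cameras": {
        "cidr": "10.50.10.0/24",
        "inbound": [("tcp", 554, "10.0.1.0/24"),      # RTSP from the management/NVR net
                    ("tcp", 443, "10.0.1.0/24")],     # web UI from the management net
        "outbound": [("udp", 123, "10.0.0.5/32"),     # internal NTP server
                     ("tcp", 443, "203.0.113.0/24")], # vendor cloud / firmware updates
    },
    "iot-hvac": {
        "cidr": "10.50.20.0/24",
        "inbound": [("udp", 47808, "10.0.1.0/24")],   # BACnet/IP from the BMS server
        "outbound": [("udp", 123, "10.0.0.5/32")],    # internal NTP server
    },
}


def nft_ruleset(policy=POLICY):
    """Render an nftables forward chain: default drop, return traffic allowed,
    then one accept rule per allowlisted service. Load with `nft -f`."""
    lines = [
        "table inet iot_segments {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for name, seg in policy.items():
        lines.append(f"    # segment {name} ({seg['cidr']})")
        for proto, port, src in seg["inbound"]:
            lines.append(f"    ip saddr {src} ip daddr {seg['cidr']} {proto} dport {port} accept")
        for proto, port, dst in seg["outbound"]:
            lines.append(f"    ip saddr {seg['cidr']} ip daddr {dst} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def _segment_of(addr, policy):
    """Name of the IoT segment containing addr, or None if it is not IoT."""
    for name, seg in policy.items():
        if addr in ip_network(seg["cidr"]):
            return name
    return None


def check_flow(src, dst, proto, dport, policy=POLICY):
    """Return None if the flow is part of the expected workflow, else a reason."""
    src, dst = ip_address(src), ip_address(dst)
    src_seg, dst_seg = _segment_of(src, policy), _segment_of(dst, policy)
    if src_seg is None and dst_seg is None:
        return None  # not IoT traffic; out of scope for this detector
    if dst_seg:  # something is reaching into an IoT segment
        for p, port, allowed_src in policy[dst_seg]["inbound"]:
            if (p, port) == (proto, dport) and src in ip_network(allowed_src):
                return None
        kind = "device-to-device" if src_seg else "inbound"
        return f"unexpected {kind} {proto}/{dport} to {dst_seg} from {src}"
    for p, port, allowed_dst in policy[src_seg]["outbound"]:  # device talking out
        if (p, port) == (proto, dport) and dst in ip_network(allowed_dst):
            return None
    return f"unexpected egress {proto}/{dport} from {src_seg} to {dst}"


# Constructed flow records ("timestamp src dst proto dport"), as a firewall
# or a SPAN-port sensor inside the VLAN might export them.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 10.0.1.20 10.50.10.14 tcp 554
2024-05-01T09:00:05 10.50.10.14 10.0.0.5 udp 123
2024-05-01T09:01:10 10.50.10.14 10.50.10.15 tcp 23
2024-05-01T09:02:30 10.50.10.14 198.51.100.7 tcp 443
2024-05-01T09:03:00 10.0.1.20 10.50.10.14 tcp 22
2024-05-01T09:04:12 10.50.10.14 203.0.113.9 tcp 443
2024-05-01T09:05:00 10.0.1.20 10.50.20.8 udp 47808
"""


def detect(flow_text, policy=POLICY):
    """Run every flow record through the policy; return (timestamp, reason) alerts."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        reason = check_flow(src, dst, proto, int(dport), policy)
        if reason:
            alerts.append((ts, reason))
    return alerts


if __name__ == "__main__":
    print(nft_ruleset())
    for ts, reason in detect(SAMPLE_FLOWS):
        print(f"ALERT {ts}: {reason}")
```

Of the seven constructed flows, three raise alerts: the camera-to-camera telnet session (traffic the boundary firewall would never see), the camera's HTTPS connection to a host outside the vendor's range, and an SSH attempt into the camera VLAN that the ruleset above would also have dropped. Keeping the policy in one place means the firewall and the detector cannot drift apart, and every alert names the segment and service it violates, which is what an analyst needs to triage it.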

Snort is a popular open-source IDS that can be deployed on small business networks as an alternative to pricier proprietary IDS products.