The woman on the videoconference screen looked at me in astonishment. “I didn’t think we had a call scheduled,” she said in alarm. The surprise was understandable, as she and another person seemed to be just lounging in the conference room. I disconnected the videoconferencing call immediately, and then checked my notes.
I’d transposed a digit, and I’d called an obviously unsecured videoconferencing machine somewhere. I didn’t wait to ask where, but that videoconferencing machine wasn’t the first device I’d found on the Internet. In fact, the Internet of things has been around for years, since long before the Web was invented.
In those days, network engineers took pride in their Internet connected soft drink machines, devices programmed to warn when their coffee pot was empty or to keep tabs on the fish in their aquarium at home. None of those things had any sort of security at all. Anyone who could find the right IP address could monitor the status of these unsecured devices.
Since then, tens of millions of new things have been connected to networks around the world. We have moved far beyond connecting soft drink machines and coffee pots to much more critical devices, including surveillance cameras, printers, security systems as well as water and gas meters.
My conversations with European security experts has revealed a deep concern over the spread of these devices and the difficulty in securing them.
Now, as my friend Pam Baker explained in her column in FierceBigData, security for the IoT is notable more for its absence than anything else. Baker explains that now there’s the Shodan search engine which is specifically designed to access unsecured IoT devices. It primarily targets online cameras, but it can be used to exploit pretty much anything. In fact, the makers of the Shodan browser also market it as a means of monitoring your own network security.
While I haven’t tested the Shodan browser, press reports indicate that it’s pretty good at revealing IoT devices far beyond cameras. Some of the things the company mentions are industrial control systems and power plants controls for example.
But let’s suppose that you’d rather not have random strangers monitor your surveillance cameras or gain access to your industrial automation devices. What do you do? You start actually thinking about IoT security in your own enterprise.
This is important because even a brief lapse in security can reveal far more than you might think. When I accidentally dialed into that conference room, there was a lot more than a couple of employees lounging in the conference room. On the wall behind the couple was a white board full of notes on a strategy session and a marketing presentation was displayed on an easel next to the white board.
Suppose I’d been a competitor instead of a wayward technology writer? That brief look could have told me a lot about the company’s competitive plans.
Why Your Enterprise Must Pay Close Attention to IoT Device Security
To prevent this from happening to you, the first thing you have to do is find all of your Internet-connected devices. This means you need to look at every IP address on your network to see what’s connected to it. Fortunately, most network management systems can scan for IP addresses in use and they can alert you when a new one shows up.
Once you’ve found all of the devices actually on your network, it’s time to figure out what they are. A good network scanner can give you the device’s IP address, its host name, and some sort of identification.
This will provide the information you need to compile a list of every device connected to your network. Next, you need to validate the list against what you know is supposed to be on your network.
When you do this you’ll probably find that nearly all of the devices on your network are things you already know about, such as workstations, printers and perhaps employee mobile devices. The scan may also reveal the existence of some shadow IT devices or rogue devices, such as routers brought to the office from an employee’s home. In addition, there will be some devices that may be identified by a name you don’t recognize or simply are simply not identified at all.
If any of those items turn out to be devices that aren’t computers, mobile devices and the like, then you need to investigate them. Each of the things you find on your network needs to have some level of security and you will need to go to each one of them to see what they do, if they are supposed to be there and if they are covered by adequate security.
Setting an adequate level of security means implementing user names and passwords that are stronger than stupidly simple defaults. It also means that in some cases you will have to take trouble of assigning user names and passwords, since not all such devices even have them.
Worse, some connected devices don’t even have the ability to set user names and passwords. Such devices should be booted off the network and replaced with devices that can be password-secured if they are performing some essential function.
You may need to be ruthless. That consumer webcam you have for monitoring the parking lot could be a weak spot in your security and if you really need to monitor the lot, then you have to use a device that matches your overall security level.
In addition, you will likely need to consign some of your devices to network segments with firewalls that keep them away from your network’s critical assets. With everyone from hackers to hobbyists trolling the Internet for IoT devices they can visit, the last thing you need is to put out the welcome mat for them.
Unfortunately, if you don’t take even those minimal steps, you risk becoming the butt of those IoT jokes making the rounds, and I’m pretty sure you don’t want that.