Protect Your Network: Use Caution with IoT Data Sources
Internet of Things devices are becoming more common in every organization. Make sure you are implementing at least minimum standards for IoT security.
- By Mike Schiff
- October 9, 2017
Over the past decade our potential data sources have grown exponentially. They will continue to grow as we augment them with Internet of Things (IoT) data sources. Many organizations realize that sensor data, even data originally intended to monitor industrial machines for operational purposes (such as preventive maintenance, fault alerts, or quality control), can also provide data for analytical purposes.
IoT sources encompass a wide variety of devices. They might include traditional office equipment such as routers and printers, radio frequency identification devices (RFID), sensors such as smart thermostats and humidity sensors, utility (e.g., electric, gas, and water) meters, smart locks, onboard automobile or airplane status and tracking devices, GPS tracking devices and apps, toll-paying devices such as EasyPass, water quality measurement devices, and data collected from drones. In our homes, IoT data could even be coming from our children's toys and baby monitors.
It is safe to predict that any data that in the past could have been collected by human observation will ultimately be able to be collected and transmitted by smart devices and thus serve as additional big data sources. In fact, it was recently revealed that some employees of a Wisconsin company had microchips embedded in their hands that, in addition to their use for cafeteria payments or allowing access to secure areas, could also monitor and track their activities.
Avoiding Security Hazards
We must be aware that although additional data sources can serve as fuel for additional and/or more accurate analytics, they can also compromise the security of our networks and provide an entry point for hackers. In recognition of the potential vulnerability, the U.S. Senate introduced the "Internet of Things Cybersecurity Improvement Act of 2017" in early August.
The bill specified a set of minimum security requirements for IoT devices purchased by the U.S. government. Among the requirements:
- Devices must be capable of being updated or patched to address newly discovered security vulnerabilities
- Devices must not include fixed or hard-coded credentials (i.e., passwords) that cannot be changed
- Devices must be free of known security vulnerabilities including those on the National Vulnerability Database maintained by the National Institute of Standards and Technology (NIST)
The bill also requires all executive agencies to keep an inventory of all Internet-connected devices used by the agency.
Although this bill pertains to vendor sales to the U.S. government, you should view it as a minimum set of standards for any devices connected to your organization's and even your home's network. In fact, you should strongly consider extending them even further.
For example, the bill calls for device passwords that can be changed, but you need to make certain that default passwords such as "password" or "1234" are reset to something more secure. Furthermore, although you can hopefully monitor and thus enforce discipline on known IoT devices, you need to take steps to ensure that unknown and perhaps unsanctioned devices are not connected to your networks by naïve users.
Your organization needs to establish and publish rules as to what devices are allowed (or, perhaps more important, forbidden) and keep an accurate and up-to-date inventory of all connected devices. Remember, a hacker only needs to compromise a single unsecured entry point; you must take steps to secure and harden all of them.
About the Author
Michael A. Schiff is founder and principal analyst of MAS Strategies, which specializes in formulating effective data warehousing strategies. With more than four decades of industry experience as a developer, user, consultant, vendor, and industry analyst, Mike is an expert in developing, marketing, and implementing solutions that transform operational data into useful decision-enabling information.
His prior experience as an IT director and systems and programming manager provide him with a thorough understanding of the technical, business, and political issues that must be addressed for any successful implementation. With Bachelor and Master of Science degrees from MIT's Sloan School of Management and as a certified financial planner, Mike can address both the technical and financial aspects of data warehousing and business intelligence.