Most modern companies have at least several internet of things (IoT) devices that they use on a regular basis. As one of your cybersecurity measures, you should make it a point to segment these IoT devices, so they are on a separate network segment or a guest Wi-Fi network. Taking this action will reduce the risk of a cyber attacker gaining access to connected devices and using that access to gain entry to your corporate network and the related customer data.
Understand Network Segmentation
To gain a better understanding of why you should segment the IoT devices that your company uses, you must first understand network segmentation. This term refers to dividing the network into various subnets. The goal of network segmentation is typically to enhance security and improve performance. There are many applications, including separating the traffic of guests or external contacts from those of internal users. It is even possible to fine-tune segmentation to deliver individual segments for employee devices, databases, and web servers.
Why Lack of Segmentation Is a Security Risk
Some of the logic behind segmentation is fairly obvious. If guests and IoT devices accessed the same network as your employees, it would be possible for a hacker to visit your property as a guest. They could then connect their IoT device to your network and use their skills and that connection to enter the main portion of the network where classified information can be stolen.
The risk of IoT devices connecting to your main network is not limited to connections done with malicious intent. It is also very possible that a cybercriminal will become aware of your lax policy and then hack a guest device to gain access to your network in a similar manner. Your team has taken steps to prevent hackers accessing company devices, such as multi-factor authentication and enforcing a patching policy, but you cannot do the same for guest devices. When guests connect their IoT devices to your network, you have no idea whether those devices are secure. Cybercriminals can exploit this by connecting to an unsecured device a guest uses.
With the expansion of the internet of things and possible devices, the risk of this occurring increases. Remember that with so many new IoT devices hitting the market every week, it is impossible to ensure that they all have strong security measures in place.
Learn About IoT Device Capabilities and Limitations
Your first step in establishing your IoT device policy, which covers segmentation, should be learning about devices, including their limitations and capabilities. That information will then help shape your policy both for IoT segmentation and security of IoT devices in general.
Create a Guest Network for IoT Devices
The most important step to segmenting IoT devices for your company’s cybersecurity is to create a guest network. This should be a network that is designed for visitors to use, letting them connect their IoT devices. This network will be fully separate or segmented from the network that your employees use, which has restricted access.
Ensure the Untrusted Devices Remain in the Guest Network
Simply setting up the guest network is not enough segmentation to give you peace of mind. You will also need to take some security measures to ensure that all the untrusted devices stay on the guest network. Start by giving the network a unique SSID with an isolated VLAN. This VLAN should connect with the internet in a separate manner than the internal network. You should also consider installing a dedicated circuit for this guest network.
For further security, make a requirement to enter passwords via a captive portal. This prevents the overuse of the network and lets you log each visitor. It can also add in other benefits, such as additional access controls or terminating a visitor’s session.
Establish Visibility
For many organizations, one of the biggest challenges in terms of IoT security is tracking and identifying the IoT devices that connect to your network. This is why the step of entering passwords in a captive portal is so important. You should make it a point to include Network Access Control, which will let your company securely authenticate and classify the IoT devices. With the right system, you can take advantage of classification and discovery of the devices in real-time, letting your IT team build up a risk profile. Based on that profile, they can automatically assign each new IoT device to the correct device group.
Monitor Guest Network Traffic
Even though you will put the IoT devices in the guest network, this does not mean you should forget about them. Instead, continue monitoring the traffic on this network, something which will go slightly easier with the above password recommendation since you can then log users. Take it a step further, so you do not ignore security risks that arise for IoT devices or the network as a whole. Consider solutions like SIEM (security information and event monitoring) and managed detection and response (MDR) to help you track network activity so you can quickly spot anomalies.
Consider Additional Segmentation of IoT Devices
If you want to take IoT security a step further, consider additional segmentation of the devices based on policy as well as secured network zones. This will make it possible for your network to grant then enforce baseline privileges for each specific IoT profile. You could even use inventory management tools to track the IoT devices as well as behavioral analytics to monitor the behavior. If you go this route, make use of Internal Segmentation Firewalls so that you can quickly and dynamically control the network segments and inspect traffic that needs to cross your segmentation boundaries. With this approach, you will be able to take advantage of multi-layered inspection, monitoring, and enforcement of your device policies depending on actual activity.
The Takeaway
The bottom line is that if you connect IoT devices to your network or allow visitor access, you must have segmentation. Otherwise, you will give every visitor and IoT device access to your full network, including its sensitive information.