The US government is working toward establishing IoT security guidelines, and a very public dispute about a particular IoT device demonstrates why they are necessary. Credit: Thinkstock You will have more connected devices than ever on your network in 2021, especially if you’re in healthcare, retail, or logistics, industries that are among the early adopters of the Internet of Things (IoT). You’ll have devices on your network edge, in your headquarters, on vehicles, in machinery, in your stores, in employees’ homes, and on public property. And there’s a good chance that some or many of these IoT devices have built-in security vulnerabilities that can endanger your network. In trying to capitalize on the voracious global appetite for connected commercial devices, many IoT manufacturers and developers are shoveling out enterprise IoT devices with, shall we say, varying levels of regard for security. Enterprise pros in the U.S. may have some help in the near future if new mandatory minimum security standards for connected devices are established under the IoT Cybersecurity Improvement Act, which was signed into law by President Trump on Dec. 4, 2020. The Act directs the National Institute of Standards and Technology (NIST) to create and systematically update IoT security standards for any device purchased by a government agency. The reason that may be helpful to enterprise pros outside the government is the standards are expected to influence private-sector enterprises. Still, the law won’t help with the billions of older IoT devices already connected to a network or waiting to be purchased, or those that will be manufactured between now and whenever standards are set and manufacturers and developers begin adhering to them. So what’s an enterprise professional to do? For its part, NIST has already been working on IoT security, and has prepared four draft documents it says “will help address the challenges raised” in the IoT Cybersecurity Improvement Act. Three of them are written for manufacturers and suggest guidelines they might follow in designing and building secure IoT devices. The fourth is about what organizations that might buy these devices should ask for when they’re buying them. “The document has background and recommendations to help agencies consider what security capabilities an IoT device needs to provide for the agency to integrate it,” NIST says in announcing the four documents. Despite being drafts, the documents in their current form can provide valuable guidance. Another good step: Familiarize yourself with the eight key security principles of IoT devices created by the Internet of Secure Things, an industry alliance advocating for security standards and compliance: No universal passwords Secured interfaces Proven cryptography Security by default Verified software Automatic security updates Vulnerability reporting program Security expiration date If the IoT device you’re considering for your own network fails to meet one or more of the principles above, you probably should look for a safer alternative, even if that means getting nothing. At least you won’t be jeopardizing your network with an insecure IoT device. If you have the time and resources, another option is to test devices yourself to assess their trustworthiness, as did Laurens Leemans, cofounder, co-owner, and lead developer of SignIPS, whose experience is a cautionary tale. Back in February, Leemans recounts, in a tweet thread titled “Infosec fail thread”, doing a quick assessment of an IoT device his company was considering offering its customers. The device is a counter system for tracking how many people are in a building or public venue. First, Leemans makes clear that he is cautious. “As per usual, I usually do some basic security/sanity checks on a product before offering it to our customers,” he writes. Then it was a recounting of “best practices” in action. “So, we powered it on, and followed the instructions to set it up. It gets powered over Ethernet, but also has Wi-Fi to count the number of devices passing it. “The first thing that caught our eye, is that it sets up a network, with a broadcasted SSID and a default password. Bit strange, since it’s also connected over Ethernet, but fine. Whatever. Except: you can’t change the SSID or the password!” Things quickly unraveled from there, to the point where the SignIPS and the device manufacturer were in a nasty public spat that involved accusations of extortion, a police report, a newspaper article, and, somehow, the music of Bruno Mars. You don’t have to go public with your IoT due diligence, as Leemans did. But he offers an excellent example of how IT pros can and should run a connected device through its paces, get under the hood, and really vet it instead of plugging it into the network and hoping for the best because you are optimistic and trusting. Related content news 6G cellular doesn’t exist, but it can be hacked Academic researchers have found a way to eavesdrop on 6G wireless transmissions using common, inexpensive, off-the-shelf components. By Chris Nerney May 31, 2022 3 mins Cellular Networks Network Security opinion When quantum computers forget: Overcoming decoherence Quantum computing faces many technology challenges, but some researchers say they’ll be solved soon to usher in the Quantum Decade. By Chris Nerney Jan 03, 2022 4 mins Data Center opinion LoRa takes a trip to the moon and back, chirping all the way LoRa wireless that's used in IoT networks is known as a low-power, long-range technology—long-range enough to carry a message between Earth and the moon. By Chris Nerney Dec 02, 2021 3 mins Internet of Things WAN Networking news Drone demo shows it’s possible to protect 5G-managed devices from DDoS, exfiltration attacks Using software developed by the Open Networking Foundation, Stanford researchers thwart wireless attacks in less than a second. By Chris Nerney Nov 10, 2021 3 mins 5G SDN Security PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe