Educause Security Discussion mailing list archives
Re: [EXTERNAL] [SECURITY] IoT Devices
From: "Klein Keane, Justin" <Klein_KeaneJ () MLHS ORG>
Date: Tue, 11 Apr 2017 07:24:19 -0400
Hello, In considering IoT it's easy to focus on consumer electronics and overlook systems like building automation control, access control systems, camera systems, and the like. Very likely these systems need to interconnect between their components and the internet but hardly ever to central systems like HR, data warehouses, etc. Segmenting and isolating networks for these, and other IoT devices, is key. These alternate IoT devices often suffer from the same vulnerabilities as consumer IoT but have a much higher risk profile (think about triggering your BC plans due to an uninhabitable building in the middle of summer because the building cooling control device is bricked). I always find it helpful to draw a line in the sand around regulated data and systems (PCI, FERPA, HIPAA) and deny requests to attach devices to these same network unless devices can be justified, managed, and monitored. Pointing to examples like Mirai as support for keeping IoT off of these networks make the case easier. If a dedicated IoT network doesn't exist use demand to justify that investment, but the risk of sitting these devices on critical networks is clear. Cheers, Justin C. Klein Keane Security Architect Main Line Health Information Technology https://www.mainlinehealth.org/ klein_keanej () mlhs org<mailto:klein_keanej () mlhs org> 484-596-2203 On Mon, Apr 10, 2017 at 5:34 PM -0400, "Christopher Jones" <Christopher.Jones () UFV CA<mailto:Christopher.Jones () UFV CA>> wrote: Just wondering what others are doing concerning IoT devices like smart TVs, web cams, and even automated controls that may be connected to your university network? Specifically: 1. Do you have a formal security policy or guidelines for IoT devices? 2. Are your connected IoT devices scattered across your network, or do you have a dedicated subnet for them? 3. Are your IoT devices connected directly to the network or via other devices such as a cable/streaming boxes? Given the rise of malware such the Mirai and BrickerBot botnets, use of IoT devices on campus has become a serious security concern. Any responses would be appreciated. Thanks. Christopher Christopher Jones IT Security Analyst UFV – Information Technology Services | 33844 King Road | Abbotsford, B.C. V2S 7M8 Christopher.Jones () ufv ca<mailto:Christopher.Jones () ufv ca> | 604.854.4566 | www.ufv.ca | blogs.ufv.ca/it-security
Current thread:
- IoT Devices Christopher Jones (Apr 10)
- Re: [EXTERNAL] [SECURITY] IoT Devices Klein Keane, Justin (Apr 11)
- Re: [EXTERNAL] [SECURITY] IoT Devices Gael Frouin (Apr 11)
- Re: [EXTERNAL] [SECURITY] IoT Devices Klein Keane, Justin (Apr 11)