Educause Security Discussion mailing list archives

Re: [EXTERNAL] [SECURITY] IoT Devices


From: "Klein Keane, Justin" <Klein_KeaneJ () MLHS ORG>
Date: Tue, 11 Apr 2017 07:24:19 -0400

Hello,

  In considering IoT it's easy to focus on consumer electronics and overlook systems like building automation control, 
access control systems, camera systems, and the like. Very likely these systems need to interconnect between their 
components and the internet but hardly ever to central systems like HR, data warehouses, etc. Segmenting and isolating 
networks for these, and other IoT devices, is key.  These alternate IoT devices often suffer from the same 
vulnerabilities as consumer IoT but have a much higher risk profile (think about triggering your BC plans due to an 
uninhabitable building in the middle of summer because the building cooling control device is bricked).

  I always find it helpful to draw a line in the sand around regulated data and systems (PCI, FERPA, HIPAA) and deny 
requests to attach devices to these same networks unless devices can be justified, managed, and monitored. Pointing to 
examples like Mirai as support for keeping IoT off of these networks makes the case easier. If a dedicated IoT network 
doesn't exist, use demand to justify that investment, but the risk of sitting these devices on critical networks is 
clear.

Cheers,

Justin C. Klein Keane

Security Architect
Main Line Health Information Technology
https://www.mainlinehealth.org/
klein_keanej () mlhs org
484-596-2203



On Mon, Apr 10, 2017 at 5:34 PM -0400, "Christopher Jones" <Christopher.Jones () UFV CA> wrote:

Just wondering what others are doing concerning IoT devices like smart TVs, web cams, and even automated controls that 
may be connected to your university network?  Specifically:


1. Do you have a formal security policy or guidelines for IoT devices?

2. Are your connected IoT devices scattered across your network, or do you have a dedicated subnet for them?

3. Are your IoT devices connected directly to the network or via other devices such as cable/streaming boxes?

Given the rise of malware such as the Mirai and BrickerBot botnets, use of IoT devices on campus has become a serious 
security concern.  Any responses would be appreciated.  Thanks.


Christopher

Christopher Jones     IT Security Analyst
UFV – Information Technology Services  |  33844 King Road  |  Abbotsford, B.C.  V2S 7M8
Christopher.Jones () ufv ca  |  604.854.4566  |  www.ufv.ca  |  blogs.ufv.ca/it-security



