Re: [EXTERNAL] [SECURITY] IoT Devices

[Gael Frouin <gfrouin () BERKLEE EDU>]

Hello,

1. We do not have a formal official policy
2. While there are still some rogue implementations, new implementations
(e.g. digital signage solution) are segmented in their own VRF and our
network team migrated a lot of the existing devices in dedicated VRFs (e.g.
security systems like cameras, badge systems are in a different VRF as
well).
3. They are connected directly to the network in their own VRFs, depending
on the sensitivity of the information processed

Gaël Frouin
*Berklee*
*Information Security Officer*

On Tue, Apr 11, 2017 at 7:24 AM, Klein Keane, Justin <Klein_KeaneJ () mlhs org>
wrote:

> Hello,
>
>   In considering IoT it's easy to focus on consumer electronics and
> overlook systems like building automation control, access control systems,
> camera systems, and the like. Very likely these systems need to
> interconnect between their components and the internet but hardly ever to
> central systems like HR, data warehouses, etc. Segmenting and isolating
> networks for these, and other IoT devices, is key.  These alternate IoT
> devices often suffer from the same vulnerabilities as consumer IoT but have
> a much higher risk profile (think about triggering your BC plans due to an
> uninhabitable building in the middle of summer because the building cooling
> control device is bricked).
>
>   I always find it helpful to draw a line in the sand around regulated
> data and systems (PCI, FERPA, HIPAA) and deny requests to attach devices to
> these same network unless devices can be justified, managed, and monitored.
> Pointing to examples like Mirai as support for keeping IoT off of these
> networks make the case easier. If a dedicated IoT network doesn't exist use
> demand to justify that investment, but the risk of sitting these devices on
> critical networks is clear.
>
> Cheers,
>
> Justin C. Klein Keane
>
> Security Architect
> Main Line Health Information Technology
> https://www.mainlinehealth.org/
> klein_keanej () mlhs org<mailto:klein_keanej () mlhs org>
> 484-596-2203
>
>
>
> On Mon, Apr 10, 2017 at 5:34 PM -0400, "Christopher Jones" <
> Christopher.Jones () UFV CA<mailto:Christopher.Jones () UFV CA>> wrote:
>
> Just wondering what others are doing concerning IoT devices like smart
> TVs, web cams, and even automated controls that may be connected to your
> university network?  Specifically:
>
>
> 1.       Do you have a formal security policy or guidelines for IoT
> devices?
>
> 2.       Are your connected IoT devices scattered across your network, or
> do you have a dedicated subnet for them?
>
> 3.       Are your IoT devices connected directly to the network or via
> other devices such as a cable/streaming boxes?
>
> Given the rise of malware such the Mirai and BrickerBot botnets, use of
> IoT devices on campus has become a serious security concern.  Any responses
> would be appreciated.  Thanks.
>
>
> Christopher
>
> Christopher Jones     IT Security Analyst
> UFV – Information Technology Services  |  33844 King Road  |  Abbotsford,
> B.C.  V2S 7M8
> Christopher.Jones () ufv ca<mailto:Christopher.Jones () ufv ca>   |
> 604.854.4566  |  www.ufv.ca  |  blogs.ufv.ca/it-security