Network Segmentation: A Key Measure for IoT Security
One day, the number of connected devices within the Internet of Things (IoT) will easily eclipse the worldwide installed base of PCs and smartphones combined. IT research firm Gartner estimated this could happen as soon as 2020, when there could be approximately 21 billion IoT devices.
There are several reasons why IoT is expanding so rapidly. At its core, it offers virtually endless options for extending IP network connectivity to domains that have traditionally lacked it. Every sector from health care to manufacturing will be able to leverage IoT to connect disparate systems and achieve new operational efficiencies. For example, hospitals could use noninvasive IoT sensors to monitor patients and send key information to the cloud for delivery to other systems.
However, the IoT also creates many new security-related complications. IT administrators must now manage an increasing variety of IoT devices – some without traditional interfaces for receiving patches. Small and medium enterprises (SMEs), in particular, face challenges in ensuring their IoT initiatives are safe enough to use. What are their options?
A Smart IoT Security Practice for SMEs
We’ll dive further into a number of these challenges in a virtual conference hosted by SC Media, which will be focused on endpoint protection through controlled access and privileges. As a prelude to that event, let’s examine one of the most effective countermeasures to the vast spectrum of IoT threats: network segmentation.
The basics of network segmentation
Network segmentation refers to the division of a network into subnets, typically for purposes of improved performance and enhanced security. With a segmented network, you can separate the traffic of internal users from that of guests and external contacts. Moreover, you can further fine-tune the segmentation so that there are individual segments for your web servers and databases, as well as employee devices.
Segmentation is also recognized by specific standards such as PCI DSS, which does not strictly require it but strongly recommends it as the way to shrink the cardholder data environment and therefore the audit scope; logical segmentation (VLANs plus enforced firewall rules) counts, physical separation is not required. Beyond compliance, segmentation makes it more difficult for outsiders to penetrate your network via an unsecured IoT device, while shielding sensitive data from overly curious insiders.
Why segmenting your network mitigates IoT risks
How does network segmentation work? Consider a guest Wi-Fi network, which is the IT equivalent of a visitors’ parking lot. It has a limited, self-contained scope, as well as key restrictions on its use.
Visitors log on to this guest Wi-Fi, while employees use a restricted access network. The separation is critical, since outsiders inevitably use unmanaged hosts and endpoints not provisioned by IT. This issue will only become more pronounced as IoT expands the overall number and variety of possible devices.
To keep all untrusted devices in the guest network, it’s important to:
- Create a unique SSID for the network, mapped to an isolated VLAN that reaches the internet separately from the internal network, with firewall rules that deny guest-to-internal traffic by default. A VLAN tag on its own isolates nothing if the router still forwards between VLANs; the deny rules are what make the segment a segment. A dedicated circuit for the guest network may also be installed.
- Require authentication through a captive portal. This not only prevents network overuse, but also enables logging of every visitor and the enhanced access controls – including session termination – that come with it.
- Monitor all traffic on the guest network. It may be segmented and have its own circuit, but you don’t want it to become a blind spot in your IoT defenses. Managed detection and response (MDR) backed by a security information and event management (SIEM) solution can ensure you keep tabs on network activity and spot anomalies quickly; in particular, the firewall’s inter-VLAN deny logs are where a guest or IoT device probing the internal network first shows up.
These measures and others help reduce the total attack surface, even as your IoT infrastructure expands. Your internal network structure remains invisible to guest users. Plus, if there is a security incident involving a guest, it’s relatively easy to contain and won’t spread to more important assets.
Ultimately, network segmentation works by restricting the flow of traffic between zones. Your security team gains granular control over who has access to what, allowing them to head off common IoT threats such as botnet-enabling malware that thrives on easy proliferation across devices.
For example, IoT endpoints like IP cams and “smart” home security devices are notorious for their security vulnerabilities. The Persirai botnet alone, discovered in 2017, put roughly 120,000 such cameras at risk according to Dark Reading. Segmentation does not remove the vulnerability in the camera itself (that still needs a patch or a replacement), but it confines a compromised device to its own zone and, combined with MDR and SIEM within a security operations center (SOC), makes the attempted spread visible and containable.
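To make the guest-network steps above and the zone-to-zone restriction concrete, here is an added example (not code from the article, SC Media or AWN) that models the inter-VLAN firewall as a default-deny policy matrix and then runs a simple lateral-movement check and a policy-drift audit over firewall log lines. The zone names, the subnet plan, the allowed ports and the log lines are all constructed assumptions for illustration; the point is the shape of the rules and the check, not the specific addresses.

```python
"""Zone-based segmentation policy plus checks over firewall log lines.

Added example: the zones, addressing plan, policy matrix and log lines are
constructed assumptions for illustration, not configuration from the article.
"""
import ipaddress
from collections import defaultdict

# Assumed addressing plan: one VLAN and one subnet per zone.  Anything outside
# these ranges is treated as "internet".
ZONES = {
    "guest":   ipaddress.ip_network("192.168.50.0/24"),
    "iot":     ipaddress.ip_network("192.168.60.0/24"),
    "corp":    ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
}

# Default-deny allow-list: (source zone, destination zone) -> permitted TCP
# destination ports.  Any zone pair not listed here is dropped.
POLICY = {
    ("guest", "internet"): {80, 443},
    ("iot",   "internet"): {443},
    ("iot",   "servers"):  {8883},        # MQTT over TLS to the broker only
    ("corp",  "internet"): {80, 443},
    ("corp",  "servers"):  {443, 3306},
    ("corp",  "iot"):      {443},         # admins may reach device web UIs
}

# Zones whose members must not talk to each other (wireless client isolation
# or a private VLAN), so one compromised camera cannot infect the next one.
CLIENT_ISOLATED = {"guest", "iot"}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or "internet" if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide a flow the way the inter-VLAN firewall should: default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return src not in CLIENT_ISOLATED
    return dst_port in POLICY.get((src, dst), set())


def parse_log_line(line: str) -> dict:
    """Parse a constructed syslog-style line: '<ts> <src> <dst> <dport> <action>'."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def flag_scanners(lines, min_targets: int = 5) -> dict:
    """Return {src_ip: distinct_dst_count} for guest/IoT hosts whose dropped
    flows reached at least min_targets distinct hosts in another zone.  A
    device sweeping a neighbouring subnet is the proliferation segmentation is
    meant to contain; the deny log is what makes it visible."""
    targets = defaultdict(set)
    for line in lines:
        ev = parse_log_line(line)
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        if ev["action"] == "DROP" and src_zone in CLIENT_ISOLATED and dst_zone != src_zone:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def audit(lines) -> list:
    """Return log lines whose recorded action disagrees with POLICY, i.e. the
    deployed ruleset has drifted from the intended segmentation."""
    bad = []
    for line in lines:
        ev = parse_log_line(line)
        expected = "ACCEPT" if allowed(ev["src"], ev["dst"], ev["dport"]) else "DROP"
        if ev["action"] != expected:
            bad.append(line)
    return bad


# Constructed sample log: an IoT camera sweeping the corp subnet on SMB, a
# legitimate MQTT session, and one stray rule that let a guest reach the DB.
SAMPLE_LOG = """\
2017-05-09T10:01:02 192.168.60.21 10.0.10.5 445 DROP
2017-05-09T10:01:02 192.168.60.21 10.0.10.6 445 DROP
2017-05-09T10:01:03 192.168.60.21 10.0.10.7 445 DROP
2017-05-09T10:01:03 192.168.60.21 10.0.10.8 445 DROP
2017-05-09T10:01:04 192.168.60.21 10.0.10.9 445 DROP
2017-05-09T10:01:05 192.168.60.21 10.0.20.10 8883 ACCEPT
2017-05-09T10:02:11 192.168.50.7 10.0.20.10 3306 ACCEPT
2017-05-09T10:02:12 192.168.50.7 93.184.216.34 443 ACCEPT
""".splitlines()

if __name__ == "__main__":
    print("scanners:", flag_scanners(SAMPLE_LOG))   # the camera, 5 distinct targets
    print("policy drift:", audit(SAMPLE_LOG))       # the guest-to-DB ACCEPT line
```

Two design choices carry the segmentation argument: the policy is an allow-list keyed on zone pairs, so an IoT device that is not explicitly granted a path to the database simply has none, and `audit` re-derives the expected verdict for every logged flow, which is how you catch a firewall rule that quietly widened over time. On a real network the same matrix would be expressed as inter-VLAN rules on the router or firewall, and the log lines would come from its deny logging into the SIEM.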
What to Do Next to Secure Your IoT Initiatives
Segmentation is just one of many actions you can take to better protect your organization from IoT vulnerabilities. Having a diverse set of cybersecurity protections is ideal, in light of today’s abundance of attack vectors, which are always evolving.
Learn about four more IoT security practices in our presentation at the upcoming IoT virtual conference (you can still register via the link on the official SC Media site). In the meantime, read this white paper to find out about SIEM and SOC options from AWN.