ment to ensure academic , operational , and cybersecurity needs get continuously addressed as new IoT considerations arise .
Developing IoT Device Guidelines : Collaboration is Key Before the intermingling of IoT devices on IT networks , device connectivity was siloed into Operational Technology ( OT ) and IT networks , each of which was separately managed . With IoT devices now connecting to IT LAN and WLAN networks , institutions need to rethink their security paradigms around collaborative IoT and IT security guideline development . In addition , obtaining buy-in for the guidelines across your institution ’ s constituencies is essential for enabling enforcement without inhibiting innovation or efficiency .
Although every institution approaches enterprise-wide guideline establishment differently , assembling a cross-divisional committee is a common denominator . At large institutions , this includes all of your various groups , such as those dedicated to separate colleges , sports facilities , medical centers , and research facilities .
Regardless of your institution ’ s size , facilities management and physical security are important constituencies to include . In the past , these groups relied on IT to assist with any technology needs . However , the ease with which IoT devices can be deployed , and the value they provide , liberates these groups from dependence on IT , and vice versa ; but the devices they connect must still comply with institutional rules . Engaging them in guideline-making reduces barriers to compliance .
In addition to following well-known security best practices , include the following components in your IoT device guidelines to deliver full protection :
• Profiling . Fingerprint / classify devices as they connect to differentiate between device types and detect imposters .
• Identity . As device MAC addresses can be spoofed , the identity of IoT devices must be supplemented with strong authentication protocols , like 802.1X , plus contextual data such as location , time of day , day of week , and current security posture .
• Posture . Conduct regular health checks on devices based on active interrogation to determine open ports , OS version , and potential known vulnerabilities . Conducting checks routinely helps ensure compliance .
For a practical example , consider a research lab that upgrades a monitoring device . It ’ s likely that device will immediately attempt to phone home post-upgrade , but it will be unrecognized by your network in its upgraded state . Rather than establishing a guideline requiring researchers to notify IT every time they upgrade a device before they connect it , your rule could be that unknown devices are automatically quarantined until an established verification process is completed . An automated notice is sent to the appropriate user who then completes the verification , releasing the quarantine so the device can connect .
A similar process can be applied to other connection scenarios , such as during routine posture checks . Should a device be out of compliance , such as needing an OS update , quarantine and notification occur automatically , including instructions for releasing the quarantine .
In other words , devise guidelines and standards that streamline IoT connections during initial onboarding and all along device lifecycles to ensure smooth operations and delightful user experiences .
Adopt a Connect-and-Protect Methodology To apply the guidelines your institution establishes , you ’ ll need to translate them into IT policies and establish a protection methodology for addressing and building trustworthiness into the IoT data that devices collect . Begin by using the red-black model for trust definition . For example , data from a building temperature sensor is considered untrusted ( red ) until it ’ s protected , at which point it ’ s trusted ( black ). ( See Figure 1 : Red-black Architecture )
�
Figure 1 : Red-black Architecture
15 Winter 2017 ACUTA Journal