The Internet of Things is taking college campuses by storm. From a Google Home in a professor’s office to a control system in a campus power plant, IoT devices are rapidly spreading, with no sign of slowing down. Within three years, analysts project, IoT devices may outnumber traditional computing devices by a 2-to-1 ratio. These devices offer diverse benefits, but they also introduce new security concerns.
In fall 2016, hackers drove these concerns home when they harnessed thousands of video cameras and other IoT devices to conduct the largest distributed denial of service (DDoS) attacks in internet history. Those attacks highlighted the question of IoT security in the minds of many IT leaders. Campuses should learn from this experience and take steps to keep their networks secure in the IoT era.
IoT devices aren’t entirely new. Colleges often deploy sensors for physical plants that transmit data about temperature, humidity and other issues to centralized control systems, which use this data to optimize functionality. Such devices were once hard-wired to control systems, but many institutions now connect them to the network.
IoT is also arriving on campus in the same way most new technologies arrive: with students and faculty who connect personal consumer devices to the network without consulting anyone. A walk through any residence hall or faculty office suite quickly shows that IoT is everywhere: wireless speakers, game systems and personal assistants, among others.
Administrators are rapidly deploying IoT devices in the form of “smart everything.” From soda machines to parking card readers, it’s hard to find an administrative function that doesn’t incorporate some connected technology. Almost every physical system upgrade involves connecting replacement devices to the network to support payment collection, permission validation, inventory review or another administrative function.
In the IoT era, cybersecurity and networking teams must protect devices from compromise and insulate the rest of the network from a device that’s fallen into the wrong hands. Attackers using IoT botnets in DDoS attacks seek out devices with high bandwidth connections, making college campuses attractive targets. Fortunately, campus technologists have several ways to keep their institutions from becoming unwitting accomplices to a DDoS attack.
A good first step is to inventory IoT deployments, keeping in mind that it won’t be comprehensive (it’s difficult to secure devices if you don’t know where they are). This inventory can serve as the basis for a risk assessment that looks at the known technologies deployed on the campus network, their vulnerability to attack, and the risk that any disruption would pose to public safety, information confidentiality and network health. Cybersecurity teams performing these assessments should also conduct vulnerability scans that complement the risk assessment with ground-truth technical information on the devices’ security status.
Network segmentation is one of the strongest controls in the security arsenal. Placing IoT devices on a tightly controlled network reduces the risk that they will become compromised and limits the damage they can cause if compromised. IT staff can secure administrative deployments by placing IoT devices on special-purpose virtual local area networks populated by similar devices.
Segmenting faculty-, student- and guest-owned consumer devices may seem more difficult, but most campuses already have the technology to do this. Typically, IoT devices can’t join wireless networks that require enterprise authentication, so users join guest networks instead. Provided those networks are segmented from other campus networks, the rest of campus is protected against a compromised device.
Perhaps most important, security teams should ensure that IoT devices are properly patched and don’t use default passwords. Most IoT compromises occur because a user failed to apply critical security updates or never changed the factory default password. Vulnerability scans are key to seeking out and remediating systems with these security flaws.
Benefits of the IoT are substantial: Administrators gain access to real-time information that lets them to improve service and increase efficiency. Students enjoy the convenience of modern technology. Faculty researchers may gather information that was once impossible to collect. By taking critical security measures, technology teams can help their campuses take advantage of these benefits without compromising security.