IoT Security Solutions for Intelligent Workspaces

In today's digital age, smart offices have become an integral part of modern office networks. From lighting systems to vending machines, these offices are brimming with Internet of Things (IoT) devices that collect data and automate tasks, optimizing energy use, security, and maintenance. However, this increased connectivity also presents a larger attack surface, making it essential to prioritize IoT security.

Visibility and Lifecycle Thinking

Organizations often underestimate the number of IoT devices they operate. To mitigate against IoT-centric threat campaigns, visibility and lifecycle thinking are crucial. This means maintaining a network inventory of IoT devices, including device type, location, business purpose, firmware version, network segment, data handled, and support status.

Strengthening IoT Security

The weakest point in IoT security is often lack of proper management. Unknown or poorly owned devices running default credentials on flat networks with outdated firmware pose a digital hazard to the entire office network. To strengthen security, eliminate default passwords and enforce unique per-device credentials. Disable unnecessary services such as UPnP and SSDP/mDNS across segments, change administration portals to non-default URLs/ports when supported, and enforce multi-factor authentication (MFA) for dashboards and cloud portals.

Procurement as a Security Control

Treat procurement as a security control and ask vendors to meet certain core baselines, such as secure update, device identity, advanced logging, and secure communications. Vendor solutions from companies like Cisco, Microsoft, and Palo Alto Networks commonly implement these baselines, aligning with standards such as NIST's IOT work and ETSI EN 303 645.

Network Segmentation and Zero Trust

Segment your network mindfully to limit dangerous situations and pair segmentation with a Zero Trust approach. This means verifying identity and posture per request, not just at the time of joining the network. Use VLANs and ACLs to restrict device-to-device communication to what's strictly necessary, and separate IT from OT/facilities networks.

Keeping Software Updated

Prioritize keeping software updated and having a coordinated vulnerability process. Follow standards such as NIST's IOT work and ETSI EN 303 645. Keep a calendar for update windows for various devices and test updates in a staging VLAN before deployment.

Monitoring and Response

Stream logs to Security Information and Event Management (SIEM) systems and watch for DNS beacons and network traffic anomalies. Monitor network traffic continuously for anomalies and respond promptly to any suspicious activity, such as cameras contacting random IP addresses.

Additional Measures for Small Offices

For small offices using prosumer gear, consider enabling NETGEAR Armor for additional router-level threat blocking and safe-browsing filters. Adopt a Zero Trust approach, verifying identity and posture per request, not just at the time of joining the network.

Regulations and Policies

Align your requirements to modern IoT policies and regulations, and for consumer-grade devices, look for ETSI EN 303 645 conformance. Require TLS everywhere and prioritize mutual TLS (client certificates) for device-to-broker communications in smart-office systems that communicate over MQTT/HTTP to cloud services. Enforce topic-level ACLs and least privilege on the broker.

Maintaining and Retiring Devices

Insist on firmware update policies and vulnerability disclosure processes from vendors before purchase. Implement an End of Life (EOL) policy that flags devices no longer receiving security updates, quarantines EOL devices to a heavily restricted network, or replaces them, and securely wipes storage on decommissioned devices.

By implementing these measures, you can ensure that your smart office remains secure and efficient, mitigating against IoT-centric threat campaigns and protecting your network from digital hazards.