Our office is full of smart thermostats, cameras, and printers that don't support traditional security agents. These unmanaged devices seem like a massive backdoor for attackers. How are you all handling IoT security without a dedicated budget? Is simple VLAN isolation enough, or should we be looking at more advanced Network Access Control (NAC) solutions?
3 answers
VLAN isolation is the absolute bare minimum. You should move all IoT devices to a dedicated, restricted segment that has no route to your internal production data. However, for a more proactive approach, you need to use passive network monitoring. Tools like Armis or Claroty can "fingerprint" these devices and alert you if a smart fridge suddenly starts trying to port-scan your domain controller. Since you can't install agents on these devices, you must rely on traffic analysis to detect anomalies. Also, always change the default credentials and disable UPnP on every device before it hits the wire.
If you use VLANs, how do you manage the "shadow IoT" problem where employees bring in their own smart gadgets and plug them into the nearest Ethernet port?
Don't forget to keep their firmware updated! Many manufacturers release security patches that people never install because there's no "update" button on the physical device.
Dorothy is right. Many IoT breaches occur via old vulnerabilities that were patched years ago. Setting a quarterly schedule to manually check for and apply firmware updates for your printers and cameras is a simple but highly effective way to reduce your attack surface.
Daniel, that's where Port Security and MAC filtering come in. You should configure your switches to only allow authorized MAC addresses on specific ports, or use a NAC like PacketFence to automatically shunt unrecognized devices into a "quarantine" VLAN until they can be vetted. It requires some manual effort initially, but it completely prevents unauthorized hardware from gaining a foothold on your primary network.