TMC's Advisor

The Advisor is published by TMC

IoT Cyberattack Risks

Businesses often consider IoT as a non-IT responsibility. We take a look at how wrong that perception is. IoT devices connect to IT infrastructure and cause an increasing cyber-security risk. We recommend what you need to do to protect your enterprise.

By Peter Aggus

Peter is a technology management consultant who specializes in security and radio systems. He has developed innovative & cost-effective solutions for clients in many industries.

The IoT Invasion

Look ‘under the hood’ of many modern systems used in office buildings today, and you’ll find an IoT component. This includes such systems as:

Older systems may have connected to phone lines, but modern versions connect to the LAN or WiFi, communicating to and from their “mother ship”. Some systems communicate between their own components (such as door locks and keypads), some have local servers, and others use your network purely to reach cloud services over the internet. All of this can be set up without the knowledge or approval of local IT – the devices simply connect as ‘guest’ users, just like BYOD devices. You may never know that you are hosting an IoT web of connectivity.

More than ever, this shows that it is vital to make sure that ‘guest’ access is carefully partitioned, using isolated subnets, VLANs and separate WiFi SSIDs.

Back Doors

With the demise of PSTN backup options, many systems, such as security systems and fire alarms, now ship with built-in cellular backup. These devices have an ethernet port, but they also contain a simple internal router and a cellular data modem. The device uses the LAN if it can and falls back to cellular if the LAN path fails.

Like a lot of things, there is a hidden risk. The simple internal router in the IoT device is built only to deliver the required functionality – failover communication. Little thought is given to security features such as a firewall. It is fairly easy for a skilled hacker to find the IP address of the cellular port and enter the device through it, pretending to be its cloud server. From there they can hack the router and jump onto the internal network. The next step depends on how well partitioned the network is: if there are ways to bridge from the guest environment to the office services, they will eventually be found – enabling the sort of IT breach that is becoming a lot more commonplace.

Network Partitioning

Well-prepared IT managers have a good network diagram showing all devices, with MAC addresses and WAN links. They also have good subnet mapping, so that all devices in a group (security cameras, for example) sit on their own isolated subnet unless they are installed on the guest subnet. Switches are programmed to enable the required paths and block all others, so activity is contained and controlled. This requires careful design of the DHCP servers, so that IP addresses are allocated correctly based on ethernet ports or WiFi SSIDs.

There is certainly a great, and growing, need for IoT devices to have simple and easy communication but it is essential that IT maintains control over what is and is not allowed on each subnet/VLAN.

Required Action

Ideally, you would create a separate subnet for each device group – one for HVAC devices, one for security devices, and so on. However, that would mean gaining agreement on the ports to be used or the MAC addresses to be authenticated, neither of which is likely to be easy.

Guest access is fine – but must be controlled. Set up your DHCP servers to put all such unknown devices on a separate subnet and give them access only to the guest subnet plus device-initiated internet access.

Lock down switch ports to their subnets, so that unauthorized devices cannot reach enterprise servers and the like. Mostly, inbound data flow can be handled by the device polling the cloud server. However, a device may want inbound access, so that a server can independently connect to it. Treat ANY such inbound access as a major design issue, and remember that such access can be built into devices with cellular modems. You need to be sure that any inbound access is contained to the device subnet.

Use a network scanner to routinely check what IP addresses are active on the network and chase down any you do not know. This is every bit as important as doing regular backups. That way, you can build security based on a philosophy of ‘if you don’t know it – don’t trust it’.
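As an added illustration of the ‘if you don’t know it – don’t trust it’ check above, and of the MAC-address inventory from the Network Partitioning section (example code written for this article, not a tool from the author or TMC): it reads a neighbour table in `ip neigh` format, compares each MAC against an inventory of known devices and their assigned subnets, and flags both unknown devices and known devices that have turned up on the wrong subnet, as a fire panel with a cellular back door might. All addresses, MACs and device names are constructed.

```python
import ipaddress
import re

# Constructed inventory standing in for the network diagram the article calls
# for: each known device's MAC and the subnet it is supposed to live on.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("lobby camera", "10.20.0.0/24"),      # security subnet
    "aa:bb:cc:00:00:02": ("hvac controller", "10.30.0.0/24"),   # HVAC subnet
    "aa:bb:cc:00:00:03": ("fire panel, cellular backup", "10.40.0.0/24"),
}

# Constructed neighbour-table sample in `ip neigh` format (hypothetical
# addresses, not a real capture). The FAILED entry has no MAC to attribute.
NEIGH_SAMPLE = """\
10.20.0.15 dev vlan20 lladdr aa:bb:cc:00:00:01 REACHABLE
10.30.0.7 dev vlan30 lladdr aa:bb:cc:00:00:02 STALE
10.10.0.44 dev vlan10 lladdr aa:bb:cc:00:00:03 REACHABLE
10.10.0.200 dev vlan10 lladdr de:ad:be:ef:00:99 REACHABLE
10.20.0.99 dev vlan20 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17}) \S+$", re.I)


def audit(neigh_text, inventory):
    """Return (ip, mac, status, detail) tuples, status in {ok, unknown, misplaced}.

    Unknown MACs are flagged so they can be chased down. Known MACs seen outside
    their assigned subnet are flagged too: that is how a device with a second
    (cellular) path can quietly end up on the office network."""
    findings = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # unresolved or malformed entry, nothing to check
        ip, mac = m.group(1), m.group(2).lower()
        if mac not in inventory:
            findings.append((ip, mac, "unknown", "not in inventory"))
            continue
        name, subnet = inventory[mac]
        if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):
            findings.append((ip, mac, "ok", name))
        else:
            findings.append((ip, mac, "misplaced", f"{name}, expected in {subnet}"))
    return findings


def needs_chasing(findings):
    """Only the entries an IT manager should go and track down."""
    return [f for f in findings if f[2] != "ok"]
```

Run `needs_chasing(audit(NEIGH_SAMPLE, KNOWN_DEVICES))` against a live `ip neigh` dump on a schedule, and treat every entry it returns as a device to chase down.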

If you’d like to discuss developing an IoT network drawing layer, or to comment on this article, please email me at .

This article was published in the May 2024 edition of The TMC Advisor, ISSN 2369-663X, Volume 11, Issue 4.

©2024 TMC Consulting