Implementing Best Practices

If functionality exists, send all device logs to a centralized logging system.

Create alerts for the following:

1. Multiple failed logins followed by successful logins.

2. Device health, system reboots, and shutdowns.

Deny internet access from and to IoT devices.

Deny IoT systems access to corporate servers unless required for normal operation.

Deny access from unallocated IP addresses on IoT segments.

Deny DHCP leases to IoT MAC addresses except on their assigned segments.

Ensure root accounts are secured, and if functionality exists, utilize lower privileged accounts such as for embedded web servers.

Ensure any accounts used by IoT devices to authenticate communications or workloads have minimal privileges.

Isolate IoT devices in a dedicated protected segment of the network.

Prevent IoT segments from talking to non-IoT networks.

Ensure that IoT devices do not connect to other computers via alternate channels, including physical devices like keyboards, monitors, or mice.

Follow standardized patching hygiene for IoT.

1. If possible, enable automatic updates and periodically verify patches are successful.

Disable unused features and, if possible, software packages.

Assign IP addresses to authorized devices statically or via dedicated DHCP leases.

Change default passwords.

Utilize security best practice guidelines from manufacturers to harden devices and services.

For IoT with monitoring functions, improve alerting by adding detections for:

1. Interruptions in logging.

2. Application-related logging (if applicable).

3. Out of business hours activity.

Deploy network layer sensors to monitor IoT segments, and log all network activity. Alert on:

1. Sessions from and to any new system.

2. Access to any port associated with IoT configuration.

3. New devices attached to IoT segments.

4. Physical disconnection from the network.

5. Use of IoT assigned addresses on non-IoT segments.

Allow access to configuration capabilities only from networks dedicated to authorized administrative users.

Restrict IoT access to internal systems except those required for normal operation.

Ensure all services running on the device utilize non-superuser, low-privileged accounts.

Secure physical access to corporate IoT devices.

Segment IoT that requires internet access from others that operate properly without it.

Utilize random passwords.

Enforce password complexity if possible.

Disable unencrypted configuration channels.

The level of event alerting depends on what logs are available from the device. If possible, create alerts for administrator access patterns and actions taken, tracked with alerts for abnormal behaviors.

Profile logs from network-based monitoring and alert on abnormal:

1. Patterns of communication based on layer three (3) and layer four (4) details.

2. Amounts of data transfer.

3. Times of configuration access.

4. Duration of network sessions.

Deny any access to IoT devices from any unapproved network or service.

Focus on enforcing the minimal amount of user privileges that allow users to perform their roles. Apply this to processes.

Segment IoT based on device types, physical locations, or business functions.

If MFA functionality is available, configure access for all.