Nick Barendt directs the Institute for Smart, Secure and Connected Systems at Case Western Reserve University, which focuses on the Industrial Internet of Things.

Oct 07 2021

Colleges Secure the IoT With Proactive Solutions and Strategies

Mitigating risks related to the Internet of Things requires the right solutions, policies and best practices.

Nick Barendt, executive director of the Institute for Smart, Secure and Connected Systems (ISSACS) at Case Western Reserve University, illustrates the challenge of protecting Internet of Things devices by comparing them to more traditional IT assets.

“It’s still hard to, say, secure a web server, but it’s a limited scope of work,” Barendt notes. “I have to worry about a few ports, and I can control ingress and egress for those ports. I also control the physical device in a data center. The issue with IoT is that it spreads your surface area of attack infinitely. Anyone can walk up to a device, if they can access it, and either brute-force attack the device or use the compromised device to launch other types of attacks.”

As a result, Barendt says, many IoT vendors have begun to take security more seriously, building cybersecurity solutions into their products and eliminating risky practices such as shipping all devices with the same default password. Higher education institutions can further protect themselves, he says, by using zero-trust networking methodologies, storing passwords securely and encrypting traffic to and from IoT devices.

The vulnerabilities associated with the IoT are amplified by the explosive growth in the number and types of devices.

“It’s a huge number,” Barendt says. “Our campus has had high-speed internet to every dorm since the ’90s. It’s been common for students to have multiple IP-connected devices in their rooms for a long time.”

According to some estimates, there were nearly 12 billion connected IoT devices worldwide at the end of 2020, surpassing non-IoT connections (such as smartphones, laptops and desktops) for the first time.

“For years, the IT environment was separate from the operational technology environment,” Barendt says. “More and more, those things are bleeding together, and groups that are not thoughtful about it are opening up holes in their systems from a security standpoint.”

MORE ON EDTECH: A proactive approach to avoiding zero-day attacks in higher education.

Navigating Higher Ed IoT Cyber Risks 

Alan Mihalic, president of the IoT Security Institute, notes that IoT technologies “will change the way our society operates.”

Along with significant benefits, he notes, this change will bring challenges related to privacy and security.

“IoT will be at the core of the smart cities we live in, the smart buildings we occupy and even the smart bodies we inhabit,” he says. “Our privacy will be under scrutiny like never before, and our right to protect it will be under threat from an ever-growing field of threat agents.”

To secure its IoT environment, the University of Alabama at Birmingham relies on a mix of network segmentation, asset management and vulnerability management tools, says Curtis Carver Jr., vice president for IT and CIO. These strategies are supported by policies, first adopted by the 
university in 2019, that put parameters around IoT practices.

Nick Barendt
Our campus has had high-speed internet to every dorm since the ’90s. It’s been common for students to have multiple IP-connected devices in their rooms for a long time.”

Nick Barendt Executive Director of the ISSACS, Case Western Reserve University

“For each of the IoT devices, we know what site it’s supposed to connect to for patching. We turn off everything else,” Carver says. “Is there a possibility that one of the IoT sites gets corrupted? They could. We just haven’t seen that level of sophistication yet. It’s like running away from a bear: You don’t want to be the slowest one.”

For network segmentation, the university relies on Palo Alto Networks firewalls, says CISO Rob Ferrill. Attacks on some IoT devices themselves — such as those used in healthcare — could result in catastrophe, he notes. But for most IoT devices, he says, the greatest danger of an attack is that the device will be used as a launching point for hackers to infiltrate portions of the network that house sensitive data.

“If you get in a situation where your IoT equipment can be compromised on a large scale and used to attack something else, then it becomes a big deal,” Ferrill says.

UAB’s policies call for all default credentials to be changed on IoT devices, the creation of standard user accounts for the operation of IoT devices when possible, and rapid identification and patching of vulnerabilities.

Click the banner below to get a free checklist on preventing and remediating zero-day exploits.

Lessons Learned from a Suspicious IoT Device

At Troy University in Virginia, the IoT environment includes streaming media devices in residence halls, facility monitoring technologies and classroom multimedia displays.

W. Greg Price Sr., chief security officer and CTO, recalls a time several years ago when IT staffers noticed an extra device popping up on the IoT network and then disappearing again. 

Initially, staffers thought it was a bad sensor or thermostat, but additional digging revealed that a student laptop was “impersonating” a thermostat and hacking into the network to lower the temperature of some students’ dorm rooms. Officials confirmed their suspicions by standing outside the residence hall and identifying windows that were more fogged up than the others.

“If they’d had a malicious mindset, given the level of access they’d acquired, they could have created some havoc with our maintenance crew, or burned up some hardware,” says Price. “Thankfully, the students just wanted their rooms cooler.”

To shore up its IoT security, Troy relies on Fortinet network scanning tools, Palo Alto Networks firewalls and network assessments from Rapid7.

EXPLORE: Tips for establishing a long-term security plan for remote staff and faculty.

“One of the biggest things we do is an inventory,” Price says. “Our philosophy of security is that you can’t manage what you don’t know about. We keep a really active database of all IoT devices, and that allows us to take a look at the manufacturer and to subscribe to and watch for patches.”

The university also relies on extensive network segmentation, pushing IoT devices to a segment separate from administrative and research networks, says Price.

“We keep those hardware components in their own world, completely restricted from the other computing areas of the university,” he says.

Although many IoT vendors have started paying more attention to cybersecurity in recent years, it is still up to institutions to protect themselves, Price notes.

“You just have to come to terms with the fact that vendors are mostly concerned with functionality, so you have to manage your network space in such a fashion that you deal with the security problems,” he says.

Roger Mastroianni