Securing Connected Devices

Office devices:

• Smart printers and copiers: Often connected to your network with weak default passwords
• Security cameras: IP cameras that can be accessed over the internet
• Access control systems: Electronic door locks and card readers
• Smart TVs and displays: Conference room displays and digital signage
• VoIP phones: Internet-connected phone systems
• Wireless presentation systems: Devices for screen sharing in meetings

Building systems:

• HVAC controllers: Heating, ventilation, and air conditioning systems
• Lighting controls: Smart lighting systems
• Fire safety systems: Connected smoke detectors and alarms
• Energy management: Smart meters and power monitoring
• Security systems: Alarm systems and motion sensors

Manufacturing/production (if applicable):

• Industrial control systems: Programmable logic controllers (PLCs)
• Sensors and monitors: Temperature, pressure, and quality sensors
• Automated equipment: Robotic systems and conveyor controls
• Inventory systems: RFID readers and barcode scanners

Common vulnerabilities:

• Default passwords: Many devices ship with "admin/admin" or similar weak credentials
• No security updates: Old firmware with known vulnerabilities
• Weak encryption: Unencrypted data transmission
• No access controls: Anyone on the network can access the device
• Poor authentication: No multi-factor authentication options
• Insecure communication: Devices that communicate over unencrypted channels

Potential attack consequences:

• Network access: Criminals use IoT devices to access your business network
• Data theft: Cameras and sensors can reveal sensitive business information
• System disruption: Attackers can disable critical building or production systems
• Ransom attacks: Criminals lock industrial systems until you pay
• Physical damage: Malicious control of heating, cooling, or machinery
• Privacy violations: Security cameras and microphones can be used for surveillance

Device inventory and discovery:

1. Walk through your premises: List every device that connects to your network
2. Use network scanning tools: Tools like Fing or Advanced IP Scanner can find hidden devices
3. Check your router logs: Look for unknown devices in your network logs
4. Document device details: Record IP addresses, manufacturers, and firmware versions
5. Create a device register: Keep a spreadsheet with all connected devices
6. Review regularly: Update your inventory monthly

Basic device security:

1. Change default passwords: Replace factory passwords with strong, unique ones
2. Update firmware: Check for and install device updates monthly
3. Disable unnecessary features: Turn off unused services and ports
4. Enable encryption: Use WPA3 for wireless devices
5. Limit network access: Don't allow devices to communicate with the internet unless necessary
6. Use device certificates: Implement certificate-based authentication where possible

Network segmentation:

1. Create IoT VLANs: Put connected devices on separate network segments
2. Isolate critical systems: Keep production systems separate from office networks
3. Use guest networks: Put visitor devices on isolated networks
4. Implement firewall rules: Block unnecessary communication between network segments
5. Monitor network traffic: Watch for unusual communication patterns
6. Regular network audits: Check that segmentation is working properly

Access control:

1. Use strong authentication: Require complex passwords and change them regularly
2. Implement role-based access: Give users only the device access they need
3. Enable multi-factor authentication: Where supported by the device
4. Monitor access logs: Track who accesses devices and when
5. Remove default accounts: Disable or delete factory-set user accounts
6. Regular access reviews: Check who has access to which devices quarterly

Maintenance and monitoring:

1. Regular health checks: Test device functionality monthly
2. Monitor device behavior: Watch for unusual activity or performance changes
3. Backup configurations: Save device settings before making changes
4. Document procedures: Keep records of how to manage each device type
5. Plan for replacement: Know when devices reach end-of-life
6. Test disaster recovery: Ensure you can restore device functionality quickly

When a device is compromised:

1. Isolate the device: Disconnect it from the network immediately
2. Assess the impact: Determine what data or systems may be affected
3. Check other devices: Look for signs of lateral movement to other systems
4. Document the incident: Record what happened and when
5. Contact vendors: Report the incident to device manufacturers
6. Restore from backup: Reset the device to known good configuration

Recovery procedures:

1. Factory reset: Restore the device to original settings
2. Apply security updates: Install all available firmware updates
3. Reconfigure security: Set strong passwords and disable unnecessary features
4. Test functionality: Verify the device works properly
5. Monitor closely: Watch for continued suspicious activity
6. Update procedures: Improve security based on lessons learned

What happened: A Darwin law firm discovered their smart printer was being used to scan and steal client documents after criminals accessed it through the default admin password.

How it happened: The printer was connected to the business network with factory default credentials and no security updates, making it an easy target for network scanning attacks.

The damage: Criminals accessed the printer's internal memory and retrieved copies of confidential legal documents that had been scanned and printed.

What they fixed: Changed all device passwords, updated firmware, put IoT devices on a separate network, and implemented regular security audits.

Source: ACSC Small Business Cyber Security Guide

Security requirements when buying:

• Regular security updates: Vendor commits to providing firmware updates
• Strong authentication: Supports complex passwords and ideally MFA
• Encryption support: Data is encrypted in transit and at rest
• Access controls: Allows you to control who can access the device
• Audit logging: Tracks who accessed the device and when
• Network security: Supports modern network security protocols

Questions to ask vendors:

1. "How long will you provide security updates?"
2. "What security certifications does this device have?"
3. "Can we change the default passwords?"
4. "Does it support network segmentation?"
5. "What data does the device collect and store?"
6. "How do we securely dispose of the device when it's retired?"

Initial setup:

• Change all default passwords
• Update firmware to latest version
• Disable unnecessary features and services
• Configure network segmentation
• Enable encryption where available
• Document device configuration

Ongoing maintenance:

• Check for firmware updates monthly
• Monitor device access logs
• Review network traffic patterns
• Test device functionality regularly
• Update inventory documentation
• Review access permissions quarterly