In the last three years approximately one in five organizations has been subject to an IoT-based cyber-attack, according to Gartner Research. The IoT attack surface continues to grow quickly as more IoT endpoints are connected online. Perhaps IoT adoption has not affected your organization’s security just yet, but in this context I would like to call attention to your Wi-Fi network’s security before it becomes a problem.
Previously, I have discussed the security risks that come with IoT adoption and why it is easy to hack into these devices, as well as best practices in IoT security. Today, let’s look at Wi-Fi authentication methods and best practices to use for your IoT devices.
Unfortunately, enterprise IoT and Wi-Fi security are not always carefully planned and monitored. As with BYOD, organizations often have IoT devices on their networks without knowing it. Where IoT endpoints are being added to organizational Wi-Fi networks deliberately, IT administrators are already using visibility and authentication tools to protect against IoT security threats. The end goal should be enterprise-grade Wi-Fi security for every device that connects, not only the ones IT knows about, so that a single compromised endpoint does not turn into a network breach.
Wi-Fi network segmentation
Many older IoT devices lack an 802.1X supplicant and cannot use certificate- or credential-based authentication; some support nothing better than WPA2-PSK. Therefore, the best approach is to make sure that, wherever possible, they connect to a separate segment of the Wi-Fi network dedicated exclusively to IoT. That segment should not be used by any end users, including employees, guests and contractors, so that a compromised device has no end-user traffic to observe and no end-user systems within direct reach.
In general, setting up segmented sections and guest networks enables IT teams to separate traffic by type of user or device, assign access privileges based on the credential a device authenticated with, and keep guests and IoT devices off of the main business network. Note that a separate SSID on its own is not segmentation: each segment must map to its own VLAN or subnet, with firewall rules between it and the business network that allow only the traffic the IoT devices actually need, such as their management server or cloud endpoint. Creating separate Wi-Fi networks for IoT endpoints has the added benefit of keeping network performance at its best, since chatty or low-rate IoT clients no longer compete for the business Wi-Fi's airtime and capacity.
Use the right Wi-Fi authentication protocols
Open authentication and Wired Equivalent Privacy (WEP) should never be used in the enterprise, large or small: open networks are not encrypted, and WEP has had practical key-recovery attacks for well over a decade. WPA-PSK should be used only as a last resort where WPA-Enterprise (which authenticates every client individually through 802.1X) is not supported by a device. Separately, IT teams often must set up a dedicated service set identifier (SSID) for IoT because many IoT radios support only the 2.4 GHz band or a limited set of security modes; that is an operational need rather than a security requirement, and a dedicated SSID does not by itself provide any isolation.
Some organizations onboard IoT endpoints with WPA2-PSK, pre-shared key authentication in which every device authenticates, and derives its encryption keys, from the same password. These organizations grant Wi-Fi access this way for IoT devices such as printers, security cameras, smart refrigerators, smart TVs, HVAC sensors and more. WPA3-Personal replaces the PSK handshake with Simultaneous Authentication of Equals (SAE), which resists offline password guessing, but many IoT devices do not yet support it. This is not my recommended approach, but sometimes there is no other way. The weaknesses are structural: with WPA2-PSK, anyone who captures a single four-way handshake can test passphrase guesses offline at leisure, the passphrase is stored on every device in clear or recoverable form, and anyone who holds it and captures another device's handshake can decrypt that device's traffic on the same SSID. If you must use it, keep these networks segmented from end users, use a long random passphrase rather than a memorable one, make sure the passphrase is known only to the most trustworthy employee or to your IT contractor, and plan to rotate it on every device whenever a device is lost, retired or suspected of compromise.
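To make the shared-key weakness concrete, here is an added Python example written for this article (it is not code from the original post or from any vendor). It derives the WPA2-PSK pairwise master key exactly as every device on the SSID does, simulates the parts of a four-way handshake that a passive sniffer sees, and then recovers a weak passphrase offline from a wordlist while a long random one survives the same attack. The SSID, MAC addresses, passphrases, wordlist and EAPOL-Key frame bytes are constructed values.

```python
import hashlib
import hmac
import os

# Constructed values for the demonstration, not from a real network.
SSID = b"iot-sensors"
AP_MAC = bytes.fromhex("0013371a2b3c")   # authenticator address (AA)
STA_MAC = bytes.fromhex("00deadbeef01")  # supplicant address (SPA)


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The passphrase is the only secret, so every device on the SSID derives the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes): KCK(16) || KEK(16) || TK(16). Everything here except the PMK
    travels in the clear during the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def simulate_handshake(passphrase: str) -> dict:
    """Produce what a passive sniffer captures: the nonces from messages 1 and 2 and the MIC on message 2."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)[:16]
    # Constructed EAPOL-Key message 2 bytes with the MIC field already zeroed.
    eapol = b"\x02\x03\x00\x75\x02\x01\x0a" + b"\x00" * 8 + snonce + b"\x00" * 50
    return {"anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack_psk(capture: dict, wordlist: list):
    """Offline dictionary attack: once one handshake is captured, no further contact with the AP is needed.
    Returns the recovered passphrase, or None if no candidate reproduces the captured MIC."""
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, SSID), AP_MAC, STA_MAC,
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["password", "iotnetwork", "Welcome1", "Summer2019!"]
    print(crack_psk(simulate_handshake("Summer2019!"), wordlist))         # weak passphrase: recovered
    print(crack_psk(simulate_handshake("hV9#kq2Lm8!zRt4xWb"), wordlist))  # long random passphrase: None
```

The cost of each guess is one PBKDF2 run (4,096 iterations), which is exactly what GPU crackers parallelize; the defence is passphrase entropy, not secrecy of the handshake, and even a strong passphrase is still one secret copied onto every device.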
By far the most robust authentication methods are based on 802.1X/WPA2-Enterprise. Instead of a single shared password, each device authenticates with its own identity to a RADIUS server over EAP: either a digital certificate (EAP-TLS, the preferred option, since nothing guessable is ever sent) or a username and password (PEAP or EAP-TTLS), which should be unique to each device and never shared across devices. Because the session keys are derived from that individual authentication, devices on the same SSID cannot decrypt each other's traffic.
Because every device has its own identity, a single device can be dealt with without touching the others: if it is lost, stolen or starts sending distributed denial-of-service traffic, the Wi-Fi network security system can revoke its certificate or disable its account, kick it off the network, restrict its access to specific segments or move it to a quarantine VLAN. With a shared PSK, the only comparable response is to change the key on every device.
Controlled access for IoT devices on your Wi-Fi network
Your IT team cannot protect the wireless network unless they know which IoT endpoints exist or, preferably, have a system in place that keeps track of which devices are connecting to the network at any given time. With the right Wi-Fi security monitoring system in place, you can, and should, set up automatic access controls based on WPA2-Enterprise. Once an IoT device is identified and tagged, for example by the identity in its certificate or by device fingerprinting, the RADIUS server can return the VLAN the access point should place it on, and the network can apply the access control lists and rate limits that go with that class of device.
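The following added Python example, written for this article rather than taken from the original post or any product, shows the exchange that makes the identity-based control described in this section and the previous one work. After 802.1X authentication succeeds, the RADIUS server looks the device identity up in an inventory and returns an Access-Accept carrying the RFC 3580 VLAN attributes that put the device on its IoT segment (or on a quarantine VLAN), or an Access-Reject for a revoked device; the access point then verifies the Response Authenticator and extracts the VLAN. The inventory, identities, VLAN numbers and shared secret are constructed; a real EAP exchange also carries EAP-Message and Message-Authenticator attributes, which are omitted here.

```python
import hashlib
import hmac
import os
import struct

# Constructed device inventory (hypothetical names and VLAN numbers). With EAP-TLS the identity
# is the subject of the device's certificate; with PEAP/EAP-TTLS it is the device's unique username.
DEVICE_INVENTORY = {
    "cam-lobby-01.iot.example.com": {"tag": "camera", "status": "active"},
    "hvac-sensor-17.iot.example.com": {"tag": "hvac", "status": "active"},
    "printer-3f.iot.example.com": {"tag": "printer", "status": "revoked"},        # reported stolen
    "tv-boardroom.iot.example.com": {"tag": "smart-tv", "status": "quarantined"},  # flagged for DDoS traffic
}
VLAN_BY_TAG = {"camera": 120, "hvac": 121, "printer": 122, "smart-tv": 123}  # IoT segments
QUARANTINE_VLAN = 199

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                                     # RFC 2865 packet codes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute types
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
TAG = 1  # RFC 2868 tag that groups the three attributes into one tunnel


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, includes the 2 header bytes) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vlan_attributes(vlan_id: int) -> bytes:
    """RFC 3580 dynamic VLAN assignment. Tagged integer attributes carry the tag in the top byte."""
    return (
        attr(TUNNEL_TYPE, bytes([TAG]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + attr(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan_id).encode())
    )


def authorize(identity: str):
    """Policy step after authentication succeeded: which packet code and attributes to return."""
    rec = DEVICE_INVENTORY.get(identity)
    if rec is None or rec["status"] == "revoked":
        return ACCESS_REJECT, b""                               # unknown or stolen device: no access at all
    if rec["status"] == "quarantined":
        return ACCESS_ACCEPT, vlan_attributes(QUARANTINE_VLAN)  # reachable for remediation only
    return ACCESS_ACCEPT, vlan_attributes(VLAN_BY_TAG[rec["tag"]])


def build_response(code: int, identifier: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the access point checks before acting on the reply (it proves knowledge of the shared secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_vlan(packet: bytes):
    """Pull the VLAN out of an Access-Accept the way the access point does; None if rejected or absent."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break  # malformed attribute; stop rather than loop forever
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return int(packet[pos + 3:pos + alen].decode())  # skip the tag byte
        pos += alen
    return None


def handle(identity: str, identifier: int = 7, secret: bytes = b"constructed-shared-secret"):
    """One authorization round trip: returns (code, vlan) as the access point would see it."""
    request_auth = os.urandom(16)  # in reality taken from the NAS's Access-Request
    code, attributes = authorize(identity)
    packet = build_response(code, identifier, request_auth, attributes, secret)
    if not verify_response(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch")
    return code, parse_vlan(packet)


if __name__ == "__main__":
    for ident in DEVICE_INVENTORY:
        print(ident, handle(ident))
    print("unknown-device", handle("unknown-device"))
```

Revoking the stolen printer is a one-line inventory change that affects only that device; the cameras and sensors keep their credentials and their VLAN. The VLAN returned here is the IoT segment from the segmentation section, so the firewall policy between segments still has to exist for the assignment to mean anything.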
Include scalability when it comes to your IoT and Wi-Fi network security
Prepare your wireless network security as you would prepare your company for growth. With a growing number of locations, users and employees, you are adding more devices that must be inventoried and authenticated when planning your IoT network. To adapt to the rising number of locations, apps and devices, Wi-Fi security can be scaled by using SaaS solutions such as cloud-hosted RADIUS and device-management services, so that a new site or device is added to one central policy rather than to a separate appliance at each location. This way, as wireless networks and IoT technologies evolve in the upcoming years, your security will be able to scale and suit the needs of the time.
Using WPA2-Enterprise will turn your business Wi-Fi into a safer IoT network
As IoT usage has increased, having a secure Wi-Fi network to onboard and connect your IoT devices has become more crucial. The best authentication method to secure the network is WPA-Enterprise, and the easiest way to implement it is via a SaaS platform. IoT Wi-Fi security SaaS implementations can be done quickly with enterprise-grade security for organizations of any size. Thanks to the access and control systems now available, businesses can incorporate new IoT devices and sensors into their networks with more confidence and ease than ever before.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.