IoT Security: Protecting Smart Devices on Your Network

When people think of IoT, they often picture consumer gadgets like smart speakers and robot vacuums. But in a business environment, IoT is far more pervasive — and far more consequential if compromised. Common business IoT devices include:

• IP cameras and CCTV systems — Surveillance cameras connected to NVRs (Network Video Recorders) over your LAN.
• Building Management Systems (BMS) — HVAC controllers, energy meters and environmental sensors that manage climate, lighting and power.
• Access control systems — Badge readers, electronic locks and intercom panels that control physical entry to premises.
• Network printers and multifunction devices — Often overlooked, printers are fully networked computers with storage, web servers and email capabilities.
• Smart lighting — PoE-powered or wireless lighting systems controlled via a central management platform.
• Environmental sensors — Temperature, humidity and water-leak sensors in server rooms and warehouses.
• Point-of-sale terminals and digital signage players — Dedicated-purpose devices running embedded operating systems.

IoT devices introduce a unique set of security challenges that traditional IT security controls are not designed to handle:

• Default credentials — Many devices ship with well-known default usernames and passwords (e.g., admin/admin, root/root) and do not force users to change them during setup. Attackers maintain public databases of default credentials for thousands of device models.
• Infrequent or absent patching — Unlike Windows PCs that receive monthly updates, many IoT devices receive firmware updates rarely, if ever. Some manufacturers abandon firmware support within a year or two of release.
• Limited encryption — Budget IoT devices may transmit data in plain text or use weak, outdated encryption protocols.
• Large attack surface — Every IoT device on your network is another potential entry point for an attacker. A single compromised camera can become a pivot point for lateral movement into your core infrastructure.
• No endpoint protection — You cannot install antivirus or EDR agents on most IoT devices because they run proprietary or stripped-down operating systems.

The Mirai botnet, first discovered in August 2016, remains the most important case study in IoT security. The malware scanned the internet for IoT devices accessible via Telnet, attempted to log in using a hardcoded list of default credentials, and enrolled successfully compromised devices into a botnet capable of launching massive Distributed Denial of Service (DDoS) attacks. At its peak, Mirai generated attack traffic exceeding 1 Tbps — enough to overwhelm even the largest internet infrastructure providers.

The lesson from Mirai is stark: IoT devices with default credentials, open management ports and no firmware updates are not just a local risk — they become weapons that attackers use against others. Organisations have both a self-interest and an ethical responsibility to secure their IoT devices.

Securing IoT requires a layered approach that combines network architecture, device hardening and ongoing monitoring. Here are the essential steps:

The single most effective IoT security measure is network segmentation. Place all IoT devices on a dedicated VLAN (Virtual LAN) that is separate from your corporate data network. Configure firewall rules between VLANs so that IoT devices can reach the internet for updates and cloud services but cannot initiate connections to your servers, workstations or file shares. If a camera is compromised, the attacker is confined to the IoT VLAN and cannot pivot to your Active Directory server.

For Wi-Fi-connected IoT devices, create a separate SSID on your wireless network that maps to the IoT VLAN. This SSID should use WPA3 or at minimum WPA2-Enterprise, and should not be advertised to general users. Avoid placing IoT devices on the same SSID as employee laptops and mobile phones.

Apply the following hardening steps to every IoT device before connecting it to your network:

• Change default credentials — Set a unique, strong password for every device. Store credentials in your organisation's password manager.
• Update firmware — Apply the latest firmware before deployment and establish a schedule for ongoing firmware checks (quarterly at minimum).
• Disable unnecessary services — Turn off Telnet, UPnP (Universal Plug and Play), SNMP with default community strings, and any other services that are not required for the device's function.
• Disable UPnP on your router and firewall — UPnP allows devices to automatically open firewall ports, which IoT malware exploits to expose devices to the internet.
• Enable HTTPS for management interfaces — If the device has a web-based admin panel, ensure it uses HTTPS rather than HTTP.
• Limit management access by IP — Restrict access to device admin interfaces to specific management workstations or a jump host.

You cannot secure what you do not know about. Maintain a complete inventory of every IoT device on your network, including its make, model, firmware version, MAC address, IP address and physical location. Use network monitoring tools to watch for unexpected traffic patterns — for example, a camera that suddenly starts making outbound connections to an unfamiliar IP address in Eastern Europe is a strong indicator of compromise.

Network Access Control (NAC) solutions can automatically detect new devices connecting to the network, profile them, and place them on the correct VLAN. Products like Cisco ISE, Aruba ClearPass, FortiNAC and Portnox provide this capability. For smaller environments, MAC address filtering on managed switches offers a simpler (though less scalable) alternative.

As IoT security has matured, dedicated platforms have emerged to address the unique challenges of securing non-traditional devices. Solutions like Palo Alto IoT Security, Cisco Cyber Vision and Microsoft Defender for IoT use machine learning to profile IoT device behaviour, detect anomalies and enforce micro-segmentation policies. These platforms are typically deployed in enterprise environments with hundreds or thousands of IoT devices, but the principles they embody — behavioural baselining and anomaly detection — can be applied at smaller scales using standard firewall logging and SIEM tools.

The IoT industry has historically suffered from fragmentation — dozens of proprietary protocols, inconsistent security practices and poor interoperability. Two emerging standards aim to address this:

• Matter — An application-layer protocol developed by the Connectivity Standards Alliance (formerly the Zigbee Alliance) with backing from Apple, Google, Amazon and Samsung. Matter provides a unified standard for smart-home and smart-building devices, with security built in from the ground up — including device attestation, encrypted communications and secure over-the-air updates.
• Thread — A low-power mesh networking protocol that operates on the 802.15.4 radio standard. Thread provides the network layer that Matter runs on (alongside Wi-Fi and Ethernet). Its mesh architecture eliminates single points of failure, and its use of IPv6 simplifies network management. Thread also includes built-in AES encryption and device authentication.

While Matter and Thread are still maturing in the commercial space, they represent a significant step toward a more secure and interoperable IoT ecosystem. When evaluating new IoT devices, prefer those that support these standards.