Analysis summary of the full report *Assessing the cyber security threat to UK organisations using Enterprise Connected Devices*.
# Best Practices: Securing Enterprise Connected Devices
## Overview
These practices address the security risks associated with **Enterprise Connected Devices (ECDs)**: non-traditional computing devices such as smart printers, IP cameras, VoIP phones, and building management systems. Because these devices often lack robust built-in security, have long lifespans, and are difficult to patch, threat actors frequently use them as an entry point into a network or as a place to persist once they are inside.
## Key Recommendations
### Immediate Actions
1. **Change Default Credentials:** Immediately replace factory-set usernames and passwords on all connected devices with unique, complex credentials, and record them in the organisation's password manager or credential vault so they survive staff turnover.
2. **Disable Unnecessary Services:** Turn off unused protocols and features (e.g., Telnet, FTP, UPnP, SNMP v1/v2c, or an unneeded web admin interface) that increase the device's attack surface; what remains should be the minimum the device needs to do its job.
3. **Perform a Discovery Scan:** Run a network scan to identify all currently connected ECDs. You cannot protect what you cannot see.
4. **Isolate Vulnerable Devices:** Move devices known to have unpatchable vulnerabilities to a restricted "guest" or isolated network segment immediately.
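A worked example of steps 2 and 3, added here rather than taken from the report: the Python below parses the XML that `nmap -oX` writes, lists each live host with its MAC address and vendor (the starting point for the asset register), and flags services an ECD rarely needs to expose. The XML, addresses, MACs and vendor strings are constructed for the example, and the list of risky services is a starting point to extend for your environment.

```python
"""Parse an nmap XML report and flag ECDs exposing risky services.

Added example: the XML below is constructed to mimic `nmap -sS -sU -sV -oX`
output; the addresses, MACs and vendor strings are made up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Services a connected device rarely needs to expose on a corporate LAN,
# keyed by port number (constructed list; extend it for your environment).
RISKY_SERVICES = {
    21: "ftp (cleartext file transfer)",
    23: "telnet (cleartext admin)",
    80: "http (unencrypted admin interface)",
    161: "snmp (often v1/v2c with default community strings)",
    1900: "upnp/ssdp (automatic port mapping)",
}

# Constructed sample in the shape nmap -oX produces.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.20.30.0/24">
  <host>
    <status state="up"/>
    <address addr="10.20.30.11" addrtype="ipv4"/>
    <address addr="00:40:8C:AA:BB:01" addrtype="mac" vendor="Axis Communications"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.20.30.12" addrtype="ipv4"/>
    <address addr="00:1E:0B:CC:DD:02" addrtype="mac" vendor="Hewlett Packard"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.20.30.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Device:
    ip: str
    mac: str
    vendor: str
    open_ports: dict = field(default_factory=dict)   # port number -> service name

    def risky(self):
        """Subset of open ports that appear in RISKY_SERVICES."""
        return {p: RISKY_SERVICES[p] for p in sorted(self.open_ports) if p in RISKY_SERVICES}


def parse_nmap_xml(xml_text):
    """Return one Device per host that nmap reports as up."""
    devices = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = ""
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
                vendor = addr.get("vendor", "")
        dev = Device(ip, mac, vendor)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            dev.open_ports[int(port.get("portid"))] = svc.get("name", "") if svc is not None else ""
        devices.append(dev)
    return devices


def exposure_report(xml_text):
    """Map IP -> sorted risky-service descriptions, for hosts that have any."""
    return {d.ip: sorted(d.risky().values()) for d in parse_nmap_xml(xml_text) if d.risky()}


if __name__ == "__main__":
    for dev in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{dev.ip:15} {dev.mac:18} {dev.vendor:22} open={sorted(dev.open_ports)}")
    for ip, findings in exposure_report(SAMPLE_NMAP_XML).items():
        for finding in findings:
            print(f"RISK {ip}: {finding}")
```

Run the real scan with `-sU` as well as `-sS` if you want SNMP and SSDP to appear at all; both are UDP and a TCP-only scan will miss them. The MAC/vendor columns are only populated when the scanner sits on the same layer-2 segment as the devices.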
### Short-term Improvements (1-3 months)
1. **Network Segmentation:** Implement VLANs to separate ECDs from the primary corporate data network and sensitive servers.
2. **Establish a Patch Management Cadence:** Create a schedule to check for and apply firmware updates from manufacturers at least monthly.
3. **Implement Access Control Lists (ACLs):** Configure firewalls to restrict ECD communication. For example, a smart camera should only talk to its recording server, not the HR database.
4. **Formal Inventory:** Create a "Source of Truth" asset register including MAC addresses, IP addresses, firmware versions, and physical locations.
### Long-term Strategy (3+ months)
1. **Zero Trust Architecture:** Work toward a model where ECDs are never trusted by default and require continuous verification to access network resources.
2. **Supply Chain Policy:** Update procurement processes to require "Secure by Design" certifications for all new connected hardware, and to require vendors to state a defined security support period and a vulnerability disclosure process before purchase.
3. **Decommissioning Plan:** Establish a lifecycle policy to replace devices that have reached "End of Life" (EoL) and no longer receive security updates.
4. **Automated Monitoring:** Deploy IoT-specific security monitoring tools that can detect anomalous behavior (e.g., a printer suddenly sending data to an external IP).
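As an added illustration of the ACL and monitoring points above (not code from the report), the following Python checks flow records against a per-device communication profile: a camera that only ever talks to its NVR, a printer that talks to its print server and DNS. Anything else is classified as external egress, an admin-port probe (the lateral movement a segmentation policy should block), or simply off-profile; a source with no profile at all is reported so it can be added to the inventory. The flow records, addresses and profiles are constructed, and 203.0.113.0/24 is a documentation range standing in for "the internet".

```python
"""Flag ECD traffic that falls outside its expected communication profile.

Added example. The allowlist, flow records and addresses are constructed;
203.0.113.0/24 is a documentation range standing in for the internet.
"""
import ipaddress

# RFC 1918 ranges: anything outside these is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Admin/file-sharing ports an ECD has no business reaching on other hosts.
ADMIN_PORTS = {22, 23, 445, 3389, 5985, 5986}

# Per-device profile: the (destination, protocol, port) tuples each ECD may use.
ALLOWLIST = {
    "10.20.30.11": {("10.20.40.5", "tcp", 554)},                              # camera -> NVR (RTSP)
    "10.20.30.12": {("10.20.40.9", "tcp", 443), ("10.20.40.1", "udp", 53)},   # printer -> print server, DNS
}

# Constructed flow records (NetFlow/IPFIX-like): source, destination, protocol, port, bytes.
FLOWS = [
    {"src": "10.20.30.11", "dst": "10.20.40.5", "proto": "tcp", "dport": 554, "bytes": 8_400_000},
    {"src": "10.20.30.11", "dst": "10.20.50.2", "proto": "tcp", "dport": 445, "bytes": 1_200},
    {"src": "10.20.30.12", "dst": "10.20.40.9", "proto": "tcp", "dport": 443, "bytes": 90_000},
    {"src": "10.20.30.12", "dst": "203.0.113.77", "proto": "tcp", "dport": 443, "bytes": 52_000_000},
    {"src": "10.20.30.12", "dst": "10.20.40.1", "proto": "udp", "dport": 53, "bytes": 300},
    {"src": "10.20.30.99", "dst": "10.20.40.5", "proto": "tcp", "dport": 554, "bytes": 4_000},
]


def is_external(addr):
    """True if addr lies outside every RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def classify(flow):
    """Return None for expected traffic, otherwise a short reason string."""
    src, dst = flow["src"], flow["dst"]
    if src not in ALLOWLIST:
        return "unprofiled device (add to inventory or remove from network)"
    if (dst, flow["proto"], flow["dport"]) in ALLOWLIST[src]:
        return None
    if is_external(dst):
        return f"egress to external address ({flow['bytes']} bytes)"
    if flow["dport"] in ADMIN_PORTS:
        return "admin port on another host (possible lateral movement)"
    return "outside communication profile"


def alerts(flows):
    """(src, dst, dport, reason) for every flow that is not expected."""
    return [(f["src"], f["dst"], f["dport"], reason)
            for f in flows if (reason := classify(f)) is not None]


if __name__ == "__main__":
    for src, dst, dport, reason in alerts(FLOWS):
        print(f"ALERT {src} -> {dst}:{dport}  {reason}")
```

The profile is the same information the firewall ACL encodes, so the two should be generated from the same source: if the allowlist and the ACL drift apart, the monitoring either fires on traffic the firewall permits or misses traffic it blocks.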
---
## Implementation Guidance
### For Small Organizations
- **Focus on Defaults:** Ensure the router firewall is active and all device passwords are changed.
- **Physical Security:** Ensure devices (like NAS drives or smart hubs) are not physically accessible to the public.
- **Use Guest Wi-Fi:** Place smart office devices (coffee machines, TVs) on the "Guest" Wi-Fi rather than the main business network, and enable client isolation on that network so the devices cannot reach each other or visitors' laptops.
### For Medium Organizations
- **VLAN Segmentation:** Use departmental VLANs to separate office equipment (printers/VOIP) from core business operations.
- **Centralized Management:** Use a centralized management console if provided by the vendor to push updates across multiple devices simultaneously.
- **Audit Logs:** Enable and forward logs from critical ECDs to a central logging server.
### For Large Enterprises
- **Network Access Control (NAC):** Implement NAC (e.g., 802.1X) to ensure only authorized, profiled devices can join the network.
- **Forensic Readiness:** Ensure devices are configured to provide sufficient logging for digital forensics in the event of a breach.
- **Micro-segmentation:** Move beyond simple VLANs to micro-segmentation, preventing lateral movement between individual devices.
---
## Configuration Examples
* **Firewall Rule (The "Muzzle" approach):** allow the one flow the device needs, then deny everything else it originates. On a first-match firewall the specific allow must come before the broad deny; written the other way round, a deny covering the internal server network would also swallow the NVR allow if the NVR lives there. The same pair written as a loadable nftables fragment (addresses are placeholders to replace before `nft -f`):

```nft
define camera = 10.20.30.11
define nvr    = 10.20.40.5

table inet ecd {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # ALLOW [Security_Camera_IP] to [NVR_Server_IP] port 554 (RTSP)
        ip saddr $camera ip daddr $nvr tcp dport 554 accept
        # DENY [Security_Camera_IP] to everything else, internal servers included
        ip saddr $camera drop
    }
}
```

  Check the direction before deploying: with most NVRs the recorder pulls the stream, so the connection is NVR to camera on port 554 and `saddr`/`daddr` are swapped. The `established,related` line lets the reply packets of that one permitted connection through.
* **Hardening:** Disable **WPS (Wi-Fi Protected Setup)** on any wireless network the devices use, and disable **SNMP v1/v2c** (community strings travel in cleartext); where SNMP is needed, use v3 at the `authPriv` level so requests are both authenticated and encrypted.
---
## Compliance Alignment
- **NIST SP 800-213:** IoT Device Cybersecurity Guidance for the Federal Government.
- **ISO/IEC 27001:** Controls for asset management and network security.
- **CIS Controls (v8):** Specifically Control 1 (Inventory and Control of Enterprise Assets), Control 4 (Secure Configuration of Enterprise Assets and Software), and Control 13 (Network Monitoring and Defense).
- **Cyber Essentials (UK):** Requirements for firewalls, secure configuration, and patch management.
---
## Common Pitfalls to Avoid
- **"Set and Forget" Mentality:** Assuming a device is secure because it was configured correctly three years ago.
- **Shadow IoT:** Employees bringing in personal smart devices (e.g., voice assistants) and connecting them to the enterprise network.
- **Ignoring EoL:** Continuing to use mission-critical devices after the manufacturer has stopped providing security patches.
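The three pitfalls above are all failures of the asset register described under Short-term Improvements, so here is an added example (not code from the report) of the check that catches them: reconcile a discovery scan against the register to find devices on the wire that nobody registered (shadow IoT) and registered devices that have gone quiet, then flag entries past their vendor end-of-life date or running firmware older than the latest version recorded from the vendor's support portal. The register, the scan result, the "latest firmware" table, and every address, version and date in them are constructed.

```python
"""Reconcile a discovery scan with the asset register; flag shadow IoT, EoL, stale firmware.

Added example. The register, the scan result, the latest-firmware table and
every MAC, address, version and date in them are constructed.
"""
import csv
import io
from datetime import date

# Constructed "source of truth" register, one row per managed ECD.
ASSET_REGISTER_CSV = """mac,ip,type,location,firmware,eol_date
00:40:8c:aa:bb:01,10.20.30.11,ip_camera,Lobby,5.51.2,2027-06-30
00:1e:0b:cc:dd:02,10.20.30.12,printer,Floor 2,2.9.1,2023-01-31
00:0b:82:ee:ff:03,10.20.30.20,voip_phone,Floor 1,1.4.0,
"""

# Constructed result of today's discovery scan: MAC addresses seen on the LAN.
SCAN_SEEN_MACS = {
    "00:40:8C:AA:BB:01",   # camera, registered
    "00:0B:82:EE:FF:03",   # VoIP phone, registered
    "B8:27:EB:12:34:56",   # not registered: shadow IoT candidate
}

# Latest firmware per device type, as recorded from the vendors' support portals (constructed).
LATEST_FIRMWARE = {"ip_camera": "5.51.5", "printer": "2.9.1", "voip_phone": "1.4.0"}


def load_register(csv_text):
    """MAC (lower-cased so scan and register agree) -> register row."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}


def version_tuple(version):
    """'5.51.2' -> (5, 51, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def reconcile(register, seen_macs, today):
    """Compare register and scan; return the four lists a reviewer acts on."""
    seen = {m.lower() for m in seen_macs}
    known = set(register)
    return {
        # On the wire but not in the register: shadow IoT until proven otherwise.
        "unknown": sorted(seen - known),
        # In the register but not seen: offline, moved, or a stale entry to clean up.
        "missing": sorted(known - seen),
        # Vendor support has ended; an empty eol_date means "not yet announced".
        "past_eol": sorted(
            mac for mac, row in register.items()
            if row["eol_date"] and date.fromisoformat(row["eol_date"]) < today
        ),
        # Firmware behind the latest version known for that device type.
        "outdated_firmware": sorted(
            mac for mac, row in register.items()
            if row["type"] in LATEST_FIRMWARE
            and version_tuple(row["firmware"]) < version_tuple(LATEST_FIRMWARE[row["type"]])
        ),
    }


if __name__ == "__main__":
    report = reconcile(load_register(ASSET_REGISTER_CSV), SCAN_SEEN_MACS, date.today())
    for category, macs in report.items():
        print(f"{category:18} {macs}")
```

Run it on the same cadence as the patch check; a device that turns up in `past_eol` belongs in the decommissioning plan, not on the firmware schedule.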
---
## Resources
- **NCSC Guidance:** [ncsc.gov.uk/guidance/connected-places-cyber-security-principles](https://www.ncsc.gov.uk/guidance/connected-places-cyber-security-principles)
- **NCSC/CISA Edge Device Guidance:** digital forensics and protective monitoring specifications for producers of network devices and appliances, an NCSC-led publication released jointly with CISA and international partners: [ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring](https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring)
- **Manufacturer Documentation:** Always check the support portal for your specific device model for the latest firmware.