Securing IoT Devices on School Networks

As technologies evolve, the number of internet-enabled devices connected to school networks increases exponentially. Many of these devices, however, were not designed with strong cybersecurity protections. This includes devices that fall into the category of the Internet of Things (IoT), which are everyday objects that connect to the Internet so they can talk to back end applications and/or each other.

IoT devices can include:
  • Enterprise-level equipment used to control facility systems, such as HVAC, lighting, video cameras, door sensors, alarms, and badge readers
  • Learning tools, such as sensors or microscopes used in science or engineering classes, robots used for programming, assistive devices used by students with special needs, projectors, interactive whiteboards, or document cameras
  • Consumer technologies such as connected refrigerators in the cafeteria or devices owned by students, staff, and visitors which connect to the school network
It is critical for school technology leaders to protect their networks against the security vulnerabilities posed by these devices.
 
Best Practices for Securing IoT Devices
Procurement: Best practices for securing school networks start with the procurement process. Ensure that IT is involved in the process of evaluating and authorizing all devices that will connect to the school network. Internet-connected equipment being considered for purchase should be carefully evaluated to ensure it meets IT security and student data privacy requirements. Before purchase, determine what data will be collected, how it will be stored, who will have access, and what will happen to the data when the equipment reaches end-of-life or is no longer in use.
 
Vendor access: Determine what level of device access the vendor requires (if any) after installation and implement VPN access when possible. Consider limiting access to prescribed maintenance windows and require vendors to sign an acceptable use policy before allowing network access. Monitor vendor network activity and when possible require vendors to confirm scheduled network access in advance.
 
Device and network management: Network segmentation is critical; put IoT devices on a separate VLAN to safeguard the school network. Register and track each device and limit network access; utilize MAC address filtering or other security measures to prevent rogue devices from connecting to the network. Categorize IoT devices by function (i.e. curriculum and instruction, facilities, security, etc) and designate primary “gates” for each device or service to pass through. Proactively monitor network activity to identify traffic anomalies that may indicate a security breach and include IoT technologies in regular IT security reviews. In addition, disable network-related services not needed for day-to-day operations and ensure software and firmware updates are installed regularly.
 
Password management: Change all default device passwords and limit administrative access to key technical personnel. Utilize role-based device access to minimize security risks and give users the minimum permissions needed to do their jobs.
 
Consumer Devices
Consumer devices owned by students, school employees and visitors are making their way onto school campuses. In addition to laptops, tablets, and smartphones, IoT devices such as fitness/smartwatches, cloud-based voice assistants such as Amazon Alexa or Google Home, and medical devices such as glucose level monitors are increasingly common. School systems should develop and promote BYOD policies for both students and school employees. If allowing personally owned devices to connect to a school network, consider limiting the number of devices each user can connect and utilize network segmentation to segregate the network traffic.
 
Key Take-Aways
Although IoT devices have great potential from both an operational and education perspective, the technology is still in its infancy and is often not designed with cybersecurity in mind. School system IT leaders must actively partner with other departments, such as facilities and curriculum and instruction, to ensure that IoT technologies are deployed thoughtfully and safely. Thoughtful procurement processes, well-designed policies and procedures, and technical network safeguards can maximize the potential of IoT technologies while mitigating the security risks.