As I ponder recent conversations I’ve had around data and cybersecurity, I can’t help but recall several energy-driven discussions on the Internet of Things (IoT). These discussions revolve around several key questions: What really is IoT? Why does it matter? How is IoT used in education? And, is IoT really a risk?
When schools think about the Internet of Things (IoT), many think about teachers using digital assistants, laptops, or cell phones. IoT indeed includes personal devices and items around our homes, such as video doorbells, home automation, networked thermostats, smart televisions, and now even my blender. Still, it is so much more than these personal devices.
IoT devices are everywhere in schools and can include assistive devices, glucose monitoring devices, security cameras, access control doors, networked HVAC and lighting control, vending machines, freezer/refrigerator monitors, and projectors, to name a few. When overlooked, they can lead to network and data privacy vulnerabilities. Additionally, if not managed properly, these networked devices can open a door into your network that allows a malicious person to leverage them for a DDoS attack or to mine your network and servers for valuable data. One example can be found in the EdScoop article "Ransomware used HVAC to infect Michigan K-12 district."
The requests for IoT on our networks are not slowing down. Advances in technology make these devices easier to deploy, which in turn makes them harder to manage. There is hope: by following a few best practices, you can minimize your risk and begin embracing the devices that help make the business of education more effective and impactful.
- Adopt a data security framework that includes these five steps: Identify, Protect, Detect, Respond, Recover. For risk mitigation, your focus should be on the first three steps.
- Have a procurement process in place that requires someone to evaluate all devices that attach to the network before purchase and installation. Knowing what is on your network is critical—evaluating the devices before the investment is even better.
- Protecting your network from IoT devices can be as much of an art as it is a process. Know your network and determine the best path for your system.
- Segment IoT devices on their own virtual network so they cannot communicate in your production (computing, servers, etc.) environments.
- Ensure that new or stray devices cannot connect to your production environments.
- Change the password on all IoT devices from the manufacturer’s default. If the device does not allow the root (administrator) password to be changed, do not allow it on your network, or isolate it so that it cannot be reached from other devices.
- Stay current on software and firmware updates. If the manufacturer does not release firmware updates, you should question their security practices and look at how the device is connected to the network to determine your level of risk.
- Ensure you have the correct tools to detect “rogue” devices or services on your network. This may include network monitoring that alerts on new traffic and regular review of log files. Knowing your “normal” network traffic makes it much easier to identify a new device and/or abnormal traffic.
- Explore Cyber Malpractice insurance and ask your vendors what coverage they offer if their device is compromised on your network.
- Note that consumer devices are just that – intended for consumers, not institutions. Check the terms of service and privacy policy to see if commercial, and specifically, educational use is allowed and what protections they offer.
- Check the privacy implications. Determine what data a device is collecting and whether it could potentially expose biometric data, PII, or other data protected under FERPA and other applicable privacy laws.
- If the device allows or requires a vendor to connect to your network, be sure to secure that connection and ensure that they can only access the minimally necessary equipment/systems to manage the device.
- Manage staff, student and vendor personal devices separately. These may include smart/fitness watches, phone voice assistants, and glucose monitoring devices. School systems should have privacy and security policies and procedures that address the use and configuration of these devices and limit their level of access on the network.
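As an added illustration of the procurement-inventory, segmentation, and rogue-device practices above (example code, not from CoSN or the author), the script below checks DHCP server lease lines against an approved device inventory. It flags devices that are not in the inventory and inventoried IoT devices that show up on the production VLAN. The inventory, VLAN map, dhcpd-style log format, and all addresses are constructed assumptions for this example.

```python
import re

# Constructed inventory from the procurement process: MAC -> (description, approved VLAN)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("HVAC controller, building A", "iot"),
    "aa:bb:cc:00:00:02": ("security camera, front lobby", "iot"),
    "aa:bb:cc:00:00:03": ("staff laptop", "production"),
}

# Constructed VLAN map: address prefix -> VLAN name
VLANS = {"10.20.": "iot", "10.10.": "production"}

# Matches a dhcpd-style acknowledgement: "DHCPACK on <ip> to <mac> via <iface>"
LEASE_LINE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")


def vlan_for(ip):
    """Map an address to the VLAN it was handed out on, or 'unknown'."""
    for prefix, name in VLANS.items():
        if ip.startswith(prefix):
            return name
    return "unknown"


def audit(log_lines):
    """Return (category, mac, ip, message) findings for each suspicious lease."""
    findings = []
    for line in log_lines:
        match = LEASE_LINE.search(line)
        if not match:
            continue  # only DHCPACK lines represent a device actually on the network
        ip, mac = match.group(1), match.group(2).lower()
        seen_vlan = vlan_for(ip)
        if mac not in INVENTORY:
            findings.append(("rogue", mac, ip, f"device not in inventory, seen on {seen_vlan} VLAN"))
            continue
        description, approved_vlan = INVENTORY[mac]
        if seen_vlan != approved_vlan:
            findings.append(("segmentation", mac, ip,
                             f"{description} approved for {approved_vlan} VLAN but seen on {seen_vlan}"))
    return findings


# Constructed sample log lines: HVAC and laptop are where they belong, the camera
# has landed on the production VLAN, and an unknown device has obtained a lease.
SAMPLE_LOG = [
    "Jan 12 08:01:10 dhcpd: DHCPACK on 10.20.0.15 to aa:bb:cc:00:00:01 via eth1",
    "Jan 12 08:02:31 dhcpd: DHCPACK on 10.10.0.44 to aa:bb:cc:00:00:03 via eth0",
    "Jan 12 08:03:02 dhcpd: DHCPACK on 10.10.0.91 to aa:bb:cc:00:00:02 via eth0",
    "Jan 12 08:05:47 dhcpd: DHCPACK on 10.10.0.77 to de:ad:be:ef:00:01 via eth0",
    "Jan 12 08:06:00 dhcpd: DHCPREQUEST for 10.10.0.77 from de:ad:be:ef:00:01 via eth0",
]

if __name__ == "__main__":
    for category, mac, ip, message in audit(SAMPLE_LOG):
        print(f"[{category}] {mac} {ip}: {message}")
```

Feeding real lease or syslog lines through `audit` gives a starting point for the "know your normal" baseline the list calls for; the two finding categories map directly to the segmentation and rogue-device practices.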
To help educational leaders navigate this complex challenge, the Consortium for School Networking (CoSN) has released a guide on Securing IoT Devices on School Networks that discusses these practices as part of their cybersecurity initiative. More information can be found at https://cosn.org/cybersecurity.
About the author: Melissa Tebbenkamp has served as the Director of Instructional Technology and now the Chief Information Officer for Raytown Quality Schools since 2006. Raytown Quality Schools is a tier-one suburb of Kansas City, Mo. and educates 9,000 students a year. Melissa is a CoSN national Board member, a founding member and a past chair of CoSN’s Missouri state chapter and was one of the first people in the U.S. to attain certification as a Certified Education Technology Leader. She also led the Raytown Quality Schools (Missouri) to become one of the first cohorts to receive the CoSN Trusted Learning Environment Seal.