Before the internet, the idea that objects like lightbulbs, heaters, and locks could be controlled from a phone or computer seemed like something from the pages of a science fiction novel. However, our daily lives are now full of things that connect to the internet, not just our mobile phones and laptops.
These everyday items with digital capabilities are commonly referred to as devices. When connected to a network, not only can they be accessed online, they can also ‘talk to’ or exchange data with other devices and, in most cases, the cloud as well. Collectively, these devices and the links between them are what is known as ‘the Internet of Things’, or ‘IoT’ for short.
There are some great benefits that come with implementing IoT in schools and kura. For instance, IoT can increase the efficiency of building operations, reduce maintenance costs, and speed up the detection of maintenance issues. Items like digital whiteboards and smart TVs can enhance learning experiences.
However, IoT can also come with some cybersecurity risks and data privacy concerns. Below, we walk through some of these considerations and offer some tips on how to reduce the risks and use IoT more safely.
A day in the life of the IoT at a school
The year is 2030. A typical school day begins with lights and climate control systems activating as teachers and students arrive. Attendance is taken using Electronic Attendance Register (eAR) software, while teachers outline lesson plans on interactive smart whiteboards. Mid-morning, a temperature monitor confirms the outdoor pool is warm enough for swimming lessons. After lunch, students watch a documentary on a smart TV. Later, as a drama rehearsal wraps up, an electronic billboard announces ticket sales for the production. Finally, CCTV monitors the grounds as the last people leave, and the doors lock and the lights dim automatically for the night.
All these devices are connected to the internet, share data and automate tasks.
The future is now
It may sound futuristic, but every electronic item mentioned above can potentially be in use at a school in the present day. From whiteboards, lighting, locks, and heaters, right down to the school bell, many schools and kura now run with the daily help of objects connected to the internet. It’s likely your school is already using one or more of these IoT devices. Your school may have been designed with a number of IoT devices incorporated into its operating systems, or devices may have been added ad hoc.
Not only do the devices on the IoT connect to the internet, but they can also potentially connect and ‘talk’ to one another. Ryan, one of our cybersecurity analysts, explains: “Many IoT devices have the ability to periodically reach out to other devices or their respective servers to get updates, upload recordings or operational communications depending on their intended purpose.”
This feature of IoT can centralise operations at a school as every device can be managed from one place. Coordinating your school’s heating, lighting, and alarm systems from a dashboard that can be accessed remotely from a laptop can be highly practical from a building maintenance perspective.
However, as well as the benefits they bring, IoT devices may also carry risks, including for your school’s cybersecurity. It’s worth understanding the types of cybersecurity risks they may carry, as well as the best security practices to keep your school more secure while enjoying the benefits of IoT.
Considering the cybersecurity risks of IoT
Perhaps the most important thing to think about when connecting an IoT device to your school’s network is that it may have the potential to ‘talk’ to or access other devices on that network. So if your IoT heating and lighting system is registered on the same network as your staff and student devices, there is a possibility they can connect with one another. This could impact your school’s cybersecurity because a security vulnerability in an innocuous lightbulb or heater can be exploited by a malicious actor to gain entry to your network.
Famous examples of this are the Mirai Botnet attacks, in which thousands of IoT devices were infected with malware and then used in a DDoS attack against several companies across the world. The Mirai malware can initially infect IoT devices using a list of default passwords, which works when those passwords have never been changed from factory settings.
“Some devices, like smart TVs, might come with vulnerable firmware,” Ryan says. “Many IoT devices come with default passwords that are not changed during set up, and this can be abused by attackers once a school has installed these on a network. If a school or business doesn’t update its firmware, or patch vulnerabilities, devices on the IoT can cause real damage.”
How to be safer with IoT devices
Fortunately, there are lots of simple ways to mitigate some of the risks attached to IoT devices and improve or maintain your school’s cybersecurity posture in the process.
The first step is to do due diligence and research before purchasing IoT devices for your school, making sure vendors follow best practices for security and privacy. Please make sure that when IoT devices are being installed, password reset is included as part of the installation process. Installation is also a good time to think about who needs access to the device. With many IoT devices, you can restrict access and interface permissions to only those who need to use them.
“Because IoT devices widely differ between function and manufacturer, there is no consistent security standard between them. There is also no current industry standard when it comes to IoT, so it’s crucial to connect these devices with the proper security and safeguards in place,” says Ryan.
Make an inventory
If you already have IoT devices installed at your school, you can research their make and model, and check that they’re not still set up with default passwords. It’s helpful to maintain an inventory of IoT devices that records the date of their purchase, warranty, and installation. Many IoT devices have automatic security updates, but an inventory can help you make sure each device is patched and running the latest firmware. Once you have your inventory, set a reminder to review it regularly to ensure it stays up-to-date.
On this note, bear in mind that these security updates can stop running. “A lot of IoT devices get to an end-of-life stage in their updates and do not receive support from the manufacturer anymore,” says Ryan. “Things like CCTV equipment, smart TVs, and smart lighting, are able to work well past their manufacturing supported date, but could become more vulnerable to security threats after that time.”
One way to mitigate this is to make sure IoT devices are connected only to what is necessary.
“It’s best to not expose any IoT management interfaces to the internet beyond your school’s managed network if you don’t have to,” says Ryan. “If access to the device outside school is needed, consider VPN solutions or implement firewall rules to only allow certain IP ranges. Our Customer Support team can assist with this.”
Segment your network
A more long-term and overarching solution to keeping IoT devices safer is to connect them to separate VLANs and partitioned networks, such as the ones put in place by N4L’s Secure Access. Put simply, this means that rather than having every device at your school connected to one network, your devices can be allocated to separate subnetworks. Student devices such as Chromebooks might connect to a student network, staff laptops to a staff network, and shared and third-party devices like printers and Chromecasts might be on a separate network again.
“Through Secure Access, segmenting your school’s network is part of the process. This means that you can put all of the IoT devices into a cordoned-off section of your network and if anything goes wrong, this will limit the impact of any security breaches,” says Ryan.
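The inventory and segmentation advice above can be checked automatically. The following Python example is added here and is not N4L's code or tooling; the CSV column names, device names, IP addresses, subnet plan and audit date are all constructed assumptions.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample inventory (not real devices); column names are assumptions.
INVENTORY_CSV = """\
name,make_model,ip,purchased,installed,warranty_ends,support_ends,default_password_changed,mgmt_exposed_to_internet
Hall smart TV,ExampleTV 55,10.20.30.11,2019-02-01,2019-02-10,2022-02-01,2023-06-30,yes,no
Pool temp monitor,ExampleSense T1,10.20.10.57,2023-05-01,2023-05-04,2026-05-01,2029-12-31,no,no
Gate CCTV,ExampleCam X,10.20.30.12,2022-08-15,2022-08-20,2025-08-15,2028-01-31,yes,yes
Office lighting hub,ExampleLight H2,10.20.30.13,2024-01-10,2024-01-12,2027-01-10,2030-01-31,yes,no
"""

# Assumed subnet plan: one segment per device class, IoT cordoned off on its own.
SEGMENTS = {"students": "10.20.10.0/24", "staff": "10.20.20.0/24", "iot": "10.20.30.0/24"}
AUDIT_DATE = date(2025, 1, 1)  # constructed "today" so the result is reproducible


def segment_of(ip):
    """Return the name of the segment an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def audit(csv_text, today):
    """Map each device name to the list of issues found for it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["default_password_changed"].strip().lower() != "yes":
            issues.append("default password not changed")
        if date.fromisoformat(row["support_ends"]) < today:
            issues.append("past manufacturer support date")
        if row["mgmt_exposed_to_internet"].strip().lower() == "yes":
            issues.append("management interface exposed to internet")
        seg = segment_of(row["ip"])
        if seg != "iot":
            issues.append(f"on '{seg}' segment, expected 'iot'")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY_CSV, AUDIT_DATE).items():
        print(f"{name}: {'; '.join(issues)}")
```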
Keep users informed and trained
Lastly, keeping staff trained and informed about cybersecurity best practices always boosts your school’s cybersecurity posture. As the people regularly using IoT devices, they’re in a great position to spot any security concerns and help prevent any issues.
Ultimately, any device you connect to your school’s network brings with it an element of risk, but with careful device management and the right security posture in place, you can enjoy using the IoT at your school.