IoT is Everywhere

by Melissa Tebbenkamp – Director of Instructional Technology – Raytown Quality Schools

As I ponder recent conversations I’ve had around data and cybersecurity, I can’t help but recall several energy-driven discussions on the Internet of Things (IoT). These discussions revolve around several key questions: What really is IoT? Why does it matter? How is IoT used in education? And, is IoT really a risk?

When schools think about the Internet of Things (IoT), many think about a teacher using a digital assistant, laptops or maybe even cell phones. It is true that IoT includes personal devices and items around our homes, such as video doorbells, home automation, networked thermostats, smart televisions, and now even my blender, but it is so much more than these personal devices.

In school, IoT devices are everywhere and can include student learning and assistive devices, glucose monitoring devices, security cameras, access control doors, networked HVAC and lighting control, vending machines, freezer/refrigerator monitors, and projectors, just to name a few. When overlooked, they can lead to network and data privacy vulnerabilities. If not managed properly, these networked devices can open a door to your network that may allow a malicious person to leverage them for a DDoS attack or mine your network and servers for valuable data. An example can be found in the EdScoop article "Ransomware used HVAC to infect Michigan K-12 district."

The requests for IoT on our networks are not slowing down. Advances in technology make these devices easier to deploy, which, at times, makes them harder to manage. There is hope: by following a few best practices, you can minimize your risk and begin embracing the devices that help to make the business of education more effective and impactful.

 

  • Adopt a data security framework that includes these five steps: Identify, Protect, Detect, Respond, Recover. For risk mitigation, your focus should be on the first 3 steps. 
    • Have a procurement process in place that requires someone to evaluate all devices that attach to the network prior to purchase and installation. Knowing what is on your network is critical; evaluating the devices before purchase is even better.
    • Protecting your network from IoT devices can be as much of an art as it is process-related. Know your network and determine the best path for your system.
      • Segment IoT devices on their own virtual network so they cannot communicate with your production (computing, servers, etc.) environments.
      • Ensure that new or stray devices cannot connect to your production environments. 
      • Change the password on all IoT devices from the manufacturer default. If the device does not allow a root password, do not allow it on your network or isolate it so that it cannot be reached from other devices.
      • Stay current on software and firmware updates. If the manufacturer does not release firmware updates, you may want to question their security practices and how the device is connected to the network to determine your level of risk. 
    • Ensure you have the correct tools to detect “rogue” devices or services on your network. This may include network monitoring to alert to new traffic as well as reviewing log files. If you know your “normal” network traffic, it is much easier to identify a new device and/or abnormal traffic.
  • Explore Cyber Malpractice insurance and ask your vendors what coverage they offer if their device is compromised on your network.
  • Note that consumer devices are just that, intended for consumers, not institutions. Check the terms of service and privacy policy to see if commercial/educational use is allowed and what protections they offer.
  • Check for privacy concerns. Determine what data a device is collecting and if it could potentially cause an exposure of biometric, PII or FERPA data.
  • If the device allows or requires a vendor to connect to your network, be sure to secure that connection and ensure that they can only access the necessary equipment/systems to manage the device.
  • Manage staff, student and vendor personal devices separately. These may include smart/fitness watches, voice assistants on phones and glucose monitoring devices. School systems should have a policy and procedure around these devices and limit the level of access they have on the network.
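The segmentation and rogue-device checks above can be automated by comparing what the network actually sees against the approved-device inventory from procurement. The following is an added example, not part of the original article: the subnets, MAC addresses, hostnames and lease lines are constructed, and the leases are assumed to be in the dnsmasq lease-file layout (expiry, MAC, IP, hostname, client ID).

```python
import ipaddress

# Constructed example values (assumptions, not from the article).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "production": ipaddress.ip_network("10.10.0.0/24"),
}

# Approved inventory from procurement review: MAC -> (name, assigned segment)
INVENTORY = {
    "00:11:22:aa:bb:01": ("hvac-controller", "iot"),
    "00:11:22:aa:bb:02": ("lobby-camera", "iot"),
    "00:11:22:cc:dd:10": ("office-pc-14", "production"),
}

# Constructed DHCP leases, dnsmasq layout: expiry mac ip hostname client-id
SAMPLE_LEASES = """\
1700000000 00:11:22:aa:bb:01 10.20.0.15 hvac-controller *
1700000000 00:11:22:AA:BB:02 10.10.0.77 lobby-camera *
1700000000 00:11:22:cc:dd:10 10.10.0.20 office-pc-14 *
1700000000 de:ad:be:ef:00:99 10.10.0.88 * *
"""

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit_leases(text):
    """Return (mac, ip, finding) tuples for leases that contradict the inventory."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        mac, ip = fields[1].lower(), fields[2]
        actual = segment_of(ip) or "unmapped"
        if mac not in INVENTORY:
            findings.append((mac, ip, f"unknown device on {actual} segment"))
            continue
        name, expected = INVENTORY[mac]
        if actual != expected:
            findings.append((mac, ip, f"{name} expected on {expected}, seen on {actual}"))
    return findings

if __name__ == "__main__":
    print(*audit_leases(SAMPLE_LEASES), sep="\n")
```

MAC addresses can be spoofed, so a clean report here supplements switch-level controls and traffic monitoring rather than replacing them.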

To help educational leaders navigate this complex challenge, the Consortium for School Networking (CoSN) recently released a guide on Securing IoT Devices on School Networks that discusses these practices as part of their cybersecurity initiative. More information can be found at https://cosn.org/cybersecurity

 

About the author: Melissa Tebbenkamp has served as the director of Instructional Technology for Raytown Quality Schools since 2006. Raytown Quality Schools is a tier one suburb of Kansas City, Mo. and educates 9,000 students a year. Melissa is a CoSN national Board member, a founding member and chair-elect of CoSN’s Missouri state chapter and was one of the first people in the U.S. to attain certification as a Certified Education Technology Leader. She also led Raytown Quality Schools (Missouri) to become a member of the first cohort to receive the CoSN Trusted Learning Environment Seal.