
The Internet of Things has moved from a consumer novelty to a critical enterprise infrastructure component. Smart building systems, IP cameras, industrial sensors, medical devices, and connected printers now outnumber traditional endpoints in many organisations—yet they receive a fraction of the security attention. This guide provides a practical framework for securing enterprise IoT.
The IoT Security Problem
Scale
Gartner forecasts over 25 billion connected IoT devices globally by 2025. In a typical enterprise, IoT devices can outnumber laptops and smartphones 3-to-1. Each device is a potential attack vector.
Device Limitations
Most IoT devices were designed with functionality and cost in mind, not security:
- Fixed or hardcoded credentials
- No secure boot mechanism
- Infrequent or absent firmware update capability
- Limited processing power (insufficient for traditional security agents)
- Long operational lifetimes (10–20 years) with software that quickly becomes obsolete
Expanded Attack Surface
IoT devices create new attack paths:
- Lateral movement: Compromise an IP camera to reach the corporate LAN
- Botnets: Enlist devices in DDoS attacks (Mirai botnet compromised 600,000+ devices)
- Data exfiltration: Medical devices or building management systems with access to sensitive networks
- Physical safety risks: Compromise of industrial control systems or medical equipment
IoT Security Framework
1. Asset Discovery and Inventory
You cannot secure what you do not know exists. Implement automated IoT discovery:
- Passive network monitoring: Tools like Claroty, Armis, or Forescout identify devices by their network behaviour without requiring agents
- Active scanning: Nmap or vendor-specific scanners to enumerate connected devices; scan fragile OT and medical devices cautiously, since some respond badly to aggressive probes
- CMDB integration: Maintain a continuously updated asset inventory including device type, location, firmware version, and network connection
Target state: 100% visibility into every connected device within 48 hours of connection.
2. Network Segmentation
Never allow IoT devices on the same network segment as corporate systems or sensitive data. Implement dedicated IoT network zones:
- Separate VLANs for each device category (cameras, HVAC, printers, medical, industrial)
- Firewall rules controlling exactly what traffic each IoT VLAN can send and receive
- Default deny: IoT devices should only communicate with their required management systems, not freely across the network
- No direct internet access from IoT VLANs; route through a controlled proxy if cloud connectivity is required
3. Secure Configuration
Before any IoT device joins your network:
- Change all default credentials (username AND password)
- Disable unused services and protocols (Telnet, FTP, UPnP, unnecessary HTTP interfaces)
- Enable encryption for management interfaces where supported (HTTPS rather than HTTP, SSH rather than Telnet)
- Register device with vendor for security advisories and update notifications
- Document the device's intended communication pattern for anomaly detection baselining
4. Firmware and Patch Management
IoT patch management is harder than traditional endpoint patching but equally critical:
- Establish a firmware inventory tracking current version vs latest available for every device
- Subscribe to vendor security advisories (CVE feeds, vendor mailing lists)
- Define patch SLAs: Critical vulnerabilities patched within 30 days; high within 90 days
- For devices that cannot be patched (legacy, end-of-life), implement compensating controls:
  - Virtual patching via IPS/WAF rules
  - Enhanced network monitoring
  - Physical isolation if the risk is unacceptable
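The firmware inventory and patch SLAs above can be tracked in a few lines of code. This is an added example, not tooling from the guide; the device names, versions and advisory dates are constructed, and the severity-to-days mapping is the one the guide states.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Patch SLAs from the guide: critical within 30 days, high within 90 days of the advisory.
SLA_DAYS = {"critical": 30, "high": 90}
AS_OF = date(2024, 3, 1)  # constructed report date

@dataclass
class Device:
    name: str
    current_fw: str
    latest_fw: str
    advisory_severity: Optional[str]  # severity of the worst open advisory, if any
    advisory_date: Optional[date]     # when that advisory was published
    patchable: bool = True            # False for legacy / end-of-life units

def version_tuple(v):
    """'1.10.0' -> (1, 10, 0), so that 1.10 sorts after 1.9 (string comparison would not)."""
    return tuple(int(p) for p in v.split("."))

def needs_update(dev):
    return version_tuple(dev.current_fw) < version_tuple(dev.latest_fw)

def sla_status(dev, today):
    """One of: current, within_sla, overdue, compensating_controls."""
    if not needs_update(dev):
        return "current"
    if not dev.patchable:
        return "compensating_controls"   # virtual patching, monitoring or isolation instead
    if dev.advisory_severity not in SLA_DAYS or dev.advisory_date is None:
        return "within_sla"              # no tracked advisory: update on the routine cycle
    age_days = (today - dev.advisory_date).days
    return "overdue" if age_days > SLA_DAYS[dev.advisory_severity] else "within_sla"

def report(devices, today):
    return {d.name: sla_status(d, today) for d in devices}

# Constructed sample inventory, not real devices or real advisories.
INVENTORY = [
    Device("cam-lobby-01", "2.3.1", "2.3.1", None, None),
    Device("cam-dock-04", "2.1.0", "2.3.1", "critical", date(2024, 1, 5)),
    Device("hvac-ctrl-02", "1.9.4", "1.10.0", "high", date(2024, 1, 20)),
    Device("infusion-pump-7", "4.0.2", "4.1.0", "critical", date(2024, 1, 10), patchable=False),
]

if __name__ == "__main__":
    for name, status in report(INVENTORY, AS_OF).items():
        print(f"{name:18} {status}")
```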
5. Authentication and Access Control
- Replace shared credentials with individual accounts where the device supports it
- Implement certificate-based authentication for device-to-server communication
- Use a Privileged Access Workstation (PAW) for IoT device administration
- Review and revoke IoT device credentials during staff changes
6. Anomaly Detection and Monitoring
Traditional signature-based detection is ineffective for IoT. Instead, use behavioural analytics:
- Baseline normal communication patterns for each device type (what IPs does a camera connect to? What protocols? What time of day?)
- Alert on deviations: unexpected outbound connections, unusual protocols, off-hours activity
- Platforms: Darktrace, Claroty, Microsoft Defender for IoT, Armis
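The baseline-and-deviate approach described above, as an added example that is not from the guide or any of the listed platforms: it learns each device's peers and active hours from constructed flow records, then flags the three deviation types the section names (unexpected destination, unusual protocol, off-hours activity). Device names, addresses and timestamps are all made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (device, dst_ip, proto, dst_port, timestamp), not real traffic.
BASELINE_FLOWS = [
    ("cam-lobby-01", "10.20.0.5", "tcp", 554, "2024-02-01T09:15:00"),   # RTSP to the NVR
    ("cam-lobby-01", "10.20.0.5", "tcp", 554, "2024-02-01T14:40:00"),
    ("cam-lobby-01", "10.20.0.9", "udp", 123, "2024-02-02T11:00:00"),   # NTP
    ("hvac-ctrl-02", "10.30.0.2", "tcp", 47808, "2024-02-01T08:05:00"), # BACnet to the BMS
    ("hvac-ctrl-02", "10.30.0.2", "tcp", 47808, "2024-02-02T17:50:00"),
]

def build_baseline(flows):
    """Per device: the (dst, proto, port) peers seen and the hour window of activity."""
    baseline = defaultdict(lambda: {"peers": set(), "hours": set()})
    for dev, dst, proto, port, ts in flows:
        baseline[dev]["peers"].add((dst, proto, port))
        baseline[dev]["hours"].add(datetime.fromisoformat(ts).hour)
    return {dev: {"peers": b["peers"], "window": (min(b["hours"]), max(b["hours"]))}
            for dev, b in baseline.items()}

def check_flow(baseline, flow):
    """Return a list of deviation reasons for one flow; empty means it matches the baseline."""
    dev, dst, proto, port, ts = flow
    if dev not in baseline:
        return ["device not in baseline (unregistered or new)"]
    b = baseline[dev]
    alerts = []
    if (dst, proto, port) not in b["peers"]:
        if dst not in {p[0] for p in b["peers"]}:
            alerts.append(f"unexpected destination {dst}")
        if (proto, port) not in {(p[1], p[2]) for p in b["peers"]}:
            alerts.append(f"unusual protocol {proto}/{port}")
        if not alerts:  # known destination and known service, but never paired before
            alerts.append(f"new peer pairing {dst} {proto}/{port}")
    hour = datetime.fromisoformat(ts).hour
    lo, hi = b["window"]
    if not lo <= hour <= hi:
        alerts.append(f"off-hours activity at {hour:02d}:00 (baseline {lo:02d}-{hi:02d})")
    return alerts

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    # A camera talking HTTPS to a public address at 03:10 trips all three checks.
    for reason in check_flow(baseline, ("cam-lobby-01", "203.0.113.7", "tcp", 443, "2024-02-05T03:10:00")):
        print("ALERT", reason)
```

In production the baseline would be built from days or weeks of flow records per device category, and the hour window would be per weekday rather than a single range.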
7. Physical Security
IoT devices are often physically accessible in exposed locations:
- Disable unused physical ports (USB, SD card, console)
- Tamper detection for critical devices
- Secure device mounting to prevent theft or physical tampering
- Cable locks for portable or high-value devices
IoT Security by Industry
Healthcare
Medical IoT (MIoT) devices—infusion pumps, patient monitors, imaging equipment—are directly connected to patient safety. Apply HIPAA Technical Safeguard requirements, segment medical devices from administrative networks, and engage biomedical engineering teams in security reviews.
Manufacturing and Industrial
Operational Technology (OT) and Industrial IoT (IIoT) environments require an IT/OT convergence strategy. Apply the Purdue Model for ICS/SCADA network segmentation and engage OT security specialists (distinct from IT security).
Smart Buildings
Building Management Systems (BMS), HVAC, access control, and lighting systems are increasingly IP-connected. Ensure BMS vendor support contracts include security patching obligations and conduct annual penetration tests of building systems.
Incident Response for IoT
Develop IoT-specific incident response procedures:
- Isolate the compromised device network segment immediately
- Capture network traffic logs before containment (critical for forensics)
- Identify blast radius: what did the device have access to?
- Coordinate with device vendor for firmware analysis and remediation guidance
- Restore from known-good configuration (factory reset + secure re-provisioning)
- Review and strengthen network segmentation rules before reconnecting
IoT security is not a separate discipline from enterprise security—it is an extension of the same principles (least privilege, patch management, monitoring, segmentation) applied to a more constrained and diverse device landscape. The organisations that treat IoT as a first-class security concern are the ones that avoid it becoming a first-class breach vector.
