As consumer Internet of Things (IoT) devices inevitably find their way into the workplace, IT pros need to isolate them from the rest of the enterprise network, perhaps on a network of their own, so they don’t become backdoors exploitable by attackers, according to the head of the Online Trust Alliance.

Jeff Wilbur, the director of the alliance, which is an initiative within the larger Internet Society, says that it is better to embrace employees’ IoT devices and allow them to be used safely than to ban them and risk their unauthorized, unprotected use that could undermine network security.

Similarly, industrial IoT devices deployed by businesses should be firewalled off from the broader corporate network in order to minimize risk of compromise, he said in an interview with Network World senior writer Jon Gold.

Here’s a transcript of that conversation.

Network World: How does the OTA’s work with consumer-grade IoT security translate to the enterprise sector?

Wilbur: A few years ago, we took those general concepts of security and privacy, because every year we do an audit of about a thousand websites and organizations – email authentication practices, privacy and security – and we realized that the IoT market was growing, that there were going to be an order of magnitude more devices that were sending and receiving data, and generating data that needed to be secure and private as well, so we created a listing through a working group that eventually involved over a hundred different organizations. That (group) created a list of principles, mainly targeted at manufacturers, so security, privacy and lifecycle properties of IoT products, and what they should consider building into the product from the beginning, sort of the security and privacy by design.

We’ve had that out for a few years now, and it gets updated as necessary, but if you take that list of principles, and then apply it to the other side, the users of these products, it can be used as a filter to decide “what kind of products should I buy? What are the security and privacy characteristics that they should have?”

The reality today is that not all products – in fact, not many of the IoT products – are conforming to that list of principles yet. And when consumer-grade products kind of sneak their way into the enterprise … IT folks may or may not know it’s even there, and these products can be very chatty, they can be collecting data or being sort of a gateway vulnerability to the rest of the network if they’re not properly isolated or dealt with.

Network World: What’s a good example of that type of consumer-type IoT sneaking into the enterprise?

Wilbur: I don’t know that we’re advocating to keep it out of the enterprise, we’re advocating to manage it within the enterprise. Because if it comes through the side door or the back door, under the radar, whatever term you want to use, that’s when it can be dangerous, but it can also, if managed properly, be just fine.

The examples I hear of late are, of course, smart TVs in conference rooms – they may mainly be used as monitors, you know, you hook your laptop to it for display, but they also are smart TVs, and depending on how much you allow that capability to be connected into your network, that’s a potential vulnerability point.

A lot of smart speakers are being used in those environments, so you’ve just got to pay attention to the data flows and where they are in the network, and who’s saying what. If you look at Alexa, for instance, and Google Home, for the most part it seems that they have pretty good security controls around it, but whoever owns those accounts, your voice queries get stored in your account. So a lot of people don’t know exactly what data is being captured. For the most part, there has been concern about all voice being transmitted on through, even when there’s no wake word that initiates it, and that does not seem to be the case – it’s only passed through when there’s a real query involved, but it’s good to be cautious, especially in an enterprise environment.

Another area that it seems like IoT devices are making their way into [the enterprise] is appliances in the breakrooms, and it might be for the purposes of energy control or just remote monitoring, but again, those potentially can create an entry point for an attacker if they’re not managed properly. And then you’ve got fitness trackers that individuals bring in – for the most part, those just connect to your phone, and often they don’t hit the enterprise network, but depending on how you’ve got them set up, if your phone is then on your corporate Wi-Fi, then who knows?

Network World: This really DOES harken back to the BYOD challenges of several years ago, doesn’t it?

Wilbur: Exactly. And a lot of these devices have either default or hardcoded passwords, and so, if they are reachable, they might be an attacker’s entry point – they may or may not be software-updateable, so we have recommendations in [our checklist] like, if you’re looking at it from the very beginning, you should set up some policies and rules for employees about what they can bring in and what characteristics it should have.

The danger, and this is the same as the BYOD thing, is that if you’re too restrictive, you end up creating an under-the-table – they used to call it “shadow IT,” you can probably call this “shadow IoT” if you want – you can create that kind of thing where people say “I’m still gonna bring it in, but now it’s really gonna be under the radar,” as opposed to doing it with eyes wide open so you kinda know what you’re getting into.

We recommend setting up a separate network for those devices. Most companies set up a guest network for Wi-Fi, so why not have an IoT-specific network, or why not have them on your guest network also? It depends on the company, and how they want to organize things.

Network World: A lot of industrial IoT seems to involve connecting devices that were designed 10, 20, 40 years ago to the Internet, which they weren’t really meant to do. How do companies go about addressing that kind of concern, given that they’re not going to be able to simply replace giant pieces of industrial equipment that they may have been using for decades?

Wilbur: That’s going to vary according to the project – it’ll vary all the way from providing some gateway of connectivity from legacy systems into a network that gives them some sense of remote control of that, to whole new projects where you’re able to start from scratch with the latest stuff. So, in those kinds of environments, the thing to be careful of is, when you have a tightly controlled, highly secure gateway, where the communication is kind of crossing between the IT network and the operational network. There’s a lot of attention these days being paid to that kind of IT/OT blending.

When you have situations like that, in a gateway, you can manage the traffic flow through that gateway very well if you want to, and so that’s really the chokepoint where you can do that. When you go to the newer sort of environment, where you’ve got new products and many of the individual devices are now connected, you can do similar things. Let’s say you’ve got a factory floor, and you have all your devices connected on that floor, you don’t want that network wide-open to the rest of your corporate network, right? So you’re going to have some kind of firewall into that, and it’s really a matter of paying attention to what can be accessed by whom and from where.

The risks of having industrial applications exposed to the world in some way are great – there can be physical harm to individuals, there can be catastrophic-level attacks on machinery to make it fail, and all that kind of stuff. So the security aspect of the connectivity needs to be very strongly taken into account in those kinds of environments.
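The separate IoT network and the "who can reach what, from where" chokepoint that Wilbur describes can be expressed as a forward-filtering policy on the Linux router that joins the segments. The ruleset below is an added illustration, not something from the interview or from the Online Trust Alliance checklist; the interface names (vlan10 for corporate, vlan20 for IoT, wan0 for the uplink), the 10.10.0.0/16 corporate range and the casting port set are assumptions chosen for the example.

```nftables
# Assumed layout (example only): vlan10 = corporate, vlan20 = IoT, wan0 = Internet uplink.
table inet iot_segmentation {
    set corp_nets {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16 }        # assumed corporate address space
    }

    # Ports a corporate laptop needs to drive a conference-room TV; assumed values,
    # tighten to whatever the deployed devices actually use.
    set corp_to_iot_tcp {
        type inet_service
        elements = { 8008, 8009 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept

        # Corporate users may initiate sessions to IoT devices, but only on the
        # listed ports; the reply traffic is covered by the established rule above.
        iifname "vlan10" oifname "vlan20" ip saddr @corp_nets tcp dport @corp_to_iot_tcp accept

        # IoT devices never initiate connections into the corporate segment.
        iifname "vlan20" oifname "vlan10" log prefix "iot-to-corp-denied " drop

        # IoT devices may reach the Internet (cloud back-ends, updates) but not
        # any corporate address that happens to be routed via the uplink.
        iifname "vlan20" oifname "wan0" ip daddr != @corp_nets accept

        # Nothing from the Internet is forwarded into the IoT segment (default-
        # credential devices must not be reachable from outside); log for detection.
        iifname "wan0" oifname "vlan20" log prefix "wan-to-iot-denied " drop
    }
}
```

Loading it with `nft -f` and watching the two log prefixes gives a quick signal of which IoT devices are trying to talk to the corporate side, which is the "chatty device" problem the interview warns about.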