Beyond the surface: Securing IoT devices in the public sector

Shot of a group of businesspeople having a boardroom meeting in an office
Image: © pixdeluxe | iStock

Dominic Norton, Sales Director at Spitfire Network Services Ltd, discusses the evolution of security, focusing on the shift from physical to digital vulnerabilities, including securing IoT devices in the public sector

Not long ago, securing a public sector site, whether a government office, school, or transport hub, was largely a physical process. CCTV cameras connected via coaxial cables, alarm systems triggered by opening doors or windows, and access controlled by lock and key.

These systems, while basic, had a significant advantage: they were not connected to the internet and, therefore, secure by design – no passwords to hack, no firmware to update, and no risk of remote interference.

Today, however, the landscape is vastly different, with the rapid adoption of internet of things (IoT) devices across public infrastructure. From smart traffic systems to access control in public buildings or environmental sensors in social housing, these interconnected systems enable real-time monitoring, remote management, and smart automation. Still, they have also opened new gateways for cybercriminals, with each connected device representing a potential vulnerability.

This technological leap is both a blessing and a burden for organisations striving to enhance operational efficiency. While it delivers unprecedented control and data insights, it simultaneously expands the “attack surface” – every device, sensor, or gateway is now a potential entry point for hackers.

The invisible threats facing IoT devices

The scale of cyber threats facing IoT devices is alarming. We recently conducted a live experiment, ‘One Hour Under Attack’. The goal was to assess how quickly an exposed IoT device would face intrusion attempts when connected to the public internet. The device recorded 2,266 attacks from 120 different sources in just sixty minutes!

These attacks probed for default or weak usernames and passwords, targeted open ports, and attempted to exploit outdated firmware – all tactics commonly used by cybercriminals to gain remote access or deploy malware.

Common vulnerabilities include:

  • Default credentials:
    • Many IoT devices still use factory-set usernames and passwords, which are often publicly available.
  • Open ports:
    • Necessary for remote access, they are easy entry points for determined hackers.
  • Outdated firmware:
    • Devices that are not regularly updated are prime targets.
  • Lack of segmentation:
    • If a network is not properly segmented, a single compromised device can then provide access to other systems, exposing sensitive data.

This underscores the reality that any device left exposed and visible on the public internet is a target. Hackers now use artificial intelligence and machine learning techniques to rapidly identify and exploit these vulnerabilities, often before organisations know of any threat.

The public sector’s growing reliance on IoT means these risks cannot be ignored. Worse still, these types of cyberattacks aren’t just about stealing data; they can cause real-world disruption. Imagine a hacker gaining control of a city’s smart traffic system, energy distribution or even a school’s security cameras – the consequences extend beyond data loss to public safety.

As today’s cyber threats evolve, so must our approach to IoT security.

Why traditional cybersecurity measures fall short

Many organisations attempt to secure IoT devices using familiar tools like encryption and virtual private networks (VPNs). While these measures are essential, they have critical limitations when it comes to IoT:

  • Complexity of VPNs:
    • As the number of connected devices grows, configuring and managing VPN tunnels for each device becomes an administrative nightmare.
  • Human error:
    • Misconfigured devices, weak passwords, and delayed firmware updates often create vulnerabilities that traditional methods cannot fully mitigate against.
  • Internet exposure:
    • Even with strong encryption, devices using public IP addresses remain visible and susceptible to external scanning and attacks.

Ultimately, the issue stems from the public internet itself. If devices rely on it for connectivity and remote access, they will always be vulnerable.

A better solution: Private IoT networks

The most effective way to secure IoT deployments is to remove devices from the public internet altogether. Spitfire’s One Network solution offers a fully private, secure network that seamlessly integrates fixed-line, cloud, and mobile connectivity. This approach ensures that IoT devices remain invisible and unreachable to external threats.

Key advantages of private IoT networks include:

  • Network isolation:
    • Devices communicate through a private, closed network that is not exposed to the public internet.
  • Simplified management:
    • No need for multiple VPN tunnels or complex encryption schemes.
  • Enhanced security:
    • Devices are assigned private IP addresses, eliminating public exposure while allowing secure remote access through a single, enterprise-grade firewall or directly from another connected site.
  • Scalability:
    • Can accommodate the increasing number of IoT devices without adding management complexity.

This approach significantly reduces the attack surface by isolating critical infrastructure from external threats.

Use case: Securing public buildings

Consider the example of a local authority managing multiple public buildings equipped with IoT devices. These may include access control, building management systems (BMS), environmental sensors, and emergency lift lines. If these devices rely on the public internet, each becomes a potential entry point for hackers.

By implementing Spitfire’s One Network, the authority can:

  1. Isolate devices:
    • All devices operate within a private network, making them invisible and unreachable to external threats.
  2. Centralise security:
    • If external access is required, it is controlled via a single entry point VPN using a high- availability firewall, eliminating the need for multiple tunnels.
  3. Enablesecureremotemanagement:
    • Authorised personnel can manage devices securely, via a single portal login, without exposing them to external risks.

This improves security and reduces operational overhead and the likelihood of human error. IoT deployments remain secure, cost-effective, and easy to manage.

IoT security: Final thoughts

In a world where IoT rapidly reshapes public sector operations, security cannot be an afterthought. Hackers are leveraging AI and sophisticated attack methods to target vulnerable devices – but the solution lies not in adding more complex cybersecurity tools but in simplifying the connectivity itself.

By moving IoT devices off the public internet and into secure private networks, organisations can reduce risk, save time, and protect both their data and the communities they serve.

Public sector leaders must act now, because when it comes to IoT security, invisibility is the best form of defence!

For more information about securing your IoT network visit: https://www.spitfire.co.uk/iot-security/

Contributor Details

Stakeholder Details

Upcoming OAG Webinar

Editor's Recommended Articles

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here