Embedded, IoT, OT, and Physical Device Security
Key Takeaways
- Embedded, IoT, and OT devices have long lifecycles, weak defaults, limited compute, and high availability needs that constrain normal controls.
- Segmentation is the primary network control because many devices cannot run EDR agents or full disk encryption.
- OT (ICS/SCADA/PLC) prioritizes safety and availability over confidentiality, so changes and scans require testing and coordination.
- Physical security protects devices from theft, tampering, rogue USB and console-port access, and unauthorized facility entry.
- Asset inventory is foundational: an unmanaged device cannot be patched, monitored, or securely retired.
Devices That Do Not Look Like Computers Still Create Risk
Embedded systems, Internet of Things (IoT) devices, and operational technology (OT) are everywhere: cameras, badge readers, printers, medical infusion pumps, environmental sensors, building automation, industrial controllers, and point-of-sale terminals. SY0-701 expects you to recognize why these devices are hard to secure with standard endpoint tooling.
| Characteristic | Security impact |
|---|---|
| Long lifecycle (10-20 years) | Devices outlive vendor patches and support |
| Default credentials | Trivial initial compromise if unchanged |
| Limited compute | Often cannot run EDR or full disk encryption |
| Proprietary protocols | Hard to monitor or scan safely |
| High availability need | Patching requires planned outage windows |
| Physical exposure | Attackers can reach ports, reset buttons, or storage |
IoT and Embedded Controls
Because agents often will not run, the exam favors network-side and lifecycle controls:
| Control | Purpose |
|---|---|
| Asset inventory | Track type, owner, firmware, location, and support status |
| Change default credentials | Remove the most common initial access path |
| Network segmentation / VLANs | Limit what a device can reach and who can reach it |
| Firmware updates | Fix known device-level vulnerabilities |
| Disable unused services | Shrink attack surface |
| Certificate-based device identity | Strengthen authentication where supported |
| Traffic monitoring | Detect unusual outbound or lateral activity |
| Secure disposal | Wipe credentials, keys, and stored data at retirement |
OT Inverts the CIA Triad
OT includes programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICS) that govern physical processes. The exam's key insight: OT flips IT priorities.
| IT priority | OT priority |
|---|---|
| Confidentiality often leads | Safety and availability lead |
| Frequent patching is normal | Patching needs testing and outage planning |
| Endpoint agents are common | Agents may be unsupported or unsafe |
| Bursty office traffic | Deterministic, predictable process traffic |
A well-meaning vulnerability scan can crash a fragile controller and halt a production line, so OT work must include operations engineers, safety owners, and change control. The Purdue Model is the classic reference for layering and segmenting OT networks away from IT.
Physical Device Security
| Risk | Control |
|---|---|
| Stolen device | Locks, cages, asset tags, secure mounting |
| Console-port misuse | Port blockers, locked cabinets, disabled ports |
| Rogue USB device | USB control policy, port locks |
| Tampering | Tamper-evident seals, cameras, inspections |
| Unauthorized facility access | Badges, guards, access control vestibules, visitor logs |
Worked Scenario
A warehouse runs network cameras, badge readers, and environmental sensors. The secure operations plan inventories every device, changes default passwords at onboarding, places devices on segmented VLANs, restricts management to an admin subnet, schedules firmware updates in planned windows, monitors traffic for unusual outbound connections, and physically secures devices mounted in public areas behind locked enclosures.
Common Exam Traps
| Trap answer | Better reasoning |
|---|---|
| "Install EDR on every IoT device." | Many cannot run agents; rely on segmentation and monitoring. |
| "Patch OT immediately, no testing." | OT changes need safety-aware testing and scheduling. |
| "A camera is not a real computer." | Networked devices are valid attack paths and pivot points. |
| "Physical access is irrelevant if the network is secure." | Physical access exposes ports, reset buttons, storage, and consoles. |
Specialized Systems the Objectives Name
SY0-701 objective 4.1 lists categories of specialized assets. Be able to match each to its dominant constraint.
| System type | Defining constraint |
|---|---|
| ICS / SCADA | Controls physical processes; safety and uptime are paramount |
| Embedded systems | Fixed-function firmware, little or no patch path |
| RTOS (real-time operating system) | Deterministic timing; cannot tolerate scan-induced delay |
| IoT consumer/commercial | Weak defaults, cloud dependence, irregular updates |
| SoC (system on a chip) | Compute and memory tightly bound, limited security headroom |
| Medical / HVAC / vehicle systems | Regulatory and safety oversight; vendor-controlled firmware |
Constraints That Shape Every IoT Control Choice
The exam expects you to reason from device constraints to control selection. Common constraints include limited compute power and memory, no room for cryptographic libraries, inability to patch, weak or absent authentication, constrained network bandwidth, and reliance on a vendor cloud. When a device cannot encrypt, authenticate strongly, or run an agent, the answer almost always shifts to compensating network controls: segmentation, monitoring, and strict access control rather than host hardening.
Segmentation Models and Defense in Depth
For OT and IoT, layered segmentation is the recurring correct answer. The Purdue Enterprise Reference Architecture separates enterprise IT (levels 4-5) from process control (levels 0-3) with a demilitarized zone in between, so a compromised office workstation cannot directly reach a PLC. Even outside formal OT, the pattern holds: put cameras, badge readers, and sensors on dedicated VLANs, allow only the specific flows they need, and deny everything else.
Pair segmentation with an accurate asset inventory that records firmware version and support status, because a device you do not know about is a device you cannot patch, monitor, or retire.
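The deny-by-default segmentation described above, and in the warehouse scenario earlier on the page, as an added example that is not part of the original study guide: a small Python policy check that evaluates constructed flow records against per-VLAN allowlists and flags management access that does not come from the admin subnet, lateral traffic between IoT segments, and unexpected outbound connections. The subnets, ports, and server roles are assumptions chosen for illustration.

```python
# Added example, not from the study guide: deny-by-default flow policy for
# segmented IoT VLANs. Subnets, ports and server roles are assumed values.
from ipaddress import ip_address, ip_network

ADMIN_NET = ip_network("10.0.1.0/24")  # only subnet allowed to manage devices
MGMT_PORTS = {22, 23, 80, 443, 8443}   # device management interfaces
# Per-segment allowlist of (destination, protocol, port); all else is denied.
POLICY = {
    "cameras": {"net": ip_network("10.10.20.0/24"),
                "allow": [(ip_network("10.0.5.10/32"), "tcp", 554),    # NVR, RTSP
                          (ip_network("10.0.5.53/32"), "udp", 123)]},  # NTP
    "badge":   {"net": ip_network("10.10.30.0/24"),
                "allow": [(ip_network("10.0.5.20/32"), "tcp", 443)]},  # access-control server
}

def segment_of(ip):
    """Name of the IoT segment containing ip, or None if it is not an IoT address."""
    for name, seg in POLICY.items():
        if ip in seg["net"]:
            return name
    return None

def evaluate(flow):
    """Return 'allow' or the name of the policy violation for one flow record."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    # Management of an IoT device is permitted only from the admin subnet.
    if dst_seg and flow["dport"] in MGMT_PORTS:
        return "allow" if src in ADMIN_NET else "mgmt-from-non-admin"
    if src_seg:
        if dst_seg:
            return "lateral-between-iot-segments"
        for net, proto, port in POLICY[src_seg]["allow"]:
            if dst in net and flow["proto"] == proto and flow["dport"] == port:
                return "allow"
        return "unexpected-outbound"  # e.g. a camera reaching the internet
    return "allow"  # flows not touching an IoT segment are out of scope here

def violations(flows):
    # Collect (src, dst, dport, reason) for every flow the policy rejects.
    return [(f["src"], f["dst"], f["dport"], v)
            for f in flows if (v := evaluate(f)) != "allow"]
# Constructed sample flows, shaped like a firewall or NetFlow export.
SAMPLE_FLOWS = [
    {"src": "10.10.20.7", "dst": "10.0.5.10",   "proto": "tcp", "dport": 554},  # camera -> NVR: allow
    {"src": "10.10.20.7", "dst": "203.0.113.9", "proto": "tcp", "dport": 443},  # camera -> internet
    {"src": "10.10.20.8", "dst": "10.10.30.5",  "proto": "tcp", "dport": 445},  # camera -> badge VLAN
    {"src": "10.0.1.15",  "dst": "10.10.20.7",  "proto": "tcp", "dport": 443},  # admin -> camera: allow
    {"src": "10.0.8.22",  "dst": "10.10.20.7",  "proto": "tcp", "dport": 22},   # office PC -> camera
]
```

Running `violations(SAMPLE_FLOWS)` returns the three rejected flows with their reasons; the same check can be pointed at a real flow export once the allowlist reflects the site's actual NVR, NTP, and access-control servers.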
Practice Questions
An IoT camera cannot run an endpoint agent. Which control most directly limits the damage if the camera is compromised?
Why should active vulnerability scanning in an OT environment be carefully coordinated?
Which controls help protect physical devices from tampering? Choose two.