
Validating Internal Network Policies with Mendel

Defining your internal network policies takes time, coordination, and effort. But once those policies are in place, the critical question still remains: are they actually being followed?

For many IT teams, verifying policy adherence and enforcing internal rules on a daily basis is a persistent challenge. Even small violations, such as unauthorized access, outdated encryption, or misused services, can lead to data exposure or non-compliance with frameworks like NIS2.

This is the first part of a two-part blog focused on the practical side of network security policy enforcement and explains how GREYCORTEX Mendel helps you detect violations of any size quickly and effectively. Part two will cover encryption, application use, and identity-based access control.

Network Segmentation & Perimeter Control

Segmentation and perimeter access policies are fundamental to limiting exposure and maintaining control over your critical systems. Without a clear policy enforcement process, a single compromised device can lead to lateral movement across your network.

🔗 Watch our webinar to see how Mendel helps you detect and investigate lateral movement.

Policy violation: Disallowed east–west traffic between segments

Relevant for NIS2

East–west traffic refers to communication between devices within the internal network, such as between user devices and servers. When segmentation is not properly enforced, attackers can move laterally across segments and compromise your entire company network. Limiting this traffic is essential for helping you prevent access to critical systems.

Validation with Mendel

Mendel’s peer graph, as seen below, offers you a clear view of internal communication. Your analysts can then filter internal traffic and define specific subnets to quickly verify whether unauthorized flows occur between isolated segments.

Policy violation: Unauthorized Internet access from restricted segments

Relevant for NIS2

Devices in restricted segments, such as servers or backup networks, are often not intended to communicate with the public Internet directly. In many environments, internet access must go through a proxy or DMZ, with firewalls blocking all other outbound traffic. If these controls fail, systems may be exposed to malware, data leakage, or command-and-control activity.

Validation with Mendel

Mendel allows the filtering of your outbound traffic from specific hosts, making it easy to identify devices attempting to access the Internet.

If such traffic is detected, your analysts can verify whether it passed through an approved proxy by checking the flow records. They can also confirm whether direct connections (bypassing the proxy) were blocked at the firewall level by checking the TCP flags and destination status.

Mendel lets you set policies to monitor Internet traffic from specific segments or devices. When a violation occurs, it automatically sends an alert.

Policy violation: New & disappeared IPs or MACs in controlled network

Relevant for NIS2

Controlled network segments, such as server or infrastructure zones, are often designed with static IP and MAC configurations. When unrecognized devices appear, it may indicate unauthorized access, policy misconfiguration, or a potential threat. 

Validation with Mendel

Mendel allows you to assign policies to specific subnets or hosts to monitor new or missing IP and MAC addresses. Policies can also include limits on traffic, packets, peers, ports, duration, and flows.

If a policy is violated, Mendel will trigger an alert immediately. For automated blocking, Mendel can be integrated with third-party systems like a NAC or Cisco ISE.

Policy violation: Improper traffic between management and user networks

Relevant for NIS2

Dedicated management segments are designed to limit who can interact with your infrastructure components like switches, routers, or servers. Unauthorized access from user networks increases the risk of misconfiguration, privilege abuse, or direct exploitation.

Validation with Mendel

Mendel’s peer graph provides you with a clear view of communication between your defined network segments. Your analysts can focus on management subnets to verify whether they are properly isolated from user networks, as required by internal policies.

For example, subnet 10.0.20.0/24 was assigned as a management zone, but Mendel revealed active connections to other internal networks.

After updating firewall rules, Mendel confirms isolation by showing no communication from 10.0.20.0/24.

Network Services Policy Enforcement

Core network services like DNS and DHCP are frequent targets for misuse or misconfiguration. Ensuring that only authorized services are active helps prevent spoofing, data leaks, and disruptions to your network stability.

Policy violation: Usage of unauthorized internal/public DNS servers

Relevant for NIS2

This policy ensures that only approved DNS servers are used for resolving domain names inside the network. Unapproved or misconfigured servers can bypass security controls, hide malicious activity, or return forged responses.

Validation with Mendel

Internal DNS usage: Mendel allows you to filter internal DNS servers using the host tag Role/Server/DNS. This provides you with a clear inventory of devices offering DNS or DNS-relay services. Your analysts can review this list and drill down into individual IPs to confirm whether each DNS server is expected and approved.

For example, a device at 192.168.178.1 was identified as providing DNS services. No other services were detected, indicating a possible relay or misconfigured gateway.

Public DNS usage: By filtering outbound DNS traffic, Mendel reveals which internal devices are using public DNS servers. This allows your analysts to identify whether DNS queries are leaving the network through unapproved resolvers.

In one case, two hosts were detected using Google DNS services: one being a default gateway, and another (192.168.40.215) a standard internal client. Such cases should be reviewed against DNS usage policies to ensure compliance.

Policy violation: Unauthorized DHCP Servers

Relevant for NIS2

This policy ensures that only approved DHCP servers operate in the network. Unauthorized DHCP servers can assign incorrect configurations, enable man-in-the-middle attacks, or disrupt connectivity.

Validation with Mendel

Mendel automatically detects new DHCP servers in your network and generates an event. In addition, it lists all DHCP servers by filtering hosts with the tag Role/Server/DHCP, helping your analysts verify whether each one is authorized or misconfigured. Drilling down on each IP reveals additional services and host behavior for deeper inspection.

For example, device 192.168.2.254 was found running multiple services, including DHCP, NTP, DNS, SSH, TELNET, and Mikrotik Winbox. This suggests it may be a router or a misconfigured network appliance.
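The checks described in the sections above (east–west traffic between isolated segments, direct Internet egress from a restricted segment that bypasses the proxy, DNS sent to unapproved or public resolvers, and a MAC address that is not in the static inventory of a controlled zone) can all be expressed as rules evaluated over flow records. The Python below is an added example written for this post, not Mendel's code; the segment map, proxy address, approved resolver, MAC inventory and the flow records are all constructed assumptions.

```python
"""Offline policy checks over flow records (added example, not Mendel's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    tcp_flags: str = ""  # e.g. "S" (SYN only, no reply) or "SA" (handshake answered)


# Constructed site definitions (assumptions for this example).
SEGMENTS = {
    "users":      ipaddress.ip_network("10.0.10.0/24"),
    "management": ipaddress.ip_network("10.0.20.0/24"),
    "servers":    ipaddress.ip_network("10.0.30.0/24"),
    "backup":     ipaddress.ip_network("10.0.40.0/24"),
}
# Everything outside these ranges is treated as the public Internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Segment pairs that must never communicate directly.
ISOLATED_PAIRS = {frozenset({"users", "management"}), frozenset({"users", "backup"})}
# Segments that may reach the Internet only through the approved proxy.
RESTRICTED_SEGMENTS = {"servers", "backup"}
APPROVED_PROXY = ipaddress.ip_address("10.0.30.8")
APPROVED_DNS = {ipaddress.ip_address("10.0.30.53")}
# Static MAC inventory for the controlled management zone.
KNOWN_MACS = {"management": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def segment_of(ip):
    """Name of the defined segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_internet(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def check_flow(flow):
    """Return a list of (policy, detail) violations for one flow record."""
    findings = []
    src_seg, dst_seg = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    dst = ipaddress.ip_address(flow.dst_ip)

    # 1. East-west traffic between segments that must stay isolated.
    if src_seg and dst_seg and frozenset({src_seg, dst_seg}) in ISOLATED_PAIRS:
        findings.append(("east-west", f"{src_seg} -> {dst_seg}"))

    # 2. Direct Internet egress from a restricted segment (proxy bypass). The TCP
    #    flags tell us whether the firewall answered: SYN with no ACK means it was
    #    most likely dropped, which is still a policy violation worth reporting.
    if src_seg in RESTRICTED_SEGMENTS and is_internet(flow.dst_ip):
        state = "established" if "A" in flow.tcp_flags.upper() else "no-reply"
        findings.append(("direct-internet", f"{flow.src_ip} -> {flow.dst_ip} [{state}]"))

    # 3. DNS sent to a resolver outside the approved list (covers public DNS).
    if flow.dst_port == 53 and dst not in APPROVED_DNS:
        findings.append(("unapproved-dns", f"{flow.src_ip} -> {flow.dst_ip}"))

    # 4. A source MAC that is not in the static inventory of a controlled segment.
    if src_seg in KNOWN_MACS and flow.src_mac.lower() not in KNOWN_MACS[src_seg]:
        findings.append(("new-mac", f"{flow.src_mac} in {src_seg}"))
    return findings


def audit(flows):
    """Aggregate violations across a batch of flows, keyed by policy name."""
    report = {}
    for flow in flows:
        for policy, detail in check_flow(flow):
            report.setdefault(policy, []).append(detail)
    return report


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.10.5", "aa:bb:cc:00:00:01", "10.0.30.53", 53, "udp"),          # approved DNS
    Flow("10.0.10.5", "aa:bb:cc:00:00:01", "8.8.8.8", 53, "udp"),             # public DNS
    Flow("10.0.10.7", "aa:bb:cc:00:00:02", "10.0.20.3", 22, "tcp", "SA"),     # users -> mgmt
    Flow("10.0.40.9", "aa:bb:cc:00:00:03", "203.0.113.10", 443, "tcp", "S"),  # backup -> Internet
    Flow("10.0.40.9", "aa:bb:cc:00:00:03", "10.0.30.8", 3128, "tcp", "SA"),   # via proxy, OK
    Flow("10.0.20.3", "de:ad:be:ef:00:01", "10.0.30.53", 53, "udp"),          # unknown MAC
]

if __name__ == "__main__":
    for policy, details in audit(SAMPLE_FLOWS).items():
        print(f"{policy}: {details}")
```

In a real deployment the same rules would run over exported flow records rather than an inline list; the report keys map directly onto the policy violations this post walks through.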

From Visibility to Accountability

Enforcing internal rules only matters if those rules are visible and actionable. Without continuous policy monitoring, organizations like yours risk overlooking gaps that can lead to misconfigurations or downtime. Mendel helps you by aligning internal visibility with real-time behavior, enabling your teams to improve incident response, reduce alert fatigue, and maintain control over your environment.

In the next part, we’ll explore how Mendel validates encryption policies, user identity enforcement, and application-level restrictions, which are critical areas for maintaining compliance and reducing operational risk.

Want to evaluate your own network? Request a security audit with Mendel.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Securing the Internet of Things

IoT devices are transforming modern businesses and bringing greater efficiency, but they also deserve careful attention when it comes to security.

From medical monitors and factory sensors to smart cameras, IoT devices have become an essential part of today’s hospitals, factories, and office buildings. While they boost efficiency and enable automation, they also introduce new security risks. Many of these devices are difficult to update, lack even basic protection, and are hidden deep within the network without proper segmentation. A single compromised device can open the door to serious damage.

To help you secure your IoT environment, we’ve compiled a set of essential best practices, along with guidance on how GREYCORTEX Mendel can help you put them into action through enhanced visibility, monitoring, and detection.

Best Practices to Protect Your IoT Ecosystem with Mendel

With the right foundations in place, securing your IoT environment becomes manageable. Below, we break down key practices to strengthen visibility, control, and response, and show you how each one can be implemented and visualized using GREYCORTEX Mendel.

Map all IoT devices and assess their risks

Start by identifying every IoT device connected to your network—smart sensors, medical equipment, and other smart devices. Once you can see the full picture, assess which devices are critical, which are exposed, and what could happen if one of them gets compromised. Not all devices need the same level of protection, but all need to be accounted for.

Steps to take:

  • Scan your network to identify all connected devices
  • Document IPs, MAC addresses, models, locations, and owners
  • Classify devices based on criticality and exposure
  • Evaluate known vulnerabilities

Mendel in practice
In Mendel’s inventory tab, you get a real-time view of all active devices in your network, automatically mapped to their segments. For each device, you can see critical details like IP address, hostname, OS, and the severity of detected events. Mendel also tags hosts (e.g., AD server, printer), helping you quickly identify their role and assess their risk level.

Segment your network and control access

Use network segmentation to separate IoT devices from other networks and enforce access controls to limit unnecessary communication. A hospital X‑ray should reside in a protected clinical segment, while non-critical devices such as smart lighting must be isolated from sensitive systems like medical records or operational platforms.

Steps to take:

  • Group devices into segments by purpose, location, and risk
  • Define strict access policies among segments
  • Use firewalls, VLANs, or SDN to enforce segmentation
  • Regularly review and update access rules

Mendel in practice
Mendel provides a clear view of all internal communications, allowing you to ensure each IoT device communicates only with approved segments. This helps maintain proper isolation and enforces your segmentation strategy.

For critical network segments, Mendel lets you define custom rules to alert you immediately when an unknown device connects. This real-time visibility enables fast response and strengthens your access control.

Monitor and detect threats across your network

Even properly configured devices can become a risk. Continuous monitoring provides real-time visibility into IoT communication patterns, revealing who connects, when, and how often. With behavioral baselines in place, you can quickly detect anomalies, unauthorized access, or lateral movement attempts before they escalate.

Steps to take:

  • Monitor all traffic to and from IoT devices
  • Investigate anomalies like new destinations, large data transfers, or off-hours activity
  • Flag port scans or sudden traffic spikes from low-profile devices

Mendel in practice
Mendel automatically detects suspicious patterns like port scanning. If an IoT device suddenly starts reaching out to unusual services or systems, Mendel alerts you to possible malware activity or an attacker mapping your network.

Mendel monitors data flows and alerts you to anomalies. If a device suddenly begins transferring large volumes of data, especially to unfamiliar destinations, it could signal a compromise. Early detection helps you respond before any damage is done.

Prepare an incident response plan

When an unauthorized IoT device appears on your network, time matters. Having a clear response plan helps you react quickly by isolating the device, understanding its behavior, and preventing further damage without losing precious time to confusion.

Steps to take:

  • Establish automated alerts
  • Assign roles and responsibilities for investigation and containment
  • Log all actions for future analysis and compliance

Mendel in practice
When Mendel detects suspicious activity from an IoT device, you can respond immediately—either manually or through automated rules. Block malicious traffic via integrated firewalls or isolate compromised devices using your NAC system to prevent further impact.

Build a Resilient IoT Environment with Mendel

IoT devices do not have to be your weakest link. With a clear inventory, proper segmentation, and real-time monitoring, you can reduce exposure and respond to threats before they escalate.

GREYCORTEX Mendel helps you put the practices described above into action. It gives you a complete picture of device activity, lets you detect unusual behavior early, and supports quick, informed responses. As IoT continues to grow across industries, having this level of control makes a big difference in keeping your network stable, secure, and ready for what’s next.


Top Network Configuration Errors and How to Fix Them

Security incidents often arise from seemingly minor mistakes—misconfigurations that could otherwise be easily avoided.

Unencrypted communication, plain-text authentication, weak network segmentation, outdated operating systems and applications, and unsecured services are common yet often overlooked vulnerabilities. These misconfigurations create entry points or exploitation opportunities for potential attackers, putting your entire organization at risk.

In this article, we’ll uncover the most common configuration errors and outline practical steps to fix them, helping you build a more resilient and secure network.

Unsecured Services in the Perimeter 

Configuration error: Services like web servers, Remote Desktop Protocol (RDP), or Secure Shell (SSH) exposed to the Internet without proper protection are easy targets for attackers.

Internet-exposed services are often overlooked, making them vulnerable. Attackers exploit these weaknesses through brute force attacks, unpatched software exploits, or simple misconfigurations, using unsecured services as entry points into your internal infrastructure.

The risk is further heightened by insufficient access restrictions, such as unrestricted global IP access. Without effective logging and monitoring, such breaches can go undetected for extended periods.

Recommended actions:
  • Deploy a Next-Generation Firewall (NGFW) and Web Application Firewall (WAF) to detect and block malicious activities.
  • Restrict access using IP whitelisting and geolocation rules (e.g., allow only IPs from trusted regions).
  • Avoid exposing services to the Internet unless absolutely necessary. Instead, manage access using Zero Trust Network Access (ZTNA) or a client VPN.

Pro tip: Regularly audit your exposed services to identify weaknesses and bolster overall protection.

Remote access via VPN 

Configuration error: Improper VPN configuration often allows access to entire network segments rather than specific services, significantly increasing the risk of lateral movement or full network compromise.

Unrestricted access and lack of user activity visibility can turn your VPN into a weak security link. Transitioning to modern solutions like Zero Trust Network Access (ZTNA) or client VPN offers a much higher level of security by providing granular access control and minimizing exposure.

Recommended actions:
  • Restrict VPN access to only necessary services and resources.
  • Implement monitoring tools to track VPN activity and identify suspicious behavior.
  • Switch to ZTNA or client VPN for granular access control and enhanced security.

Bypassing Security Policies in Remote Access 

Configuration error: Unauthorized devices or software used by vendors to bypass access policies create direct access to your internal infrastructure, seriously compromising network security.

A common scenario involves “rogue” routers with cellular connectivity (4G/5G) that terminate VPN tunnels directly into your organization’s infrastructure. This undermines your existing security policies and grants direct access to the internal network.

Equally problematic is the use of software tools like SoftEther, which allow VPN connections over HTTPS from any device where the software is installed. This traffic mimics regular network communication, often bypassing detection by traditional firewalls. The result is hidden access, which can be exploited by attackers or even disgruntled employees for unauthorized activities or cyberattacks.

Recommended actions:
  • Conduct regular audits based on network traffic analysis to identify unauthorized devices, detect suspicious behavior, and uncover anomalous communication patterns.
  • Enforce the use of approved remote access solutions like ZTNA or client VPN.
  • Proactively disable unauthorized remote access devices and software.

Pro Tip: Use tools like GREYCORTEX Mendel to detect unauthorized remote access and enforce security policies.

Unauthorized Access Between Network Segments 

Configuration error: Poor segmentation and inadequate communication control between networks allow devices from less secure environments to access your internal resources, significantly increasing security risks.

One of the fundamental principles of secure network design is proper segmentation and controlled communication between network segments. However, it is common to find devices from separate networks, such as guest Wi-Fi, gaining access to internal DNS or DHCP servers. These Wi-Fi devices, which often do not meet organizational security standards, pose a significant risk if communication is not properly restricted.

Recommended actions:
  • Implement strict network segmentation and block unauthorized communication between segments.
  • Monitor traffic between segments to detect unauthorized communication.
  • Regularly audit your network infrastructure configurations to identify vulnerabilities.

Pro Tip: Visualize inter-segment communications with tools like GREYCORTEX Mendel to identify potential weak points.

Unencrypted Communication and Plain-Text Authentication 

Configuration error: Unencrypted protocols such as HTTP, Telnet, or TFTP, along with plain-text authentication, leave organizations vulnerable to eavesdropping and credential theft.

This issue often stems from legacy systems or misconfigurations that fail to support modern encrypted protocols. Attackers can intercept unencrypted communications to access sensitive data. For legacy systems that cannot be quickly replaced, it is essential to assess the risk, implement necessary safeguards, and develop a medium-term plan for mitigation.

Recommended actions:
  • Switch to encrypted protocols, such as HTTPS, SSH, or SFTP.
  • Identify systems lacking encryption support and create an upgrade plan.

Pro Tip: Regularly scan your network for unencrypted communication and plain-text authentication.

Outdated or Weak Encryption Standards 

Configuration error: Outdated encryption protocols, such as TLS 1.0/1.1, leave organizations vulnerable to modern threats like eavesdropping and cyberattacks.

Outdated encryption protocols are often found in legacy systems or arise from misconfigurations. In the case of misconfigurations, switch to secure protocols immediately. For legacy systems where replacement may be challenging, document the risks and develop a medium-term plan to transition to modern encryption standards, ensuring your critical data remains protected.

Recommended actions:
  • Upgrade encryption standards to secure versions, such as TLS 1.2/1.3.
  • Identify systems using outdated protocols and schedule updates.
  • Restrict access to systems still reliant on outdated encryption.

Pro Tip: Use tools like GREYCORTEX Mendel to identify systems using weak encryption protocols.
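To identify systems still negotiating TLS 1.0/1.1 from captured traffic, the negotiated version has to be read from the ServerHello, and a TLS 1.3 server advertises 0x0303 in its legacy version field and signals 1.3 only in the supported_versions extension. The parser below is an added example written for this article, not Mendel's code; the ServerHello records it checks are constructed by its own builder rather than taken from a real capture.

```python
"""Read the negotiated TLS version from a ServerHello record (added example)."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
WEAK_VERSIONS = {0x0300, 0x0301, 0x0302}   # versions the article says to retire
EXT_SUPPORTED_VERSIONS = 0x002B            # RFC 8446 supported_versions extension


def negotiated_tls_version(record: bytes) -> int:
    """Return the protocol version a ServerHello record actually selects."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                      # skip legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                                # skip session_id
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    pos += 2 + 1                                      # cipher_suite, compression_method
    if pos + 2 > len(hello):
        return legacy_version                         # no extensions block (older servers)
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        ext_type, ext_body_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext_body = hello[pos + 4:pos + 4 + ext_body_len]
        # In a ServerHello, supported_versions carries exactly the selected version.
        if ext_type == EXT_SUPPORTED_VERSIONS and len(ext_body) == 2:
            return struct.unpack("!H", ext_body)[0]
        pos += 4 + ext_body_len
    return legacy_version


def audit_server_hello(record: bytes) -> dict:
    """Classify a ServerHello as weak or acceptable per the article's guidance."""
    version = negotiated_tls_version(record)
    return {"version": VERSION_NAMES.get(version, hex(version)),
            "weak": version in WEAK_VERSIONS}


def build_server_hello(legacy_version: int, selected_version=None) -> bytes:
    """Construct a minimal ServerHello record (test fixture, not a real capture)."""
    hello = struct.pack("!H", legacy_version) + b"\x00" * 32   # version + zero random
    hello += b"\x00"                                           # empty session_id
    hello += b"\x00\x2f"                                       # cipher suite (not inspected)
    hello += b"\x00"                                           # null compression
    exts = b""
    if selected_version is not None:
        exts += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    if exts or legacy_version >= 0x0303:                       # older servers omit the block
        hello += struct.pack("!H", len(exts)) + exts
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", legacy_version) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for name, rec in [("tls1.0 server", build_server_hello(0x0301)),
                      ("tls1.2 server", build_server_hello(0x0303)),
                      ("tls1.3 server", build_server_hello(0x0303, 0x0304))]:
        print(name, audit_server_hello(rec))
```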

External DNS Requests 

Configuration error: Devices communicating directly with external DNS servers increase the risk of exposing sensitive infrastructure data and of being exploited through DNS tunneling techniques.

Devices within internal, server, or technology networks should only use organization-managed DNS servers. External DNS queries pose particular risks in environments with IoT devices or less secure endpoints, allowing attackers to exploit vulnerabilities like DNS spoofing or covert tunneling.

Recommended actions:
  • Ensure internal devices communicate only with an authorized internal DNS server, which alone resolves external queries.
  • Monitor DNS traffic for anomalies, such as unauthorized queries to public DNS servers.
  • Block external DNS queries at the firewall level to secure your internal infrastructure.

Pro Tip: Leverage tools like GREYCORTEX Mendel to detect unauthorized DNS communication and improve network protection.

Unused IPv6 Communication 

Configuration error: Active IPv6 communication on devices without deliberate use adds unnecessary network overhead and complicates management.

In many organizations, devices are configured with both IPv4 and IPv6 addresses, even when IPv6 is not actively used. This results in redundant multicast and anycast queries, increasing your network traffic without providing value.

Recommended actions:
  • Disable IPv6 on devices where it is not required to reduce traffic.
  • Regularly monitor IPv6 traffic to identify inefficient flows.

Pro Tip: Ensure the compatibility of applications and devices relying on IPv6 before disabling it completely.

Effective Network Threat Prevention Begins with Proper Configuration

The misconfigurations highlighted above are not uncommon—they frequently surface during network audits across organizations of all sizes. Some issues can be resolved with simple configuration changes, while others demand a more strategic approach or infrastructure upgrades. Regardless of their complexity, early identification of these vulnerabilities is critical to preventing security incidents.

GREYCORTEX Mendel offers you a complete view of your network, detecting risks such as unencrypted communication, unauthorized access points, and problematic remote access methods. With Mendel, you can proactively identify vulnerabilities, minimize risks, and fortify your network before threats escalate.


GREYCORTEX Mendel 4.4 Released

We have released a new service version of GREYCORTEX Mendel.

Version 4.4 introduces a transition to the new CentOS operating system, enabling us to deliver more advanced functionalities in future versions, including:

  • Completely redesigned user rights management with native integration to identity services, supporting SSO and MFA.
  • High availability with collector redundancy (Phase 1).
  • Vulnerability mapping (CVE) tailored for OT devices.
  • Threat Intelligence 2.0 features a custom source definition with automated data processing.
  • Redesigned NBA events, leveraging the UnTE (tagging) engine for improved correlation.
  • Logical sensors optimized for MSSP deployment.
  • Application data analysis for deeper operational insight and environment identification.

The rollout of version 4.4 for existing customers started gradually in February 2025.


Your NIS2 Compliance Partner: GREYCORTEX Mendel for Stronger Cybersecurity

The NIS2 Directive has introduced a new era of cybersecurity regulation across the EU. Its focus on process setup and technical requirements challenges organizations to rethink how they manage cybersecurity risks. While setting up governance frameworks is crucial, NIS2 also mandates essential technical measures like asset management, network segmentation, and incident detection.

For many organizations, these technical demands can feel overwhelming: How do we meet them effectively? Do we have the right tools in place? This is where GREYCORTEX Mendel steps in, helping you bridge the gap between process and technology. Mendel empowers organizations like yours to simplify compliance by offering a tool to monitor, secure, and optimize your network infrastructure effectively.

In this article, we’ll show you how Mendel supports compliance with the technical aspects of NIS2, helping you strengthen your cybersecurity posture while meeting the directive’s requirements.

A Brief Overview of the NIS2 Directive

The NIS2 Directive (Network and Information Security) is a pivotal EU cybersecurity regulation introduced in December 2020. Its primary objective is to establish a uniform level of cybersecurity protection across all EU Member States by mandating specific requirements and measures. Compared to its predecessor, the NIS Directive, NIS2 represents a significant expansion of scope and ambition.

While the specific requirements may vary by country as national legislations adopt the directive, certain challenges remain universal. This is where GREYCORTEX Mendel can help. No matter the regulatory nuances in your country, Mendel provides you with practical tools and insights to address key technical requirements, ensuring your organization stays secure and compliant.

NIS2 in Practice: How GREYCORTEX Mendel Helps

Asset management

Organizations must maintain visibility of all devices and systems within their infrastructure, including their interactions. GREYCORTEX Mendel lets you simplify this process by automatically auditing assets and mapping their connections.

For instance, a regional healthcare provider discovered 15 undocumented devices using Mendel. This helped them uncover legacy systems that were vulnerable to exploitation and provided a roadmap for mitigation.

Mendel detects and stores information about every device communicating on your network. Use it to view a list of networks and subnets and see in detail the devices in these subnets. This overview is supplemented with information about the risk level of these devices and subnets, and detailed information about hostname, tags, operating system, and other parameters.

In the system, you will see a visualization of the individual connections between devices and networks as well as an overview of users. By integrating this with identity sources such as Active Directory or an LDAP server, Mendel connects specific communications to individual users.

Risk management

Understanding which systems are critical—and the impact of their failure—is fundamental. Mendel allows organizations to identify and prioritize key assets, enabling them to assess the potential consequences of disruptions.

By identifying the criticality of assets, organizations can allocate resources effectively, focusing on what truly matters to their operations and compliance efforts.

For instance, a manufacturing company used Mendel to uncover inadequate segmentation around a legacy control system. Addressing this gap protected them from a ransomware attack that could have halted production.

Mendel allows you to filter the communication clients that access a particular service or application as a basis for determining the criticality of those services and applications.

Human resource security and access control

Monitoring user behavior and access is vital to preventing unauthorized activity. Typical examples are a user communicating with a system they should not have permission to reach, someone connecting to a VPN with an account or remote access that should have been blocked, or an external vendor still having access to a company’s internal network after their contract has been terminated.

Mendel identifies unusual access patterns, such as attempts to log into restricted systems or use compromised credentials.

Our customer discovered that an employee’s credentials were being misused to access sensitive applications after hours. Mendel flagged the anomaly, enabling the IT team to act swiftly and prevent a breach.

By integrating Mendel with asset management tools or identity sources, it is possible to create a list of users and explore their communication with other users and services. This allows you to check whether there is a user on the network who should not be there.

Cybersecurity audit

Regular audits ensure that security measures align with daily operations. While traditional audits are conducted, for example, twice a year, Mendel enables you to carry out continuous verification of policies and compliance on a daily basis.

Security of communication networks

Network segmentation is a cornerstone of effective cybersecurity. With GREYCORTEX Mendel, you can easily verify the correct implementation of your network segmentation. Mendel provides clear insights into whether devices from one subnet are improperly communicating with devices in another subnet or are accessible from the Internet when they shouldn’t be.

Consider critical production devices: these are typically restricted to an internal network for security reasons, but may occasionally require temporary Internet access for upgrades or remote servicing. If that access is not revoked after use, Mendel will detect and alert you to the unauthorized communication, ensuring your network remains secure.

Mendel’s capabilities go further, processing protocols like MODBUS and other OT-specific protocols to visualize communication flows for production devices. This helps verify not only where these devices are communicating but also whether the communication complies with security policies.

Additionally, Mendel simplifies the detection of illegitimate connections. For example, you can filter and monitor Remote Desktop Protocol (RDP) communications that might be restricted by company policy or identify unauthorized TeamViewer connections.
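As an added example (not Mendel’s own code or configuration format), the following Python script expresses the segmentation and perimeter checks described above as rules over flow records: permitted east–west segment pairs, Internet egress with a temporary exception that expires, segments that may be exposed to the Internet, and RDP restricted to approved source hosts. The segment ranges, hosts, dates and flow records are all constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed segmentation policy (hypothetical; not Mendel's own configuration format).
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in
            {"users": "10.10.0.0/16", "servers": "10.20.0.0/16", "ot": "10.30.0.0/16"}.items()}
ALLOWED_EAST_WEST = {("users", "servers")}            # permitted (src segment, dst segment) pairs
INTERNET_ALLOWED = {"users"}                          # segments that may reach the Internet
INTERNET_EXPOSED = {"servers"}                        # segments that may be reached from the Internet
TEMP_INTERNET = {"10.30.0.5": datetime(2025, 1, 10)}  # host -> expiry of a temporary egress exception
RDP_SOURCES = {"10.10.0.99"}                          # hosts allowed to originate RDP (TCP 3389)
NOW = datetime(2025, 2, 1)                            # constructed audit time

def segment_of(ip):
    """Name of the internal segment an address belongs to, or None if it is not internal."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def check_flow(flow, now):
    """Return short labels for every policy rule a single flow record violates."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    found = []
    if src and dst and src != dst and (src, dst) not in ALLOWED_EAST_WEST:
        found.append(f"east-west {src}->{dst}")
    if src and dst is None and src not in INTERNET_ALLOWED:
        expiry = TEMP_INTERNET.get(flow["src"])      # temporary access must be revoked on time
        if expiry is None or now > expiry:
            found.append(f"internet egress from {src}")
    if src is None and dst and dst not in INTERNET_EXPOSED:
        found.append(f"inbound from internet to {dst}")
    if flow["dport"] == 3389 and flow["src"] not in RDP_SOURCES:
        found.append("rdp from unapproved host")
    return found

def audit(flows, now):
    """Map each violating flow, keyed by (src, dst, dport), to its violation labels."""
    report = {}
    for flow in flows:
        labels = check_flow(flow, now)
        if labels:
            report[(flow["src"], flow["dst"], flow["dport"])] = labels
    return report
# Constructed sample flow records, the kind a flow exporter or NDR tool hands an analyst.
SAMPLE_FLOWS = [
    {"src": "10.10.0.15", "dst": "10.20.0.8", "dport": 443},    # users -> servers: allowed
    {"src": "10.10.0.15", "dst": "10.30.0.5", "dport": 502},    # users -> OT: not allowed
    {"src": "10.30.0.5", "dst": "203.0.113.7", "dport": 443},   # OT -> Internet: exception expired
    {"src": "10.10.0.15", "dst": "10.20.0.8", "dport": 3389},   # RDP from a non-admin workstation
    {"src": "198.51.100.4", "dst": "10.30.0.9", "dport": 502},  # Internet -> OT: exposed device
]
```

Running `audit(SAMPLE_FLOWS, NOW)` reports four of the five constructed flows; only the users-to-servers HTTPS flow passes every rule.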


Detection of cybersecurity events

Detection is one of the key capabilities of GREYCORTEX Mendel, together with the recording and analysis of what it detects. All three are essential for effective incident prevention.

Mendel excels at identifying threats by analyzing network traffic and detecting both signature-based and anomalous behavior. This capability allows organizations to address issues at different stages of a cyberattack.

For example, Mendel detects command-and-control communication, a hallmark of advanced persistent threats, and brute force attacks, a common tactic in ransomware campaigns. It also detects other dangerous behavior, such as scans or tunnels.

Event logging

One of NIS2’s key requirements is retaining cybersecurity event records for at least 18 months. GREYCORTEX Mendel lets you simplify compliance by securely recording all mandatory data and making it easily traceable over months or even years—limited only by your available storage capacity.

Mendel also supports seamless integration with other tools through its ability to upload and export PCAP files. This feature enables you to analyze records externally or import PCAPs back into Mendel for detailed investigations, ensuring your organization stays agile in handling cybersecurity events.

Analysis of cybersecurity events

Continuous and centralized evaluation of detected cybersecurity events is essential for maintaining a robust security posture. This process involves identifying correlations, assessing the relevance of sources, and generating alerts—whether automatically in real-time or through manual configuration.

With GREYCORTEX Mendel, you gain the ability to drill down into the specifics of every detected event. Mendel categorizes events using the MITRE ATT&CK Framework, providing a structured and industry-recognized approach to understanding threats. Additionally, it offers various intuitive views and filters, enabling you to analyze your data from multiple perspectives and focus on what matters most to your organization.

Cryptographic algorithms

GREYCORTEX Mendel helps you verify that your systems are using up-to-date encryption standards and eliminates the risks associated with unencrypted communications or plaintext password transmissions.

For example, Mendel flagged several plaintext password transmissions in a client’s system, enabling them to enforce encryption policies and prevent credential theft.

Additionally, Mendel checks the validity of communication certificates, ensuring that your encrypted connections are both secure and compliant with best practices.

Security of industrial assets

The NIS2 Directive places significant emphasis on securing industrial networks, an area where many organizations still face challenges. GREYCORTEX Mendel addresses these gaps by supporting industrial protocols like MODBUS, OMRON, BACnet, and others, enabling comprehensive monitoring of operational technology (OT) environments.

Beyond analyzing IT network traffic, Mendel visualizes communication between devices up to level 2 of the Purdue model, including sensors, motors, and other industrial components. With proper configuration, it can extract detailed insights about OT devices, such as furnace temperatures, centrifuge speeds, pipeline pressures, and water levels in storage vessels.

Mendel delivers critical data to ensure the reliability and security of production infrastructure, including:

  • Identification of Common Vulnerabilities and Exposures (CVEs) affecting OT devices
  • Configuration settings of industrial systems
  • Firmware information for better version control and security assessments

Prepare in Time

Applicability, enforcement, and fines will vary from one EU Member State to another. Yet in cybersecurity, more than anywhere else, the saying “yesterday was too late” applies.

There is no need to panic, but don’t underestimate the security of your business or institution. Your organization doesn’t need to face NIS2 alone. Whether you’re just starting your compliance journey or refining existing processes, GREYCORTEX Mendel provides the visibility and control you need to succeed.

About GREYCORTEX

GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
