Follow NIST Printer Guidelines as a Starting Point
First, use NIST guidance as a starting point for planning printer security. NIST Internal Report 8023, Risk Management for Replication Devices, explains in detail how an agency can manage risk for networked printers during all phases of the system development lifecycle.
The document includes questions to ask when planning acquisitions, security functionality to look for, and actions to take when deploying printers. It also provides mappings to the corresponding NIST Special Publication (SP) 800-53 controls.
IR 8023’s appendices include a risk assessment questionnaire table and flowchart to help agencies determine if a printer is considered low, moderate or high risk. The document was published in 2015, however, so agencies should supplement its guidance with recent information on printer security from additional sources.
Be sure to take advantage of the latest and most sophisticated security features, and consider requiring them for new printer acquisitions. Examples of these features include a Trusted Platform Module (TPM) that facilitates secure boot, which helps ensure that the printer executes only authorized firmware.
Application whitelisting can prevent malware and other unauthorized executables from running. In addition, printers should include an auto-erase functionality that securely wipes cached data from printer storage as soon as it is no longer needed, plus a sanitization feature that completely wipes all internal storage media before printer decommissioning.
Prevent the physical theft of unattended print jobs by including an option to have the printer “hold” a print job until the recipient is actually present at the printer and enters a PIN or other form of authentication to start the job.
Also use strong encryption for all network communications to and from the printer to prevent eavesdropping on sensitive data, and include the printer in agency continuous monitoring implementations so that security issues and compromises are detected quickly.
Update Printers Regularly to Increase Protection
Finally, harden each printer to reduce its attack surface. Printers should be made as secure as all the other devices on the agency’s networks, and hardening is critical for accomplishing that. Change all default passwords and make sure all accounts require authentication.
In addition, keep printer firmware up-to-date with patches and upgrades. Make sure that the integrity and authenticity of all updates are verified, such as by having the printer check digital signatures on patches before installing them.
Disable any printer functions, services, network ports, protocols and other capabilities that aren’t needed. And use network-based controls, such as firewalls and routers, to limit direct access to the printer, particularly from the internet.
Hardening printers, along with using the security features they support, can be highly effective at reducing the likelihood of networked printer compromise.
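The checklist above (default credentials, unneeded services, firmware currency and signature verification, TLS, internet exposure, log forwarding to continuous monitoring, auto-erase and secure print release) is easiest to enforce when it is written down as an audit that runs over the fleet's configuration snapshots. The script below is an added illustration, not code from the article or from NIST; the snapshot field names, the required-service allowlist, the baseline firmware version and the three sample printers are all constructed assumptions, so map them to whatever your management tool actually exports.

```python
"""Audit printer configuration snapshots against a hardening checklist.

All records and field names here are constructed for illustration; they are
not the output of any real device, vendor tool or NIST document.
"""
from dataclasses import dataclass

# Assumption: the only services this site needs on a printer are encrypted
# IPP, the HTTPS management page and SNMPv3. Anything else is flagged.
REQUIRED_SERVICES = {"ipps", "https", "snmpv3"}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def parse_version(text):
    """Turn a dotted numeric version such as '4.12.1' into (4, 12, 1).

    Assumes purely numeric dotted versions; vendor-specific build tags
    would need their own parser.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass
class PrinterSnapshot:
    name: str
    firmware: str
    admin_password_changed: bool      # default admin password replaced
    all_accounts_require_auth: bool   # no anonymous/guest accounts
    enabled_services: set             # network services currently on
    signature_check_enabled: bool     # firmware updates must be signed
    tls_required: bool                # print and management traffic encrypted
    internet_reachable: bool          # management interface exposed beyond the LAN
    syslog_forwarding: bool           # logs reach the continuous-monitoring stack
    auto_erase_enabled: bool          # cached job data wiped when no longer needed
    secure_release_enabled: bool      # jobs held until the user authenticates at the device


def audit_printer(snap, baseline_firmware):
    """Return a list of (severity, finding) tuples; an empty list means compliant."""
    findings = []
    if not snap.admin_password_changed:
        findings.append(("high", "default administrator password still in use"))
    if not snap.all_accounts_require_auth:
        findings.append(("high", "one or more accounts do not require authentication"))
    extra = snap.enabled_services - REQUIRED_SERVICES
    if extra:
        findings.append(("medium", "unneeded services enabled: " + ", ".join(sorted(extra))))
    if parse_version(snap.firmware) < parse_version(baseline_firmware):
        findings.append(("high", f"firmware {snap.firmware} is older than baseline {baseline_firmware}"))
    if not snap.signature_check_enabled:
        findings.append(("high", "firmware update signature verification is disabled"))
    if not snap.tls_required:
        findings.append(("high", "printer accepts traffic without TLS"))
    if snap.internet_reachable:
        findings.append(("high", "management interface reachable from the internet"))
    if not snap.syslog_forwarding:
        findings.append(("medium", "logs are not forwarded to continuous monitoring"))
    if not snap.auto_erase_enabled:
        findings.append(("medium", "cached job data is not auto-erased"))
    if not snap.secure_release_enabled:
        findings.append(("low", "print jobs are released without user presence or PIN"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'none' for a compliant printer."""
    if not findings:
        return "none"
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


def audit_fleet(snapshots, baseline_firmware):
    """Map each printer name to its findings list."""
    return {s.name: audit_printer(s, baseline_firmware) for s in snapshots}


# Constructed sample fleet: one hardened device, one partially hardened, one untouched.
SAMPLE_FLEET = [
    PrinterSnapshot("mfp-hardened", "4.12.1", True, True, {"ipps", "https", "snmpv3"},
                    True, True, False, True, True, True),
    PrinterSnapshot("mfp-finance", "4.12.1", True, True, {"ipps", "https", "snmpv3", "snmpv1"},
                    True, True, False, True, True, False),
    PrinterSnapshot("mfp-lobby", "4.9.0", False, True,
                    {"ipps", "https", "snmpv3", "telnet", "ftp", "http", "snmpv1"},
                    False, False, True, False, False, False),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET, "4.12.1").items():
        print(f"{name}: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The version comparison is tuple-based so that 4.9.0 correctly sorts below 4.12.1; a plain string comparison would get that wrong. Severity labels are a local ranking for triage, not a mapping to IR 8023's low/moderate/high risk categories, which come from that document's own questionnaire.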
Sometimes the older the printer, the safer it is. Why?
- It doesn’t store information.
- It can’t be networked.
Conduct a risk assessment anyway.
- There might be a vulnerability you don’t recognize.
- It might be cheaper to replace those printers instead of upgrading them.