In September, the National Institute of Standards and Technology released NIST IR 8228. The report surveys the unique risks organizations face from the proliferation of IoT (Internet of Things) devices and is essentially one of the first detailed approaches to securing IoT environments. NIST IR 8228 advocates three high-level risk mitigation goals. Here’s a breakdown of those goals and how businesses can achieve them.
IoT Device Security Challenges
A critical first step is to ensure that IoT devices are safeguarded and can’t be used as a jumping-off point for attacks on other devices or networks. This isn’t new. Device security is already a must, requiring proper configuration, patch and vulnerability management, and incident response, among other things. It is now also critical for an IoT environment. Unlike other devices, IoT devices, due to their newness, may pose additional challenges: they may lack the functionality required by centralized asset management systems, have heterogeneous administrative responsibility, and are often located in environments segmented from traditional IT operations. All of these factors make them more difficult to both track and secure, and because of this they are heavily targeted by hackers.
Additionally, IoT environments are often excluded from many organizations’ standard vulnerability management process. In some cases, updates or changes to remediate known vulnerabilities on these devices are not available. Companies often take the position that vulnerability management of these environments is not necessary because they reside on an air-gapped network. But, as we learned with Stuxnet, the virus used to infiltrate Iran’s nuclear facility, security through segmentation alone is insufficient. Despite the facility being completely off the grid, the US and two other countries were able to compromise it by infecting an out-of-network device that had been brought into the environment. Even when your environment isn’t connected to the internet, you can still be compromised.
Adding to the complexity of securing IoT devices, many do not support the logical access norms common in most enterprises today. The inability to integrate with established directories, for example, leads to a lack of control over the password complexity, aging, and role-based capabilities mandated by even a rudimentary security program. Security visibility rounds out the top IoT security pitfalls. IoT devices are not always included in traditional security logging and monitoring solutions, for reasons ranging from segmentation constraints to the devices being unable to produce security events.
Organizations should consider developing or maturing processes that integrate risk management into procurement. At minimum, the information security and IT organizations should be involved. With IoT environments often procured by lines of business and outside the visibility of traditional IT operations, engaging the appropriate internal teams should ensure that risks are understood and appropriately mitigated prior to the introduction of new devices into the corporate network.
IoT Data Security Challenges
Protecting the confidentiality, availability, and integrity of stored, transmitted, or processed data can also be extra challenging in an IoT environment. The theme remains the same: there can be incompatibilities between IoT and conventional IT management standards, processes, and technology. Encryption, data sanitization, and backup and restore features may not be available on IoT devices. In addition, the built-in capabilities for secure network communications can be lacking as well.
When configuring and updating IoT devices, security needs to be front of mind, especially if the purpose of the device is to collect data, as with sensor- and actuator-enabled devices. These assets store and report on the data they collect. Ask yourself: if a bad guy were to breach or take down these devices, is the data secured, backed up, and safe?
This is fundamentally no different than any other device and data management system. So be prepared to apply the same security management to IoT data as you do to everything else.
Protect Individuals’ Privacy
With emergent new laws like the General Data Protection Regulation (GDPR) and an onslaught of consumer data breaches, privacy is a hot topic in every consumer-facing industry. A recent breach of Facebook is a good example of a large-scale attack waking people up to what privacy means. Businesses need to be current on how consumer data is being collected, stored, and used.
The premise behind GDPR is that privacy is a fundamental right of the individual. As such, organizations must take measures such as ensuring that personal data is protected, capturing explicit consent for the use of that data, and providing consumers, upon request, a report on how that data is used.
In the case of IoT, devices may not provide a way to interface with their functionality. This can impact a user’s ability to consent to the processing of collected PII and to access privacy notices.
The compliance framework also mandates an individual’s “right to be forgotten.” This means an organization must know where a user’s data resides and have a way to remove it in a timely manner. The dynamic nature of IoT and the indiscriminate way in which it can collect PII can make compliance with this requirement much more difficult. This is further complicated by IoT’s inherently decentralized data processing and heterogeneous ownership inside an organization.
It’s clear that IoT is exciting and also risky in its relatively young state. With NIST taking notice and beginning the discussion on securing IoT environments, expect IoT security to become a mainstream topic, one that results in a series of new security protocols. In the meantime, understand that the benefits of IoT adoption also come with significant security challenges and risks. The first step, as they say, is being aware.