InsightCyber Guidance For Your IoT Risk Management Initiative
Part 2 of 2, by Curtis Blount
The advent of Industrial IoT means vulnerabilities are becoming harder to detect and mitigate as these devices go online. The sheer volume of industrial IoT devices, coupled with the spectrum of capabilities they provide, greatly expands the attack surface and the number of potential vulnerabilities.
In part 1 of this series we determined that there is no single standard framework that can be used to assess the security of IoT devices, because of the varied constraints on how these devices are interconnected. Further, simply extending existing IT risk frameworks to IoT systems will not, on its own, address the new risks that have arisen in the IoT ecosystem.
At InsightCyber, to address this issue, we are creating a hybrid risk management/assessment methodology. In this post, we'll delve into some of the specific standards, guidelines and directives that are influencing our direction. We hope you find this useful for your risk management initiatives.
Here is some of the key guidance we have identified:
National Institute of Standards and Technology Interagency Report 8228, "Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks," known as NISTIR-8228.
Operationally Critical Threat, Asset, and Vulnerability Evaluation, known as OCTAVE.
Threat Assessment & Remediation Analysis, known as TARA.
The U.S. Government Accountability Office recently provided an assessment of the status of security issues surrounding IoT.
The EU Network and Information Security (NIS) Directive, which establishes minimum, EU-wide harmonized security and incident-notification obligations for operators of essential services and digital service providers.
Here are some take-aways from my perspective:
Article 14 of the NIS Directive states that operators of essential services must put appropriate and proportionate technical and organizational measures in place, having regard to the state of the art, to manage the risks posed to their network and information systems, and must take measures to ensure continuity of service and to prevent and minimize the impact of incidents.
In addition to the NIS Directive, the EU's General Data Protection Regulation (GDPR) also requires risk assessment to be built into the processing of personal data (the GDPR term for what U.S. guidance calls PII): Article 35 requires a data protection impact assessment for processing likely to result in a high risk. The same risk judgment reappears in Article 34 of the GDPR, which relieves a controller from notifying data subjects of a breach only where "the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize," a determination a controller cannot make without a working risk assessment process.
In the U.S., the NISTIR-8228 publication (still in the final draft stage at the time of writing) recommends that organizations implement risk assessment processes to mitigate the risks IoT devices create: "Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas."
The risk mitigation goals set by NIST are to “prevent a device from being used to conduct attacks,” to “protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IoT device” and to “protect individuals’ privacy impacted by PII processing.”
What is interesting about the NISTIR-8228 publication is that it maps its expectations onto the NIST Cybersecurity Framework, also known as the CSF. As you may know, the five CSF core functions are: Identify – Protect – Detect – Respond – Recover. (For more detail on how we have adopted this, please check out our white paper "InsightCyber IoT Risk Methodology".)
NISTIR-8228 identifies three main considerations that affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices:
Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
Many IoT devices cannot be accessed, managed or monitored in the same ways conventional IT devices can.
The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
However, NISTIR-8228 does not provide guidance on "how" to implement protections. Nor does it address the SecDevOps or SDLC processes around firmware or chip-level development. This is not surprising, as NIST guidance of this kind is written at the management level rather than the engineering level.
Note: Most IoT devices cannot be patched on anything like an IT cadence. Firmware updates, where the vendor provides them at all, are infrequent, and applying them typically means taking the device offline. As such, compensating controls need to be applied around the device, using concepts such as zones and conduits from ISA/IEC 62443 to contain and mitigate the risk that the device itself cannot be fixed.
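To make the compensating-control idea concrete, here is an added example (not part of the original post and not InsightCyber's methodology) that models an ISA/IEC 62443-style zone and conduit policy in Python and checks observed flows against it. The zones, addresses, conduit table and flow records are all constructed for illustration; the point is that an unpatchable PLC whose vulnerable Modbus or web interface cannot be fixed is reachable only through an explicitly defined conduit, and everything else is denied by default.

```python
"""Zone/conduit allow-list check in the style of ISA/IEC 62443.

Added illustration, not InsightCyber's code. Every address, zone name and
flow below is constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Zones group assets with similar security requirements (constructed RFC 1918 ranges).
ZONES = {
    "plc_cell": ipaddress.ip_network("10.10.1.0/24"),   # unpatchable PLCs and sensors
    "scada_dmz": ipaddress.ip_network("10.10.2.0/24"),  # historian, syslog collector
    "corp_it": ipaddress.ip_network("10.20.0.0/16"),    # office network
}

# Conduits are the ONLY permitted cross-zone paths: (src_zone, dst_zone) -> {(proto, port)}.
# Anything not listed here is denied, which is what contains a device we cannot patch.
CONDUITS = {
    ("scada_dmz", "plc_cell"): {("tcp", 502)},  # Modbus/TCP polling from the historian only
    ("plc_cell", "scada_dmz"): {("udp", 514)},  # syslog from the cell to the DMZ collector
}


def zone_of(addr: str) -> str:
    """Return the zone containing addr, or "unknown" if it is outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> str:
    """Decide "allow" or "deny" for one flow under the zone/conduit policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return "allow"  # intra-zone traffic is governed by that zone's own controls
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    if (flow.proto, flow.dport) in allowed:
        return "allow"
    return "deny"  # default deny: no conduit, no path


def violations(flows):
    """Return the flows that the policy denies; feed these to alerting."""
    return [f for f in flows if evaluate(f) == "deny"]


def nft_rules(table: str = "inet ot", chain: str = "forward"):
    """Render the conduit table as nftables 'add rule' commands.

    The default deny comes from the chain's policy, which the caller creates
    with: nft add chain inet ot forward '{ type filter hook forward priority 0; policy drop; }'
    """
    rules = []
    for (src_zone, dst_zone), services in sorted(CONDUITS.items()):
        for proto, port in sorted(services):
            rules.append(
                f"nft add rule {table} {chain} ip saddr {ZONES[src_zone]} "
                f"ip daddr {ZONES[dst_zone]} {proto} dport {port} accept"
            )
    return rules


# Constructed flow records, as a flow collector or firewall log might report them.
SAMPLE_FLOWS = [
    Flow("10.10.2.10", "10.10.1.7", 502, "tcp"),    # historian polls PLC: allowed conduit
    Flow("10.10.1.7", "10.10.2.20", 514, "udp"),    # PLC syslog to DMZ collector: allowed
    Flow("10.20.3.4", "10.10.1.7", 80, "tcp"),      # office laptop to PLC web UI: deny
    Flow("10.10.1.7", "203.0.113.9", 443, "tcp"),   # PLC calling out to the internet: deny
    Flow("10.10.1.7", "10.10.1.8", 502, "tcp"),     # PLC to PLC inside the cell: allowed
    Flow("10.20.3.4", "10.10.1.7", 502, "tcp"),     # office host speaking Modbus directly: deny
]


if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"DENY {f.proto}/{f.dport} {f.src} ({zone_of(f.src)}) -> {f.dst} ({zone_of(f.dst)})")
    print("\n".join(nft_rules()))
```

The same conduit table serves two purposes: run over flow records it is a detection control (the three denied flows above are exactly the paths an attacker would use against a device with a known, unpatched service), and rendered with `nft_rules()` it becomes the preventive control on the firewall between the zones. Keeping one source of truth for both is what makes the compensating control auditable in a risk assessment.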
Risk Assessment Considerations
I certainly do not advocate any particular product; that said, Cisco recently released "Securing the Internet of Things: A Proposed Framework." While high-level, the Cisco framework does incorporate authentication, authorization, network-enforced policy and secure analytics, giving a holistic approach to IoT cybersecurity.
Conceptually, I do like Cisco's approach because it focuses on network compensating controls, which is where most IoT protections can actually be enforced. In my opinion, that same focus is also where it falls short as a risk framework. Risk management, by definition, is a management function: it establishes policy on IoT cybersecurity. Cisco's approach is more focused on establishing the standards and procedures that protect the IoT ecosystem, which sit a level below policy.
Regardless of where IoT sits within the environment, it is time for IT organizations in every business unit to start taking IoT cybersecurity seriously. Taking the initiative now, from researching emerging IoT security best practices to learning how to extend the practices used to secure traditional IT to connected devices and sensors, will have considerable benefits down the road.
Organizations also need to understand where IoT vulnerabilities may lie, how complex they are, and how severe a threat they represent. Incorporating IoT into the risk assessment process is not easy, since most IoT devices combine hardware, software and firmware in ways that do not fit into most IT cybersecurity monitoring systems.
It also means any project involving IoT must be designed with security front and center, incorporating robust, role-based controls to ensure adequate protection.
Curtis Blount is the Chief Security Officer of InsightCyber.