Risk Management Is Critical in the IoT Threat Landscape
Part 1 of 2, by Curtis Blount
As InsightCyber matures its products and services, we clearly recognize that Internet of Things (IoT) cybersecurity is a major concern. This became evident with COVID-19 and the move to working from home: the home is now an IoT network that connects into the corporate network over a VPN, which means whatever consumer devices share that home network now sit one hop from corporate resources. Traditional security services simply don't cut it anymore.
IoT technology has matured in recent years; the same cannot be said for the security of these devices. Security is rarely a topic that comes up when firmware is developed. However effective these devices are at their jobs, they are not secure and carry vulnerabilities that need to be addressed.
The challenge is to protect the data that IoT devices hold from external entities and to minimize an attack that could disrupt operations and put that data at risk. Everyone already has security technology in place, and existing cybersecurity frameworks address IT and OT cybersecurity, but not IoT. Several efforts to develop a framework that addresses IoT cybersecurity are in progress; most are still in the development stage.
Bottom line: there is no standard framework for assessing the security of IoT devices, because of the varied constraints in how these devices interconnect. Further, simply extending the existing IT and OT frameworks to IoT systems will not address the new risks that have arisen in the IoT ecosystem.
The Growing Challenge to Cybersecurity
At InsightCyber, we are creating a hybrid risk management/assessment methodology that will complement our existing risk management/assessment services. To do this, we are looking at National Institute of Standards and Technology Interagency Report 8228 (NISTIR 8228, "Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks"), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE, from the CMU Software Engineering Institute), Threat Assessment & Remediation Analysis (TARA, from MITRE), as well as other IoT cybersecurity documents.
IoT cybersecurity and risk management are complex. They need to account for vulnerabilities, specifically at the chip level, that simply cannot be remediated: a flaw baked into silicon has no firmware patch. As such, other methods, such as isolation, compensating controls or explicit risk acceptance, must be applied to manage the risk.
The U.S. Government Accountability Office recently provided an assessment of the status of security issues surrounding IoT. The GAO identified the following types of attacks as primary threats to IoT:
Denial of Service
The Role of Risk Assessment in IoT
The advent of Industrial IoT means vulnerabilities are becoming harder to detect and mitigate as these devices go online. The sheer volume of industrial IoT devices, coupled with the range of capabilities they provide, greatly increases the potential attack surface.
Add to this the impact that multiple compromised devices can have on the Internet (for example, when herded into a botnet) or that a single compromised device can have in the physical world, and the growing challenge to cybersecurity practice becomes easier to understand.
Further, some IoT devices are under some level of organizational control and many are not; the latter is most likely the norm. Therefore, risk management is critical in this threat landscape.
Risk assessment is the process of identifying, estimating and prioritizing risks to an organization's assets and operations. It is a critical activity within risk management, as it provides the foundation on which the identified risks are mitigated. Risk assessment answers the questions "What can go wrong?", "What is the likelihood that it would go wrong?" and "What are the consequences?"
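As an added worked example (not from the original post and not InsightCyber's methodology), the following Python builds a small risk register that answers those three questions for a constructed IoT inventory. It scores likelihood and consequence on a hypothetical 1-5 scale (risk = likelihood x impact, maximum 25; this is not the scoring of NISTIR 8228, OCTAVE or TARA), and it treats unremediable chip-level findings and devices outside the organization's control differently from patchable ones: compensating controls lower residual risk, but a finding that cannot be patched and has no control in place keeps its full score and is flagged for isolation or explicit acceptance. All device names and findings are made up.

```python
from dataclasses import dataclass, field

# Added example with a hypothetical 1-5 scoring scheme (risk = likelihood x impact,
# maximum 25). Not NISTIR 8228's, OCTAVE's or TARA's scoring and not InsightCyber's
# methodology; the devices and findings below are constructed for illustration.

@dataclass
class Finding:
    device: str
    issue: str                 # what can go wrong
    likelihood: int            # how likely, 1 (rare) .. 5 (near certain)
    impact: int                # consequence, 1 (negligible) .. 5 (safety/physical)
    remediable: bool = True    # False: chip-level flaw, no firmware fix possible
    managed: bool = True       # False: device outside the organization's control
    # compensating controls as (name, likelihood reduction) pairs
    compensating: list = field(default_factory=list)

FINDINGS = [
    Finding("PLC-7", "unauthenticated Modbus write", 5, 5),
    Finding("CAM-12", "debug interface left enabled in silicon", 3, 4,
            remediable=False,
            compensating=[("VLAN isolation", 1), ("physical access control", 1)]),
    Finding("HVAC-3", "unpatchable chip flaw in radio", 4, 3, remediable=False),
    Finding("Sensor-9", "default credentials", 4, 2,
            compensating=[("credential rotation", 2)]),
    Finding("HomeCam-1", "consumer camera on employee VPN segment", 3, 3,
            managed=False),
]

def clamp(n: int, lo: int = 1, hi: int = 5) -> int:
    """Keep a score on the 1-5 scale; controls can never push likelihood below 1."""
    return max(lo, min(hi, n))

def inherent_risk(f: Finding) -> int:
    """Risk before any treatment is applied."""
    return f.likelihood * f.impact

def residual_risk(f: Finding) -> int:
    """Risk after compensating controls. Controls only lower likelihood; they do
    not change what the consequence would be if the flaw is actually exercised."""
    reduction = sum(r for _, r in f.compensating)
    return clamp(f.likelihood - reduction) * f.impact

def treatment(f: Finding) -> str:
    """Pick the treatment the finding actually allows, not the one we would prefer."""
    if not f.managed:
        return "isolate (unmanaged device)"      # cannot patch what you do not control
    if f.remediable:
        return "remediate (patch/reconfigure)"
    if f.compensating:
        return "mitigate (compensating controls)"
    return "isolate or accept"                   # unremediable and nothing in place yet

def prioritize(findings):
    """Return one row per finding, highest residual risk first."""
    rows = [{"device": f.device, "issue": f.issue,
             "inherent": inherent_risk(f), "residual": residual_risk(f),
             "treatment": treatment(f)} for f in findings]
    # ties broken by inherent risk (what is at stake if a control fails), then by name
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"], r["device"]))

if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(f'{r["device"]:<10} inherent={r["inherent"]:>2} '
              f'residual={r["residual"]:>2}  {r["treatment"]}')
```

The ordering puts the patchable PLC finding first (it is both the worst and the cheapest to fix), keeps the unpatchable HVAC flaw at its full inherent score because nothing has been done about it yet, and ranks the isolated camera below both even though its silicon flaw is just as unfixable, because the compensating controls have already reduced the likelihood. Inherent risk is kept alongside residual risk on purpose: when a control fails, that is the number you are back to.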
Here in the U.S., there is no regulatory obligation for IoT cybersecurity - yet. In the EU, however, IoT risk assessment is driven by various regulations and directives. The EU Network and Information Security (NIS) Directive defines obligations for operators of essential services and digital service providers by establishing minimum harmonized requirements across the EU; each member state must transpose it into national measures and implementation strategies.
In part 2, we'll look at the specific standards, guidelines and directives mentioned here that are influencing our direction at InsightCyber.
Curtis Blount is the Chief Security Officer of InsightCyber.