What Is The Internet of Things (IoT)?
Though machines have been communicating with other machines for decades, the encompassing term IoT wasn’t officially coined until 1999. By definition, the IoT consists of any device that is connected through the Internet to other devices. This can mean almost anything: cell phones, connected refrigerators, aviation and automobile devices, heart monitors, continuous glucose monitors, insulin pens, and even a biochip responder implanted in a farm animal.
What Are The Benefits?
Every new development usually leads to another addition to the IoT, and it’s no wonder, as there are many benefits to such devices. The connection between our tools not only makes our personal lives easier and likely safer, but businesses have also already realized the benefits of improved efficiency and productivity. In healthcare, connected devices can track behavior, improve patient outcomes, and reduce healthcare costs. In agriculture, they can provide analytics, optimize resource consumption, and flag the need for maintenance before equipment breaks down, as well as obtain data from within animals. The “connected cow” is a very real thing: farmers are using chips embedded on various parts of their cows to increase productivity. A device connected to the tail, for example, can tell the farmer when the cow will be going into labor, just as one attached to the ankle can yield peak fertility data.
Are There Any Challenges?
Of course, with any new technology, there are challenges. Because advancements happen all the time, businesses are constantly racing to implement every new, relevant device without paying proper attention to the security of those devices as they are incorporated into the larger network. Such oversight is dangerous: according to Symantec, IoT attacks grew 600% between 2016 and 2017, largely due to default passwords and other unpatched vulnerabilities, and the onslaught held steady in 2018. Each new addition to the IoT means another connection to the Internet, and if these devices are not sufficiently protected and secured, they remain vulnerable to attack. Any susceptibility is cause for concern, but in some cases these gadgets are collecting and storing data on the device itself; imagine if any of that sensitive or critical information were stolen. In fact, we are seeing these kinds of data breaches almost daily.
Privacy is a closely related challenge. Protection of personal information has always been important to regulators, but individual consumers themselves are now demanding protection of their personal information, especially since some organizations are not even aware of the data that is being collected or stored on these connected devices. That kind of oversight leaves the door wide open for data breaches that could lead not only to reputation loss but also to huge fines from regulatory bodies over the stolen data.
What’s Next?
So what do we do about this? First things first, the devices used in your business should be assessed for security risks, and there are a few good places to begin. Various frameworks related to IoT security and privacy have been released by many different bodies, and organizations may also choose to combine the risk guidance of several. Of the many available, here are a few to consider.
The first framework that we’ll highlight is the IoT Security Compliance Framework released by the IoT Security Foundation that includes a set of best practices related to organization governance, security by design, encryption, network and application security, manufacturing, and implementation security. Version 2 of the Framework was released in December 2018 and incorporates updates to the requirements for a variety of applications, including business-to-business (B2B) applications.
The UK Code of Practice for Consumer IoT Security is another framework that should be considered when pursuing IoT security. In a different vein, the Code of Practice includes 13 guidelines that cover default passwords, vulnerability disclosure policy, software patching, secure storage, secure communication, minimizing exposure to attack, software integrity, personal data protection, resiliency, monitoring, deletion of personal data, device installation and maintenance, and data input validation.
Furthermore, NIST has also developed its “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.” Within that publication, NISTIR 8228, three high-level risk mitigation areas for addressing IoT cybersecurity and privacy risks are identified: device security, data security, and privacy of personal information. The risks outlined in these three areas are intended to help both organizations and manufacturers manage the risks of their relevant devices, and the publication not only outlines vulnerabilities but also provides recommendations for addressing them.
Not to be outdone, the Open Web Application Security Project (OWASP) also released its IoT Top 10 risks in 2018, and the risks it highlights apply particularly to building, deploying, and managing IoT systems. For reference, its unified listing of the top 10 risks includes:
- Weak, guessable, or hardcoded passwords
- Insecure network services
- Insecure ecosystem interfaces
- A lack of secure update mechanism
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer and storage
- A lack of device management
- Insecure default settings
- Lack of physical hardening
Finally, the Cloud Security Alliance features its own IoT Controls Framework, which focuses on several domains with controls intended to mitigate risks to confidentiality, integrity, and availability. As another interesting angle, the Framework also maps to the Alliance’s Cloud Controls Matrix (CCM) for cloud providers that have been assessed, or are considering assessment, against the CCM.
How Can Schellman Help?
Though the frameworks themselves are very helpful, sometimes an outside review can further bolster security, and our professionals have been assessing against security and privacy frameworks since 2002. A readiness assessment of any kind can help an organization determine where its control gaps are. Once those gaps have been remediated, Schellman can further provide a variety of attestation or non-attestation reports against the framework to validate the security of an organization’s IoT environment to clients, potential clients, or other interested parties.
If your organization is already undergoing a SOC 2 examination, a SOC 2+ examination can include IoT security controls from any predefined security framework or custom-developed framework, and the additional subject matter added to the SOC 2 examination can be mapped to the established set of SOC 2 controls. This combined report could meet several needs within an organization, providing strong reassurance that devices and data are secure.
If you or your organization are interested in pursuing any of the aforementioned assessments, please contact one of our professionals with any of your questions.