By Chuck Brooks
Loosely defined, the Internet of Things (IoT) refers to the general idea of things that are readable, recognizable, locatable, addressable, and/or controllable via the Internet. It encompasses devices, sensors, people, data, and machines. The cybersecurity challenges that threaten anything and everyone connected are as broad as the definition of IoT itself. A well-thought-out risk-management security posture for the evolving cybersecurity threats to IoT is imperative.
According to a study conducted in April of 2017 by Altman Vilandrie & Company, nearly half of U.S. firms using the Internet of Things experienced cybersecurity breaches. The study surmised that the cost of the breaches represented 13.4% of the total revenues for companies with revenues under $5 million annually and tens of millions of dollars for the largest firms. Nearly half of firms with annual revenues above $2 billion estimated the potential cost of one IoT breach at more than $20 million.
An EY (Ernst & Young) study, Cybersecurity and the Internet of Things, estimates that the number of connected devices globally will exceed 50 billion by 2020. The prediction is that 50 billion devices (including our smartphones, appliances, and office equipment) will be wirelessly connected via a network of sensors to the internet by 2020. Cisco also estimates that IoT will be valued at $4.6 trillion for the public sector in the next 10 years. That is a lot of devices and sensor surface for anyone to protect and regulate. Making matters more complicated is the mix of devices and manufacturers that make up the IoT and the “Internet of Everything”.
Knowing and identifying the myriad threats to IoT is a good first step. Last month, the United States Government Accountability Office (GAO) issued an assessment of the status and security issues surrounding the Internet of Things. The GAO identified the following types of attacks as primary threats to IoT:
- Denial of service
- Distributed denial of service
- Passive wiretapping
- Structured query language injection (SQLi controls a web application’s database server)
- Wardriving (search for Wi-Fi wireless networks by a person in a moving vehicle)
- Zero-day exploits (software tool that attacks a flaw in a computer system with no opportunity for detection).
I would also add ransomware (in conjunction with malware) to the GAO list. A ransomware variant called “WannaCry” spread swiftly in May, reaching over 100 countries. WannaCry disrupted government networks and many organizational and company networks that have connectivity to IoT. Also, social engineering and common phishing can gain access to devices and then networks, so almost every form of cybersecurity attack method applies to the IoT.
The GAO assessment highlights the vulnerabilities and implications of having so many IoT devices and networks digitally interconnected. There is a reason GAO placed denial of service at the top of its list of threats. In October of 2016, hackers attacked domain name service (DNS) provider Dyn, causing disruption to major components of the Internet’s infrastructure and temporarily bringing down hundreds of websites. The breach was the result of a distributed denial-of-service (DDoS) attack that sent millions of bytes of traffic to a single server to cause the system to shut down. The Dyn attack leveraged IoT devices, and some of the attacks were launched by common hardware like digital routers, webcams and video recorders infected with malware. The DDoS cyber-attack is an example of using a broad spectrum for a high-profile and potentially deadly result.
It is abundantly clear that the Internet of Things is evolving at such a rapid pace that cybersecurity planning, and perhaps the establishment of security protocols, has become urgent and paramount. There is hope, because security solutions and methods are available for the defined set of threats and risks.
Risk Management Framework
A pragmatic IoT strategy considers cyber threat consequences for connected devices and for wireless and wired networks. The strategy requires stepping up the assessment of situational awareness, policies and training, technology integration, information sharing, mitigation capabilities, and cyber resilience. The end goal is to optimize solutions and services and determine what level of security is required for implementation.
There are many good cybersecurity risk management frameworks to choose from. Selecting a suitable framework that fits personalized requirements is an integral part of the security process itself. Microsoft’s IoT Security Evaluation Framework summary provides a succinct evaluation approach to risk management that is an applicable model for situational awareness. Its steps include (not verbatim): 1) Consider threats; 2) Review the consequences of your identified threats and determine priorities; 3) Select evaluation strategies; and 4) Choose a security evaluator and the required evaluation services. (www.InternetofYourThings.com)
A cybersecurity risk management framework adapted to meet growing IoT challenges needs to be comprehensive and tested. More specifically, the framework should be defined by the most basic elements and best practices in managed risk: layered vigilance (intelligence, surveillance); readiness (operational capabilities, visual command center, interdiction technologies); and resilience (coordinated response, mitigation and recovery).
A system of standards does make creating a framework for risk management easier. The creation of standards to protect IoT devices has been a topic of discussion among industry and organizations. It is a difficult quest because manufacturers do not share many design elements and metrics, so standards are not easy to establish. Professional associations are attempting to set standards for functional IoT compatibility. For example, the IEEE Standards Association is working on creating a cross-domain architectural framework, called the P2413 Standard for an Architectural Framework for the Internet of Things. Another significant IoT standards initiative is being proposed by the Industrial Internet Consortium (IIC) for critical infrastructure. It is good that groups with excellent technical expertise are evaluating the issues and problems associated with IoT security. While standards may or may not be adopted, lessons learned from the discussion can contribute to a more efficient IoT security posture.
IoT Readiness: Potential Solutions and Services
Based upon a risk management architecture, there are a variety of solutions, services, and protocols for a business or organization to evaluate and consider, as no one size fits all. Below is a basic list for the C-Suite, CISOs, CTOs and CIOs to evaluate and consider (not in order of priority) in regard to their IoT security challenges:
- Do a vulnerability assessment of all devices connected to your network
- Monitor and share threat intelligence
- Implement awareness training for employees
- Create an IoT/Cybersecurity incident response plan
- Compartmentalize IoT devices if possible to minimize attack surfaces
- Add security software, containers, and devices to “digitally fence” network and devices
- Update and patch vulnerabilities to both networks and devices
- Do not integrate devices into your network with default passwords and other known vulnerabilities
- Establish privileged access for device controls and applications
- Use authentication and perhaps biometrics for access control
- Use machine authentication when connecting to a network
- Encrypt, especially data in transit
- Use firewalls
- Use multi-layered cybersecurity protections
- Consider Managed Security and outside subject matter experts
- Consider Cloud security as a service
- Integrate emerging technologies for protections including artificial intelligence and cognitive computing
- Continually audit and use real time analytics (including predictive analytics)
- Be Vigilant
A risk management approach is fundamental to anything involving security, whether it be physical or digital. The IoT combines both those elements. There are no failsafe solutions, and the task of securing IoT is monumentally difficult, especially as connectivity grows. Also, some of the threat actors are becoming more sophisticated as vulnerabilities and kits are shared on the Dark Web. These threat actors include not only hacktivists, but also criminal enterprises and nation states. But for the most part, these threat actors will go where there is the least resistance. Being IoT security ready should be a priority pursuit for everyone connected.
About Chuck Brooks
Chuck Brooks is Vice President of Government Relations & Marketing for Sutherland Government Solutions. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 500 million members.