In the last few years there has been a surge of new (and old) solutions aimed at IoT security. Most IT and ITSec departments should already be familiar with how vendors position their tools as the silver bullet for IoT security; but, as usual, having the right tool is neither enough, nor should it even be the first step in tackling this problem. Since NISTIR Draft 8259, one of the related cybersecurity publications from the National Institute of Standards and Technology (NIST) in the United States, was updated two weeks ago, I wanted to revisit this subject from an information security perspective.
Of course, IoT security matters not only to enterprises; most of us encounter IoT “things” in our personal lives every day. I think everyone can answer the simple question below: which one is a computer (or rather, which one is not a computer…)?
Cybersecurity and privacy of IoT
So let’s think about risk for a moment. Risk is what we take on each day, every hour, any given second, as we live our lives. Most of these risks are taken unwillingly, and a large part of them are even unknown to us. When we talk about taking risks at a company level, we should first start by understanding the nature of the risks affecting us. In the IoT domain, we can simultaneously talk about cybersecurity risks and privacy risks, which are separate but usually intertwined matters.
According to NISTIR 8228, there are three main aspects that set IoT devices apart from traditional IT devices:
- Many IoT devices interact with the physical world in ways conventional IT devices usually do not. This means they pose an even greater threat to non-IT infrastructure, property or even people. It also shifts the priorities within the commonly known trio of cybersecurity objectives: confidentiality, integrity and availability. For most traditional IT devices the confidentiality aspect has received the most attention; however, an IoT device that controls a manufacturing process, for example, needs much more attention on integrity and availability, because if someone can tamper with its communications, that can cause a catastrophic incident inside a plant.
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. Issues range from the lack of built-in management features, the lack of proper interfaces, non-replaceable hardware parts, or the multitude of operating systems on these devices, to the lack of inventory capabilities or the difficulty of management at scale. These all pose a significant, yet not unsolvable, problem for any IT department facing a growing number of IoT devices.
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than for conventional IT devices. This can mean a lack of good built-in capabilities (such as security logging) or a lack of support for centralized management (which leaves a genuine market gap for third-party API gateway solutions to fill). Even more troubling is the fact that conventional IT security appliances (intrusion prevention, anti-malware, firewalls, etc.) cannot understand, or even see, some of the communications these devices make, which means radically novel approaches need to be considered.
I’ll leave this topic for today, as we now mostly understand the nature of the risks associated with IoT. I plan to return next week with possible mitigation methods and strategic suggestions for handling these risks.