We recently broke the news that half of IoT breaches in corporations are invisible.
Perhaps nothing can or should be more scary to corporate boards and management.
“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” said Jason Hart, CTO, Data Protection, Gemalto. “With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
There are numerous companies handling the challenge. A GlobalSign IoT security expert spoke at this past IoT Evolution Expo in Florida on securing smart meters via the Wi-SUN Alliance’s Field Area Network.
IoT Evolution also evaluated and gave out awards in the IoT security space late last year.
Dr. Mike Lloyd, CTO of RedSeal, recently wrote:
The Internet of Things (IoT), made up of special-purpose devices designed to do a particular job well, presents a significant problem for security professionals. Several of their traditional approaches to security won’t work. Fortunately, it’s not all doom and gloom. We can use a three-step strategy for dealing with security and IoT.
He goes on to describe the need to find and understand the threats in context, and then to address them.
There are a great many companies in the IoT cybersecurity space because there are nearly infinite ways to configure solutions: disparate networks (LoRaWAN, NB-IoT, Wi-Fi, Bluetooth, etc.) and many different sensors and modules that may or may not be designed to work together securely.
The situation is complex, and in many ways far more challenging than securing data center and office computers.
This is in part because the constraints on IoT devices are far greater than on PCs and even phones. On those platforms developers don’t worry much about code bloat or about adding layers of heavy security, since there are few resource constraints.
IoT devices need to be lightweight, transmit the bare minimum number of packets, and have great battery performance.
You can’t exactly run full-time anomaly detection in such environments, right?
One last challenge is nation-state revenge hacking. We recently predicted and reported that Iran would attack the U.S., and one way it did was by bricking IoT devices whose default passwords had not been changed.
For these and many other reasons, the government has stepped in to assist.
Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTIR 8228) is the first in a planned series of documents NIST is developing to help IoT users protect themselves, their data and their networks from potential compromise. Developed by the NIST Cybersecurity for IoT Program over more than two years of workshop discussions and interaction with the public, NISTIR 8228 is primarily aimed at federal agencies and other big organizations that are incorporating IoT devices into their workplace — organizations that may already be thinking about cybersecurity on a large-scale, enterprise level.
“The report is mainly for any organization that is thinking about security on the level of the NIST Cybersecurity Framework,” said Mike Fagan, a NIST computer scientist and one of the authors of the report. “It’s targeted at the mode of thinking that an organization would have — more resources, more people, more ability, but also more risk of attack because of all those things. It’s bad when a single house is attacked, but if a million bank account passwords are stolen, that has a much larger impact.”
Larger organizations may already be using the Cybersecurity Framework and NIST SP 800-53 Rev. 5, two NIST resources that offer guidance for mitigating risk to information systems and the activities that involve them. NISTIR 8228 takes the security and privacy focus from these other documents and considers it in the context of IoT products, from thermostats to voice-operated devices, which may not have traditional interfaces such as a keyboard.
“An IoT device might even have no interface at all, or have no way to install security software,” Fagan said. “But it still might connect to your network and be visible electronically to an enemy looking for a potential way in. It’s this kind of incongruency with expectations that we want to help an organization think through before they bring IoT devices onto their network.”
The report is a companion document to the Cybersecurity Framework and SP 800-53 Rev. 5. However, NISTIR 8228 offers only advice; none of its contents are requirements under the Federal Information Security Management Act (FISMA). After distinguishing IoT devices from conventional computers and outlining the type of risks they carry, the authors suggest three high-level risk mitigation goals:
- Protect device security, i.e., prevent an IoT device from being used to conduct attacks;
- Protect security of data, including personally identifiable information; and
- Protect individuals’ privacy.
“IoT is still an emerging field,” Fagan said. “Some challenges may vanish as the technology becomes more powerful. For now, our goal is awareness.”
Specifics are around the corner, though. In the near future, NIST plans to release a core baseline document that aims to identify fundamental cybersecurity capabilities that IoT devices can include. The document will have all IoT devices in mind, including those for individual users and home networks.