Initial considerations for protecting devices highlight differences between IoT and traditional IT endpoints
The security of IoT devices and data is one of the hottest topics for enterprise businesses — and one that has been lacking definitive guidelines, awareness, and standards for some time. Recently the National Institute of Standards and Technology (NIST) released a document that begins to fill this noticeable gap by helping everyone understand how to analyze various risks and threats to better plan and manage IoT devices in the enterprise.
The NIST IoT security framework will provide more prescriptive, industry-specific guidance in the near future, but for now the organization’s “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” (NISTIR 8228) outlines a few particularly important topics that everyone who has deployed or is considering deploying IoT applications should consider. These are mainly centered on differences between IoT devices and your typical IT endpoints.
Below are three considerations from NIST when adopting IoT. One of the big differences in managing risk with IoT compared to IT systems is that IT typically focuses heavily on protecting confidentiality of data, while IoT use cases are more about availability and integrity because of their interactions with the physical environment.
Consideration #1: Device Interactions with the Physical World
Unlike conventional IT devices, many IoT devices sense and interact with the physical environment through various sensors and actuators. Effective controls need to be considered for protecting the data that sensors gather, because tampering with that data could affect physical systems and safety.
Consideration #2: Device Access, Management, and Monitoring Features
Many IoT devices cannot be accessed, managed, or monitored like conventional IT devices. Depending on the use case and vendor, there are numerous OS, management, and API-level interfaces and capabilities to manage. As your organization grows, the sheer number of IoT use cases and related systems can prove challenging. Additionally, many of these IoT solutions may not be patchable and can enable remote access and/or local access, which creates additional risk for an enterprise.
Consideration #3: Cybersecurity and Privacy Capability, Availability, Efficiency, and Effectiveness
The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities for IoT devices often differ from conventional IT devices. Many IoT solutions and use cases are very price sensitive in order for them to make business sense to deploy. As a result, IoT devices typically do not have security features or secure development models integrated into their solutions. Existing network-based security solutions may not be sufficient, because IoT devices use proprietary or otherwise non-standard protocols and can communicate directly over RF links such as BLE, WiFi, LoRa, ZigBee, Z-Wave, LTE, and more.
The NIST IoT security framework recommends layering the following three risk mitigation goals into your security operations. Each one builds upon the previous goal:
Goal #1: Protect Device Security
Ensure the device cannot be compromised and used to conduct attacks, gather information from the network, or serve as a pivot into other systems.
Goal #2: Protect Data Security
Protect IoT data at rest and in transit against unauthorized disclosure, loss of availability, and loss of integrity.
Goal #3: Protect Individuals’ Privacy
For an enterprise IoT use case, ensure the data gathered in systems and applications is adequately protected against direct and indirect personal privacy risks.
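As an added example (not code from the NIST report or the original article), the following Python triage maps a constructed device inventory onto the three considerations and three goals above, so that the devices most exposed under this model rise to the top of a remediation queue. The goal weights and the set of non-IP RF protocols are assumptions of this example.

```python
from dataclasses import dataclass

# Labels for the NISTIR 8228 considerations and goals described above.
C1, C2, C3 = "Consideration #1", "Consideration #2", "Consideration #3"
G1, G2, G3 = "Goal #1 device security", "Goal #2 data security", "Goal #3 privacy"
# Assumption: non-IP RF links from Consideration #3 that IP-based network security
# tools cannot inspect; Wi-Fi and LTE usually terminate on monitored infrastructure.
NON_IP_RF = {"ble", "lora", "zigbee", "z-wave"}
# Assumption: goal weights ordered as the page orders the goals (device first).
GOAL_WEIGHT = {G1: 3, G2: 2, G3: 1}

@dataclass
class IoTDevice:
    name: str
    actuates: bool           # can change physical state (lock, valve, motor)
    patchable: bool
    remote_access: bool
    protocols: set
    personal_data: bool      # gathers data about identifiable individuals
    encrypted_transit: bool

def triage(dev: IoTDevice) -> dict:
    """Map device attributes to (consideration, goal, note) findings and a score."""
    f = []
    if dev.actuates:
        f.append((C1, G1, "actuator: compromise can affect physical safety"))
    if not dev.patchable:
        f.append((C2, G1, "unpatchable: needs segmentation, monitoring, retirement date"))
    if dev.remote_access:
        f.append((C2, G1, "remote access: confine to management network, enforce auth"))
    rf = sorted(dev.protocols & NON_IP_RF)
    if rf:
        f.append((C3, G1, f"non-IP RF {rf}: network controls blind; control at gateway"))
    if not dev.encrypted_transit:
        f.append((C3, G2, "cleartext transit: integrity and confidentiality unprotected"))
    if dev.personal_data:
        f.append((C3, G3, "personal data: minimise, limit retention, restrict access"))
    return {"findings": f, "score": sum(GOAL_WEIGHT[g] for _, g, _ in f)}

def prioritize(devices) -> list:
    """Device names, highest-risk first, for the remediation queue."""
    return [d.name for d in sorted(devices, key=lambda d: triage(d)["score"], reverse=True)]

# Constructed sample inventory (not real devices).
INVENTORY = [
    IoTDevice("smart-lock", True, False, True, {"ble", "wifi"}, True, False),
    IoTDevice("temp-sensor", False, True, False, {"wifi"}, False, True),
    IoTDevice("asset-tracker", False, True, True, {"lte"}, True, True),
]
```

Running `prioritize(INVENTORY)` returns the lock first because every one of its findings lands on Goal #1, which is exactly the kind of device where availability and integrity, not confidentiality, dominate the risk.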
More to Come from NIST and Other Entities
This initial step by NIST is only the beginning. IoT security will remain one of the most important enterprise security issues for many years to come, as evidenced by the amount of activity surrounding it. From U.S. and overseas lawmakers to cellular operators and many other companies and groups, expect a steady onslaught of opinions and guidelines.
NIST itself will build upon this foundational report by developing — the deadline is March 31, 2020 — recommendations on “the appropriate use and management” of IoT devices “owned or controlled by the Federal Government.”
Fortunately, industry consortia, governments, and standards bodies are aggressively trying to mature the state of IoT security for everyone. Here are a few to note:
- In November 2018, the International Organization for Standardization (ISO) released a reference framework for the Internet of Things (IoT): ISO/IEC 30141.
- In October 2018, the UK government published the “Code of Practice for Consumer IoT Security,” developed by the Department for Digital, Culture, Media and Sport (DCMS) in conjunction with the National Cyber Security Centre (NCSC).
- In February 2019, ETSI’s Technical Committee on Cybersecurity (TC CYBER) released a cybersecurity standard for consumer IoT devices that also serves as a basis for IoT certification schemes: ETSI TS 103 645.
- In October 2018, CTIA published an “IoT Cybersecurity Certification” program for cellular-connected IoT devices.
- In September 2018, the State of California passed a bill setting minimum security capabilities for connected devices: SB-327, Information privacy: connected devices.
- The GSMA (a global mobile operator consortium) has published the IoT Guidelines and Assessment to help promote best practices for IoT solutions.
In terms of accountability to security standards, the IoT landscape has a long way to go. However, a path has been forged.