2021-10-19 16:44:39

IoT Security Primer: Challenges and Emerging Practices

Organizations use the Internet of Things (IoT) to create value, reduce costs, or streamline operations. While IoT devices create business opportunities, they also create information risks. 


Key Findings

· Almost 20% of organizations have already detected an IoT-based attack.

· Almost all organizations are exposed to IoT risk—even those that attempt to block IoT.

· Information Security’s largest IoT challenge is poor visibility and understanding of IoT devices and how the organization uses them.

· Information Security functions have ambitious plans to adopt IoT-centric controls, processes, and governance over the next 12 to 18 months.


Recommendations

Leading CISOs take the following steps to define and build IoT risk management capabilities:

· Understand how the organization and its employees currently use and plan to use IoT to achieve business opportunities.

· Define and categorize the types of IoT risks the organization faces. These risks include external, buy-side, and sell-side IoT risks.

· Clarify Information Security’s role in IoT risk management and work with other risk management functions (e.g., Legal, Privacy, Procurement) to define cross-functional roles and responsibilities.

· Recognize the IoT security challenges Information Security faces and develop a plan that addresses these challenges. The top IoT security challenges include poor visibility and understanding, lack of standardization, and poor vendor support and security practices.

· Develop a portfolio of IoT controls and mitigation strategies based on the advice and benchmarked plans of leading peers.


Introduction

The Internet of Things (IoT) is now an Information Security priority. IoT adoption continues to grow exponentially, senior executives view IoT as an opportunity for digital transformation, and many organizations already detect IoT-based attacks.

The Internet of Things (IoT) is not a new concept, but until recently it was not a major concern for most Information Security leaders. Historically, IoT adoption was low, especially for critical enterprise applications. Furthermore, IoT devices were not viewed as attractive targets for adversaries; data breaches and DDoS attacks typically targeted traditional servers rather than new types of connected devices.

Internet of Things (IoT): The phenomenon of pervasive computing; the growing trend of embedding computational capability, data-collecting sensors, and internet connectivity into everyday objects.

This is changing. Over 80% of organizations currently use IoT to solve business use cases, and almost 20% of organizations have already detected an IoT-based attack in the past three years.

Looking ahead, IoT risk is poised to multiply at most organizations. The number of global IoT connections continues to grow exponentially and will reach 25 billion by 2025. Yet less than one-third of Information Security professionals are confident in their function’s ability to reliably assess or mitigate IoT risk.


Three Categories of IoT Risk

Conversations with leading CISOs reveal three broad categories of IoT risk: external, buy-side, and sell-side. Organizations must understand these categories before defining Information Security’s roles in IoT risk management:

1. External IoT risk (affects all organizations)—IoT devices external to the organization can be exploited to launch attacks against the organization. Examples include DDoS attacks, man-in-the-middle exploits, and third-party breaches. These risks face all organizations and cannot always be directly managed because the exploited devices lie outside the organization’s purview. Instead, organizations must develop compensating controls where possible to identify and manage external IoT risks.

2. Buy-side IoT risk (affects almost all organizations)—Most organizations buy and use IoT devices in some capacity—even if Information Security is unaware of these purchases. In particular, CISOs commonly cite three ways Information Security misses IoT purchases:

· Procurement may not be aware that certain purchases carry information risks and thus fails to involve Information Security. This issue is particularly common where traditionally unconnected products (e.g., machinery, appliances, vehicles) are now connected in ways Procurement does not realize or understand.

· IoT devices are often acquired via business-led purchases outside IT, Procurement, or Information Security’s purview altogether.

· Employees at almost all organizations bring their own personal IoT devices into the workplace, regardless of IoT policies, security controls, or formal procurement procedures.

These realities mean almost all organizations are exposed to—and must manage—IoT risks, even those that attempt to block or sharply curtail IoT purchases.

3. Sell-side IoT risk (affects some organizations)—Organizations that develop and/or sell IoT devices or services are exposed to the risk that these devices will be exploited to harm customers or the organization itself. This includes customer data theft, service disruptions, privacy issues, and even life safety implications. Organizations exposed to sell-side IoT risk must devise ways to build sufficient security into their IoT products and services.


Factors That Influence Information Security’s Role in IoT Risk Management

We found there is no one-size-fits-all approach to defining Information Security’s role in IoT risk management. Rather, every Information Security function should take an approach that works best for the broader organization.

CISOs often consider the following factors when defining the function’s role in IoT risk management:

· Type(s) of IoT Risk Exposure—The types of IoT risk exposure (i.e., external, buy-side, and sell-side) applicable to the organization affect Information Security’s role in IoT risk management. In particular, organizations not exposed to sell-side IoT risk may not have or need product security capabilities.

· Information Security’s Mandate—Information Security’s mandate, organizational structure, and reporting lines, as well as those of other risk management functions in the organization, influence Information Security’s role in IoT risk management. For example, an Information Security function that reports outside IT may write IoT policies, define IoT controls, and oversee IT’s implementation of and adherence to IoT policies and controls, whereas an Information Security function that reports within IT may own more day-to-day IoT security operations.

· Industry—An organization’s industry plays a significant role in determining Information Security’s role in IoT risk management. Some industries (e.g., utilities, manufacturing) make heavier use of Internet-connected operational technology (OT), and IoT risk management practices and norms may vary by industry. Industry groups (e.g., ISACs) and peer networks are good resources for understanding, sharing, and even establishing IoT risk management practices.


Conclusion

IoT-based attacks are already a reality, yet most Information Security functions are just starting to think about how to manage IoT risk. Leading CISOs and their teams must work more broadly across the organization to understand IoT use cases, categorize IoT risks and educate stakeholders about them, and adopt emerging IoT security practices. Over time, Information Security functions will need to advance their IoT risk management practices as IoT security standards emerge, best practices develop, and the vendor landscape matures.
