The IoT Threat Landscape

As technology continues to pervade modern-day society, security and trust have become significant concerns, largely because of the plethora of cyber attacks that target organizations, governments and society. The traditional approach to these challenges has been to conduct cybersecurity risk assessments that identify critical assets, the threats they face, the likelihood of a successful attack and the harm that may be caused. The identified risks are then prioritized so that appropriate strategies can be selected to mitigate them effectively. The Internet of Things (IoT) is set to improve the quality and efficiency of products and services in smart grid, manufacturing, retail, critical infrastructure and more. According to Forbes, the market for industrial IoT (IIoT) alone is projected to hit $123 billion by 2021. The main challenge behind the explosion of IoT is the devices’ diversity in scale, connectivity and heterogeneity, compounded by the fact that IoT devices are assumed to be insecure. The main reason for this is that manufacturers of connected devices, as well as the industries that use them, often deploy these devices without proper cybersecurity awareness. Many organizations are not aware of the large number of IoT devices they are already using, or of how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices do. These devices are computer systems with hardware components as well as operating systems and applications within their firmware, and they often feature communication interfaces to the outside world. The United States Government Accountability Office (GAO) has assessed the status and security issues surrounding the IoT and has identified the following types of attack as primary threats to IoT:
- Denial of Service
- Passive Wiretapping
- Structured query language injection (SQLi, which gives an attacker control of a web application’s database server)
- Wardriving (searching for Wi-Fi networks from a moving vehicle)
- Zero-day exploits
The Case for IoT Device Security Risk Assessment

Risk assessment is the process of identifying, estimating and prioritizing risks to organizational assets and operations. It is a critical activity within risk management, as it provides the foundation for mitigating the identified risks. Risk assessment answers the questions “What can go wrong?”, “What is the likelihood that it would go wrong?” and “What are the consequences?” IoT risk assessment is dictated by various regulations and directives. The EU Network and Information Security (NIS) Directive defines obligations by establishing minimum EU-harmonized standards, which EU member states must adopt through national measures and implementation strategies. Article 14 of the NIS Directive states that operators of critical services need to put in place appropriate, proportionate, state-of-the-art technical and organizational measures to “address risks” posed to their systems, and that they need to take measures to ensure continuity of service and to prevent and minimize the impact of incidents. In addition to the NIS Directive, the GDPR also requires risk assessment procedures to be in place for organizations that collect, process and store PII. Article 34 of the GDPR states that “the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.” NISTIR 8228 also directs organizations to implement risk assessment processes to mitigate the risks IoT devices create.
“Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas.” The risk mitigation goals set by NIST are to “prevent a device from being used to conduct attacks,” to “protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IoT device” and to “protect individuals’ privacy impacted by PII processing.” NISTIR 8228 identifies three main considerations that affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices:
- Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
- Many IoT devices cannot be accessed, managed or monitored in the same ways conventional IT devices can.
- The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
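As an added example (not from the original article), the risk-prioritization step described above carried through on a small IoT inventory: each risk is tagged with one of the GAO threat categories, scored on likelihood and impact, adjusted for the first two NISTIR 8228 considerations, and mapped to the NIST mitigation goal it endangers. The 1-to-5 scales, the +1 adjustments, the threat-to-goal mapping and the device inventory are all assumptions constructed here.

```python
from dataclasses import dataclass
# NISTIR 8228 risk mitigation goals quoted in the text, keyed by what a threat endangers.
NIST_GOALS = {
    "device_misuse": "prevent a device from being used to conduct attacks",
    "data": "protect the confidentiality, integrity and/or availability of data",
    "privacy": "protect individuals' privacy impacted by PII processing",
}
# Primary NIST goal each GAO threat category endangers (editorial assumption, not from GAO).
THREAT_GOAL = {
    "Denial of Service": "data",
    "Passive Wiretapping": "privacy",
    "SQL injection": "data",
    "Wardriving": "privacy",
    "Zero-day exploits": "device_misuse",
}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    physical: bool = False   # device acts on the physical world (NIST consideration 1)
    unmanaged: bool = False  # cannot be patched or monitored like IT (NIST consideration 2)

    def score(self) -> int:
        """Likelihood x impact, adjusted for the two IoT-specific considerations."""
        if self.threat not in THREAT_GOAL:
            raise ValueError(f"unknown threat category: {self.threat}")
        likelihood = min(5, self.likelihood + (1 if self.unmanaged else 0))
        impact = min(5, self.impact + (1 if self.physical else 0))
        return likelihood * impact

    @property
    def goal(self) -> str:
        return NIST_GOALS[THREAT_GOAL[self.threat]]

def prioritize(register):
    """Rank risks by adjusted score, highest first; ties broken by asset name."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))

# Constructed inventory for illustration, not real devices or measured scores.
REGISTER = [
    Risk("PLC valve controller", "Zero-day exploits", 2, 4, physical=True, unmanaged=True),
    Risk("Badge reader", "Passive Wiretapping", 3, 3),
    Risk("Fleet tracker API", "SQL injection", 3, 4),
    Risk("Warehouse Wi-Fi sensors", "Wardriving", 4, 2, unmanaged=True),
]
```

Running `prioritize(REGISTER)` ranks the unmanaged, physically actuating PLC first even though its raw likelihood is the lowest, which is the effect the NIST considerations are meant to capture.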