IoT Devices — Why Risk Assessment is Critical to Cybersecurity

The IoT Threat Landscape

As technology continues to pervade modern-day society, security and trust have become significant concerns. This is particularly due to the plethora of cyber attacks that target organizations, governments and society. The traditional approach to address such challenges has been to conduct cybersecurity risk assessments that seek to identify critical assets, the threats they face, the likelihood of a successful attack and the harm that may be caused. Through this methodology, the identified risks are being prioritized to be able to select the appropriate strategies to effectively mitigate them. The Internet of Things (IoT) is set to benefit the quality and efficiency of products and services in smart grid, manufacturing, retail, critical infrastructure and more. According to Forbes, the market for industrial IoT (IIoT) alone is projected to hit $123 billion by 2021. The main challenge behind the explosion of IoT is the devices’ diversity in terms of scale, connectivity and heterogeneity. Not to mention the fact that IoT devices are assumed to be not secure. The main reason behind this is that manufacturers of connected devices, as well as the industries that use them, often engage these devices without proper cybersecurity awareness. Many organizations are not aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices do. These devices are computer systems with hardware components as well as operating systems and applications within their firmware that often feature communication interfaces to the outside world. The United States Government Accountability Office has provided an assessment of the status and security issues surrounding the IoT and has identified the following type of attacks as primary threats to IoT:

• Denial of Service
• Malware
• Passive Wiretapping
• Structured query language injection (SQLi controls a web application’s database server)
• Wardriving (search for Wi-Fi networks by a person in a moving vehicle)
• Zero-day exploits

Ransomware could also be added to the above list. (Recall that in 2017, WannaCry disrupted government entities and many organizational and company networks that had connectivity to IoT.) The advent of IIoT means vulnerabilities are becoming harder to detect and mitigate as systems go online. The sheer volume of IoT devices, coupled with the spectrum of capabilities they can provide, greatly increases potential vulnerabilities. Add to this the impact which multiple compromised devices can have on the Internet or a single device can have in the physical world, and it becomes easier to understand the growing challenge to cybersecurity practices. It’s time, therefore, for organizations to reconsider traditional risk management strategies and practices in the context of this expanding threat landscape.

The Case for IoT Devices Security Risk Assessment

Risk assessment is the process of identifying, estimating and prioritizing risks to the organizational assets and operations. This is a critical activity within risk management, as it provides the foundation for the identified risks to be mitigated. Risk assessment answers the questions “ What can go wrong?,” “What is the likelihood that it would go wrong?” and “What are the consequences?” IoT risk assessment is dictated by various regulations and directives. The EU Network and Information Security (NIS) Directive defines obligations by establishing minimum EU harmonized standards, and EU member states need to adopt national measures and implementation strategies. Article 14 NIS states operators of critical services need to put in place appropriate, proportionate, state-of-the-art technical and organizational measures to “address risks” posed to systems, and they need to take measures to ensure continuity of service and prevent and minimize impacts of incidents. In addition to the NIS Directive, GDPR also requires risk assessment procedures to be in place for those organizations that collect, process and store PII. Article 34 to the GDPR states that “the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.” NISTIR 8228 publication also dictates organizations to implement risk assessment processes to mitigate the risks IoT devices create. “Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas.” The risk mitigation goals set by NIST are to “prevent a device from being used to conduct attacks,” to “protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IoT device” and to “protect individuals’ privacy impacted by PII processing.” NISTIR 8288 identifies three main considerations that affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices.

• Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
• Many IoT devices cannot be accessed, managed or monitored in the same ways conventional IT devices can.
• The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.

The latter raises the question of whether existing risk assessment methodologies are adequate for addressing the risks of IoT devices. Researchers in the University of Oxford have argued that they may not be adequate for the complexity or the pervasiveness of IoT. The probability of a new system emerging between periodic assessments is very high. Therefore, a risk assessment would need to be able to predict and consider the potential systems that might emerge before the next periodic assessment. The rapid introduction of new IoT systems results in managing risks with limited system knowledge, increasing the possibility of high risks being either missed entirely or mistakenly qualified. Adoption of near-real-time threat intelligence can help refine these assessments. Finally, IoT devices can be used as the basis for launching attacks. The 2016 Dyn cyber attack, which involved compromised IoT devices is a perfect example of this, and therefore, organizations must include these types of risks in their assessment processes. To this end, Sicari et al. (2018) argue that in order to assess the vulnerabilities, the risk analysis methodology must be appropriate for the IoT infrastructure and should “take into account both the static and dynamic features of the devices.” What matters is not the absolute value of a metric, but “the structure of the metric” that “can assess the reliability of a heterogeneous IoT system putting into light the potentialities and weaknesses.” Further, Radanliev et al. (2018) conclude that established risk assessment methods “need to be adapted” to form new risk metrics which can identify, estimate and prioritize the IoT cyber risk and can establish an acceptable risk level “by calculating the risk metrics from new operating conditions.” The IoT ecosystem demands for large-scale deployments where devices must provide a high level of security in order to cover typical vulnerabilities increasing the acceptance IoT scenarios. A European Commission funded research by the University of Murcia proposes “a cybersecurity certification framework for IoT [that] can help to support the development and deployment of trusted IoT systems, empowering testers and consumers with the ability to assess security solutions for large-scale IoT deployments.” The development of this framework has to deal with several challenges, such as the heterogeneity of the devices and the absence of a dedicated IoT vulnerability database. “Towards this end, there is a real need to consider a systematic and automated methodology that enables scalable testing approaches for security aspects in IoT,” concludes the research paper.

Conclusion

Managing risk of any kind, and IoT risk, in particular, is never a one-and-done exercise. After first determining the risk category for new IoT devices or services, it is crucial to revisit this exercise on a regular basis. Changes to the IoT devices, the local area networks and the applications with which the devices interact create an ever-changing attack surface that requires constant monitoring to help maintain a strong forward-leaning security posture. Organizations should take a disciplined approach to risk categorization and mitigation across the entire IoT ecosystem. Tripwire can help you identify IoT risks by providing rigorous security assessments. Tripwire’s device testing approach includes identifying security risks and vulnerabilities that may exist in the physical construction of the device and its network interfaces. Our goal is to identify potential control exposures through security configuration analysis and vulnerability testing of the platform and the operating environment. Visit tripwire.com/solutions/industrial-control-systems/ to learn more about the full range of ICS security solutions from Tripwire.