How to Categorize Risk in IoT


Defining use cases for IoT deployments lays the foundation for an end-to-end cybersecurity strategy that cuts across a broad and ever-changing threat landscape.

Overview

The purpose of this paper is to help readers understand the various attributes of Internet of Things (IoT) devices and the use cases that are important to consider in any enterprise risk-categorization exercise. It is not intended to be prescriptive but, rather, instructive for those seeking a better understanding of the IoT and its associated risks.

Introduction

In nearly every industry, the IoT is poised to radically change the way companies produce, and people consume, products and services. Like the Internet and the PC before it, the IoT promises to greatly improve the way we work and play. IoT devices, combined with global broadband communications networks and big data analytics, promise to reduce resource utilization and improve supply chain efficiency while simultaneously improving the quality of the goods sold and services provided. Already, the IoT is beginning to upend the business and operating models of mature industries like manufacturing and agriculture. Given the breadth of potential applications (many as yet unknown) and device types, from simple sensors that passively monitor an environment to complex networked systems such as autonomous cars traversing the world's highways, the IoT is poised to bring new order and predictability to an often-chaotic world.

However, as the IoT enables new ways to bridge the digital and physical worlds, the cybersecurity risk landscape is also expanding. Cyber risk is no longer confined to enterprise data or systems, where organizations have traditionally focused their cybersecurity investments; hackers are also targeting devices outside traditional perimeters. The sheer volume of IoT devices, coupled with the spectrum of capabilities they can provide, greatly increases the number of potential vulnerabilities. Add to this the impact that multiple compromised devices can have on the Internet, or that a single device can have in the physical world, and it becomes easier to understand the growing challenge to cybersecurity practices. It's time, therefore, for organizations to reconsider traditional risk management strategies and practices in the context of this expanding threat landscape.

Categorizing Risk

Determining the appropriate level of security controls for a given product or service is largely dependent on its associated risk categorization. For obvious reasons, a risk with a potential loss-of-life impact requires a greater level of security than the risk posed by a compromised asset-tracking tag on a pallet of toothpaste. However, rather than focus solely on outcomes, which are unpredictable, it's better to consider specific use cases for IoT devices and services.

Using risk categories to drive security-level discussions and decisions helps to eliminate security control inconsistencies. It also provides a means to develop templates and tools that organizations can use to make the application of IoT security controls, policies, and procedures repeatable. Risk categories can also reduce the guesswork involved when creating security models for an increasingly diverse and interconnected landscape of products and services.

An important first step in categorizing IoT risk is to define it. In broad terms, IoT risk is determined by the potential impacts of a compromised device, be they operational, regulatory, physical (safety and security), or material. IoT risk varies greatly by deployment and differs somewhat from traditional IT risk, which generally has focused on the prevention of network intrusion and data exfiltration from beyond the corporate firewall.

The IoT also differs from traditional IT in large part because of its connectivity model. Many corporate IT infrastructures are designed as quasi-private networks with minimal touchpoints to the outside world, specifically the Internet. Security in these networks is generally enforced at the network edges, and on internal network end points such as PCs and connected printers, by monitoring for and blocking inbound attacks. Well-established best practices and technologies are readily available to help organizations counter these threats.

The IoT environment, on the other hand, utilizes diverse connectivity models and non-traditional devices, often running stripped-down versions of open source or proprietary operating systems and applications that may not support established cybersecurity safeguards around confidentiality, integrity, and availability. These safeguards include technologies such as data encryption, authentication and access controls, and automated software patching or updates. While these IoT devices offer flexibility and interoperability, they also expand an organization's attack surface. In addition, the sheer number of IoT devices already in place or being deployed (Gartner predicts that more than 20 billion connected devices will be in operation by 2020 [1]) presents a target-rich environment.

Real-World Consequences

Given these considerations, categorizing IoT risk in the context of broader IT, operational technology (OT) such as industrial control systems, or business risk requires an understanding of the real-world consequences of a compromised IoT device. Some applications of IoT, for example, will be in environments where a single incident may be catastrophic. The use case of the device or the service it provides drives risk categorization and, therefore, the associated security controls to manage that risk.

Factors such as where the IoT devices are physically deployed and what the product or service does are typical risk categorization considerations. Other variables include whether the business itself will be impacted if an IoT device or the service associated with it is impaired or compromised, or, lastly, what other parties such as customers could be impacted.

For instance, if intruders compromise a smart thermostat so that it provides inaccurate temperature readings, the service becomes functionally impaired. If the thermostat is in an office full of paper-based supplies, then the associated risk of material loss is low. But if the thermostat controls coolers at a meat storage facility, then the risk of product loss caused by rising temperatures becomes substantial. Taking this example a step further, consider the downstream impact on consumers who purchase and consume improperly stored meat. A resulting outbreak of salmonella poisoning could create a public health crisis, potentially leading to lawsuits, regulatory actions, and reputational damage, putting the business itself at risk.

By exploring these examples, one can begin to see the integrated nature of IoT risk for all manner of organizations, extending well beyond the potential data loss normally associated with IT operations.

Questions to Ask

To begin understanding how to categorize IoT risk, consider these questions:

Device characteristics:
- Is it active or passive? (See the sidebar "Passive vs. Active Devices".)
- Is it physically secured or easily accessible?
- How does it communicate?
- How is it powered: by battery or hardwired?
- Is it upgradable? Patchable?
- What is the shelf life of the device?
- Can the device be authenticated by the network?
- Can access to the device be authenticated?

Intended usage:
- What is the purpose of the device?
- What data does it collect, transmit, or analyze?
- Is any of the data it collects personally identifiable information (PII)?
- How does it interact with other devices or systems?
- Can it manipulate something in the real world?
- Can it be manipulated remotely?

Potential unintended usage if compromised:
- What could happen if a device's data were intercepted, or if the device was re-programmed to send inaccurate data?
- Is there potential for loss of life? Property damage?
- Would business operations be impacted if an IoT-based device or service were impaired? If so, for how long? How would we recover operations?
- What other parties, including employees, customers, or business partners, might be affected if a device is functionally impaired?
- Could the device become part of a botnet?

Sidebar: Passive vs. Active Devices

A key characteristic to consider when establishing an IoT risk category is whether a device is active or passive. Active devices collect data and then, generally, do something with it. For example, they can cause a traffic light to change or perform on-board processing before sending data to the cloud for further analysis. They are often connected to a network of other devices, either locally or across the Internet. Passive devices, on the other hand, don't do much except collect data and send it somewhere. These devices may be networked or require someone to download data locally.

Two Use Cases: Simple and Complex

To demonstrate how an IoT risk assessment might take shape, we offer two sample use cases: a simple device in the form of an asset-tracking collar often found on livestock, and a complex device in the form of a smart electric meter. Each use case is representative of the process an organization may undertake to categorize risk across its IoT devices. It is important to remember, however, that even a simple device can have significant impact on an organization, depending on its usage. This is why risk categorization should focus less on technology and more on the use cases and the outcomes should the technology be compromised in any way.
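As an added example that is not part of the paper, the following script turns the three question groups above (device characteristics, intended usage, unintended usage if compromised) into a repeatable categorization and applies it to the paper's own examples: the livestock tag, the thermostat in an office versus in a meat storage facility, and the smart electric meter. The category names, the scoring rules and every attribute value assigned to the sample devices are assumptions made for illustration, not figures from the paper.

```python
"""Added example: use-case-driven IoT risk categorization built from the
paper's question groups. Scoring rules and attribute values are assumptions."""
from dataclasses import dataclass, replace
from enum import IntEnum

class Impact(IntEnum):
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CATASTROPHIC = 4

@dataclass(frozen=True)
class UseCase:
    name: str
    active: bool                      # device characteristics
    physically_secured: bool
    patchable: bool
    network_authenticated: bool
    collects_pii: bool                # intended usage
    manipulates_physical_world: bool
    remotely_controllable: bool
    operational: Impact               # worst credible outcome if compromised
    regulatory: Impact
    physical_safety: Impact
    material: Impact
    affects_other_parties: bool       # customers, partners, the public

CATEGORIES = ("low", "moderate", "high", "critical")

def impact_level(uc: UseCase) -> Impact:
    """Worst case across the four impact types; a ripple effect on other
    parties escalates it one level (the meat-storage thermostat pattern)."""
    worst = max(uc.operational, uc.regulatory, uc.physical_safety, uc.material)
    if uc.affects_other_parties and worst < Impact.CATASTROPHIC:
        worst = Impact(worst + 1)
    return worst

def exposure_points(uc: UseCase) -> int:
    """Count the characteristics that make a compromise easier or more
    useful to an attacker (0..7)."""
    return sum([uc.active, not uc.physically_secured, not uc.patchable,
                not uc.network_authenticated, uc.collects_pii,
                uc.manipulates_physical_world, uc.remotely_controllable])

def categorize(uc: UseCase) -> str:
    """Impact sets the base category; a highly exposed device moves up one."""
    idx = max(int(impact_level(uc)) - 1, 0)   # NONE/LOW -> 0 ... CATASTROPHIC -> 3
    if exposure_points(uc) >= 5:
        idx = min(idx + 1, len(CATEGORIES) - 1)
    return CATEGORIES[idx]

# The paper's examples, with fields given in the order declared above.
CATTLE_TAG = UseCase("cattle-tracking tag", False, False, False, False, False,
                     False, False, Impact.LOW, Impact.NONE, Impact.NONE,
                     Impact.LOW, False)
OFFICE_THERMOSTAT = UseCase("smart thermostat (office supplies)", True, True,
                            True, True, False, True, True, Impact.LOW,
                            Impact.NONE, Impact.NONE, Impact.LOW, False)
MEAT_STORAGE_THERMOSTAT = replace(  # same device, different use case
    OFFICE_THERMOSTAT, name="smart thermostat (meat storage coolers)",
    regulatory=Impact.HIGH, physical_safety=Impact.HIGH, material=Impact.HIGH,
    affects_other_parties=True)
SMART_METER = UseCase("smart electric meter", True, False, True, True, True,
                      True, True, Impact.HIGH, Impact.MODERATE, Impact.HIGH,
                      Impact.HIGH, True)

def categorize_all() -> dict:
    return {uc.name: categorize(uc) for uc in
            (CATTLE_TAG, OFFICE_THERMOSTAT, MEAT_STORAGE_THERMOSTAT, SMART_METER)}
```

Running `categorize_all()` rates the two thermostats differently even though their device characteristics are identical, which is the point the paper makes about use case, not technology, driving the category.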

Common Attributes of Simple Devices
- Operate on very low power
- Long lifecycle: up to 20 years on a single battery
- Little to no on-board processing power
- Memory capacity measured in KB
- Incapable of over-the-air updates to firmware or software
- Collect and send data on a small number of parameters
- Often send information in short bursts to save energy before shutting down again
- Do not support common security algorithms such as data encryption

Simple Use Case: Cattle Tags

Asset-tracking tags are considered simple because they are typically low-power devices that have little available memory or on-board processing power. This class of devices generally performs a very limited number of functions. A cattle-tracking tag transmitting the location of free-ranging livestock is a good example of a simple device. For this example, our device performs one task: transmitting location data. Having little on-board processing power, if compromised, it likely presents limited value to hackers, even though the tracker may send out high volumes of location information that cover a wide geographic area and many thousands of animals. Although the loss of location data could be costly to a rancher, particularly if the cattle are stolen, the ripple effect of such an event would likely be limited. These factors would place this device into a low-risk category of IoT device.

Complex Use Case: Smart Meter

A good example of a complex device is a smart electric meter. A typical smart meter has much more processing power and memory than an asset-tracking tag. It communicates using any number of networking protocols (Ethernet, TCP/IP, Wi-Fi, ZigBee, Bluetooth, etc.) or hardwired interfaces such as a USB port. It has unlimited power because it is connected to the grid. While a smart meter could conceivably perform a wide range of functions, typically it is used to monitor electricity usage and transmit that data back to the utility. Utilities use this data to bill customers, balance electric loads across the grid, and optimize pricing. Smart meters are produced by many different manufacturers and are in use by power companies around the world, and therefore are crucial to everyday activities.

If compromised, these devices could be disconnected from the utility, cutting power to the source. A compromised meter could also be used to communicate back to the utility, potentially resulting in a wider impact [2]. Attacks on electric utilities have been a growing concern since suspected hackers took down parts of the Ukrainian power grid in 2015 and 2016 [3]. Smart meters represent another potential attack point. Because of these scenarios, smart meters are attractive targets for bad actors. The ripple effect of a compromised smart meter, or of hundreds of thousands of smart meters, could be catastrophic, leading to the prospect of power outages affecting millions of people.

The data these devices generate could also be of considerable value. Just knowing how much power a person or business consumes may not be all that useful. Criminals could, however, analyze the data to determine when owners are away, thus finding the best targets and times for a break-in.

Common Attributes of Complex Devices
- Higher power requirements via battery or tethered power supply
- Unlimited processing power and memory (both RAM and non-volatile)
- Include an operating system
- Run complex security algorithms such as encryption
- Can host network authentication and user access controls such as certificates and passwords
- Can track and report on multiple parameters
- Can monitor and report on conditions continuously
- Utilize multiple communications networks and protocols, including hardware access ports
- Can be updated over-the-air

Like other types of IoT devices discussed in this paper, smart meters represent potential opportunities for exploitation with risks that may be quite serious. Companies utilizing smart meters, therefore, should use a risk-informed security analysis to enhance their security and use on a network.

Creating a Risk Management Framework for IoT

Building out these types of use cases can serve as a template for a broader IoT risk assessment framework. It's important to remember that managing risk of any kind, and IoT risk in particular, is never a one-and-done exercise. After first determining the risk category for new IoT devices or services, it is crucial to revisit this exercise on a regular basis.

Changes to the IoT devices (e.g., device firmware updates), the local area networks (e.g., protocol updates or changes), and the applications with which the devices interact create an ever-changing attack surface that requires constant monitoring to help maintain a strong, forward-leaning security posture.

Conclusion

The growing number, types, and use cases of IoT devices can significantly elevate risk across an organization. Compared to the traditional risks IT cybersecurity teams manage, IoT risk may be unfamiliar. Couple that with the newness of these devices, a lack of device-level standards for security, the myriad networks and protocols they use to communicate, the stripped-down operating systems they run, and the out-of-the-way places they are deployed, and it becomes clear that organizations should take a disciplined approach to risk categorization and mitigation across the entire IoT ecosystem. Defining a set of use cases and associated risks helps security teams assign the appropriate policies and controls as part of an end-to-end IoT security strategy. This approach will help organizations begin to capture the benefits of IoT while helping to reduce any potential threats to the business and its people.

For more on this topic, visit www.iotca.org.

References
1. Gartner press release, February 2017, http://www.gartner.com/newsroom/id/3598917
2. "Smart Meters Pose Security Risks to Consumers, Utilities: Researcher", Security Week, Jan. 4, 2017, http://www.securityweek.com/smart-meters-pose-security-risks-consumers-utilities-researcher
3. "Why the Ukraine power grid attacks should raise alarm", CSO, March 6, 2017, https://www.csoonline.com/article/3177209/security/why-the-ukraine-power-grid-attacks-should-raise-alarm.html

About the IoT Cybersecurity Alliance

Our mission in creating the IoT Cybersecurity Alliance is to forge a community where industry-leading cybersecurity and IoT experts come together with the intent of demystifying IoT security, collaborating to address real-world IoT security challenges, fostering a security-first IoT posture, and providing educational tools to share best practices and thought leadership.