If you approach IoT security proactively and strategically, you can help manage complexity and reduce risk.
A critical first step is conducting a comprehensive risk assessment that incorporates the IoT into your overall risk profile.
Bottom line: Following core security principles and practices will help reduce the risks and maximize the benefits of utilizing new types of connected devices.
The fundamental objective of every IoT security initiative must be to build in security at the ground floor. A more disciplined approach to IoT initiatives gives you an opportunity to implement security strategies in front of the growing IoT wave, rather than after you’ve been swamped by it.
The approach requires collaboration among manufacturers, software developers, consultants, and other partners, because IoT security must be robust across every device, sensor, operating system, and application in the ecosystem.
Here’s a four-part framework to help you identify IoT-related risks and put the proper controls in place.
The first item on your to-do list is to conduct a comprehensive risk assessment that incorporates the IoT into your overall risk profile. It may seem trite to say "every IoT implementation is unique," but that statement is indisputably true from a security perspective. Even two companies that set up similar smart systems to make their buildings more energy efficient will need to blend those new IoT solutions into their existing — and unique — IT security infrastructures and processes. Add to the mix different IoT use cases, vertical sector regulatory demands, and other variables, and it’s easy to see how each IoT initiative takes on a security profile of its own.
An IoT risk assessment should comprise these primary steps:
Track your IoT solutions. A thorough audit includes devices, communication protocols, networks, and applications. It’s telling that 10% of the AT&T survey respondents cited the "best guess" estimate as their method for tracking the number of IoT devices at their organization.
Assess the security vulnerabilities of each IoT element. Beyond the devices themselves, consider the communication protocols and networks involved in the solution, the applications and databases, and any other IoT networks with which your solution may interact.
Map out worst-case scenarios. What happens if an IoT device fails or if it is compromised and manipulated? For example, if your IoT devices are controlling a nuclear power plant or dispensing insulin to a diabetic patient, the ramifications of a malfunction or breach are much greater than those of compromising a smart watch to steal personal data.
Determine whether IoT devices and data can be isolated. Some IoT operations and traffic can be managed through separate networks or systems, but some will have to integrate with existing IT networks. For example, HVAC sensors and systems can typically function on networks completely separated from your firm’s core IT networks and applications. You want to minimize IoT exposure to your "crown jewel" databases.
Gauge the value of the data from individual IoT devices. It’s important to determine the sensitivity of data that IoT devices generate, communicate, and aggregate. (More discussion on this below.)
Only after completing such a risk assessment can you intelligently tackle the IoT security challenge. As has always been the case when it comes to IT security, the level of IoT security should be commensurate with the level of risk identified. That said, you still need to understand that IoT deployments introduce some new twists when it comes to the types and scale of risks posed.
Traditional IT security solutions deal primarily with protecting sensitive information — the lifeblood of any organization — from theft, exposure, or corruption. Depending on the nature of an IoT solution, however, securing information may not be your primary concern.
For example, the data sent by an RFID tag on a package in transit may have little value to an outsider, and therefore has little need for rigorous security protections. Even when the data from hundreds or thousands of these devices are aggregated, the consequences of compromise may remain minor.
By contrast, if a sensor is part of a health monitor worn by a patient or a device is tracking an extremely valuable asset, such as a piece of art, the data can be highly sensitive — and desirable to criminals. In these cases, it’s vital to help protect the data using existing controls, such as data encryption, network monitors, firewalls, and other familiar tools.
Beyond data protection, of course, IoT deployments introduce the need to consider device-related risks and security. By definition, IoT devices don’t just generate data, but also interact in new ways with the physical world, such as controlling the flow of water or electricity. As a result, you must consider operational security threats, as well as information security concerns.
It’s easy to identify nightmare scenarios for some types of IoT devices should they be compromised. People could be harmed if someone commandeers the IoT controls of a car traveling down the highway or a robotic arm in a factory. Even seemingly innocuous IoT endpoints can potentially pose significant physical risks. How much damage might result, for example, if an office’s smoke detectors are disabled and a fire occurs, or if they are falsely triggered and set off a soaking from the sprinkler system?
Given the immediate and significant risks associated with some IoT device scenarios, you may not have the luxury of analyzing archived IoT data monthly, weekly, or even daily. Many IoT deployments will require real-time analysis and response, which necessitates automated processes that have little or no human involvement. In the AT&T survey, 47% of respondents say their organizations analyze connected device security logs and alerts no more than once a day — a pace that will need to quicken as the risk profile rises.
In recent years, organizations of all types have bought into the notion that IT and business strategies must be tightly integrated and complementary. This IT-business union seems to be holding true when it comes to IoT initiatives. Among decision-makers in the AT&T survey, 65% say their IoT business strategies involve collaboration between IT and business units.
When it comes to IoT technology strategy, nearly as many respondents (60%) say IT and business units both contribute to the effort. This type of cross-organization, cross-functional collaboration is critical, regardless of the thoroughness and timeliness of an IoT security-risk analysis.
The effectiveness of an IoT deployment can be undermined if your organization isn’t fully engaged in the effort from the top down. The scope, speed, and potential impact of the IoT’s emergence demand the attention of not just your IT security team and business units, but also your executive officers and board of directors.
On this last point, the AT&T survey provided some encouraging data. More than 90% say their boards have at least some level of involvement in providing oversight of connected devices or IoT data.
Still, the survey results suggest board involvement, overall, has room for improvement. Just 17% say their boards provide IoT oversight at every meeting or quarterly.
The level of board involvement matters, in part, because it impacts the confidence level that a company’s decision-makers have in the security of their organization’s connected devices. Specifically, there was a 300% increase in the number of organizations showing full confidence in the security of their connected devices when their board was highly involved.
Corporate boards and C-suite executives may well find they need to modify corporate policies and standards to see that IoT deployments meet both business and security requirements. To assess and address these needs, your organization’s chief security officer must occupy a central and influential seat at the IoT strategy table.
Especially at this early stage of the IoT revolution, it’s important for your organization to have clear lines of responsibility for IoT security, as well as consistent security systems and procedures throughout the organization. Even if individual business units are permitted to pursue their own IoT initiatives, they should be required to do so only in tight consultation with your organization’s IoT security experts.
What it is: The value of IoT-connected health care devices lies in their ability to allow physicians to efficiently monitor patient health, while improving communication between physicians and patients.
Some devices measure and transmit data about different physical conditions, such as heart rate or respiratory rate. Others can dispense drugs or perform actions in response to those measurements. The various types of devices perform functions that measure common health markers in the form of wearables or are smart versions of traditional devices, such as pacemakers or insulin pumps.
AT&T has solutions for remote patient monitoring that help to ensure security for cloud-based data, as well as the device itself.
Security implications: Patient information is already a favorite target of cybercriminals. As noted in our first Cybersecurity Insights report, a health record is 50 times more valuable to a cybercriminal than a Social Security number. Data exposure and device failure can open manufacturers to violations of HIPAA and other regulatory guidelines.
Beyond data vulnerability, the risk of outsiders taking control of some devices has critical health implications and is of particular concern.
Potential security safeguards: Examine the function of connected devices — not just the vulnerabilities — and build more protections into connected things that could impact physical health and safety. Traditional cybersecurity solutions — threat detection and analysis, authorization/authentication, encryption, and the ability to securely patch vulnerabilities — are key to preventing connected-device breaches and tampering.
Security standards should become a part of an ongoing effort to protect against an ever-developing threat environment. Before production, all IoT-enabled devices should meet those security standards. In general, cybersecurity must be a consideration throughout the lifecycle of the product.
Telling stat: Only 11% of health care/life sciences providers are extremely confident in the security of their connected devices, and 30% are analyzing the logs and alerts of connected devices in real time.
As you explore the risks and security demands associated with IoT deployments, you must also consider your organization’s legal and regulatory requirements and exposures. Most companies already understand the liabilities they face if, for example, they allow the theft of Social Security numbers or medical files.
Beyond information thefts or breaches, the physical and operational parameters of IoT devices can open new types of corporate responsibility and liability. The consequences of an IoT device that is manipulated to cause physical harm, for example, will quickly surpass those associated with many information breaches.
The use of multiple vendors in most IoT deployments requires that you assess their level of IoT security.
Here again, board involvement can play a significant role, as our survey shows. As is the case with an organization’s own connected devices, confidence levels in the security of their business partners’ connected devices are lower when boards are less involved in IoT oversight.
Software-over-the-air/firmware-over-the-air, in which updates, settings, and other digital programming are transmitted wirelessly to networked devices.
As illustrated throughout this report, the IoT is in part defined by a dizzying variety of IoT device types and characteristics. But the IoT is also united in its reliance on certain requirements to help secure every connected device. They include:
Every network-connected device should have a means for authorized operators to update the device’s software and firmware (e.g. software-over-the-air/SOTA and firmware-over-the-air/FOTA). Ideally, the updating process will be highly automated while still providing cryptographic checks to allow updates from an authorized source.
Every device should include a way to reset it to its original manufactured clean state.
Rather than permitting an easy-to-hack default password, each device should require the user to define a unique and reasonably secure password for access from a network interface.
A device should not offer any services to the network that it does not require to support its core functions.
A device should not have hidden or known entry points that can be easily exploited by the device vendor or others.
Device makers should provide online access to operators’ manuals, access to updates, and updated instructions. Support information should include a clear explanation of the product’s support lifecycle.
Vendors should provide contact details or a support forum to which organizations can report any problems with the device or its software.
Each device should carry a label that helps the authorized operator identify it and find support information.
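The update requirement above calls for cryptographic checks that allow updates from an authorized source. The sketch below is an added example, not code from this report or from any vendor: it shows a device-side check that authenticates an update manifest and then confirms the firmware image matches the digest in that manifest. It assumes HMAC-SHA256 with a provisioned key as a stand-in for the asymmetric signature a production SOTA/FOTA scheme would normally use, and the manifest fields, function names, and key are hypothetical.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a provisioned key stands in for the vendor's
# asymmetric signature so the example runs on the standard library alone.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(key: bytes, version: str, image: bytes) -> dict:
    """Vendor side: bind version and image digest together, then authenticate them."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    payload = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return body


def verify_update(key: bytes, manifest: dict, image: bytes) -> tuple:
    """Device side: return (accepted, reason); accept only if both checks pass."""
    try:
        body = {"version": manifest["version"], "sha256": manifest["sha256"]}
        claimed_mac = manifest["mac"]
    except (KeyError, TypeError):
        return False, "malformed manifest"
    if not all(isinstance(v, str) for v in (*body.values(), claimed_mac)):
        return False, "malformed manifest"
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Authenticate the manifest (constant-time compare) before trusting its fields.
    if not hmac.compare_digest(expected.encode(), claimed_mac.encode()):
        return False, "manifest not from authorized source"
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual.encode(), body["sha256"].encode()):
        return False, "image does not match signed digest"
    return True, "ok"


# Constructed sample firmware image and manifests for the demonstration.
IMAGE = b"\x7fFWIMG" + bytes(range(64))
GOOD = sign_manifest(VENDOR_KEY, "2.1.0", IMAGE)
WRONG_KEY = sign_manifest(b"some-other-key", "2.1.0", IMAGE)

if __name__ == "__main__":
    print(verify_update(VENDOR_KEY, GOOD, IMAGE))            # accepted
    print(verify_update(VENDOR_KEY, GOOD, IMAGE + b"\x00"))  # altered image
    print(verify_update(VENDOR_KEY, WRONG_KEY, IMAGE))       # unauthorized source
```

Because the manifest is authenticated before any of its fields are used, a modified version string or digest is rejected at the first check rather than being compared against the image.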