IoT and the Risk Minefield

By David Tremont posted 06-18-2018 14:37

  

Undoubtedly we have all heard of IoT, or the Internet of Things. This will be the first of a two-part series on the risks and compliance of IoT. We will first look at what IoT really means and how this fast-growing technology is causing concern among security professionals.

5 of the biggest cybersecurity risks in IoT

What is IoT? The world of IoT consists of a multitude of devices such as smartphones, wearables, cameras, network-connected Bio’s, readers, televisions; well, you get the picture. It is basically anything that can connect to a network, that is, the Internet, and when we connect devices to the Internet there are risks, and in this case lots of risks. See Fig. 1.

  

 

Fig. 1  Definition of IoT (Reference Computer Science Studies)

Although the technology is useful for businesses and homes, these devices are unfortunately not designed to handle security and privacy attacks, and this raises a lot of security and privacy issues in IoT networks, such as confidentiality, authentication, data integrity, access control, and secrecy.

IoT Risks and the challenges it creates

When we look at the risks of these devices, it is truly a daunting task to understand those risks based on the device and the function it performs, and to work out how we can mitigate them. The goal is not only to keep these devices as productive tools for users, but to ensure that we as security professionals understand these risks and define what has to be done to protect firm or corporate assets and data. Oh, by the way, the privacy risks associated with IoT devices can be a huge concern if the devices are either recording information about people or storing that information on a particular device.

Let’s look at some of the risks associated with IoT. Given all the current news about data privacy and GDPR, data privacy sits as one of the top risks associated with IoT. Most IoT devices either store or collect information about people, such as GPS coordinates and user information such as employee numbers used for access to Bio or card readers, and let us not forget the type of information that is on a smartphone used for business.

What I wonder is why there is not a common standard for these devices.  Standards are all over the map and there is a huge challenge to distinguish between permitted and non-permitted devices. 

Then we have technical concerns about the amount of traffic generated by these devices. This is not necessarily a risk, but it deserves a mention with regard to our network capacity and, dare I say, the storage this information needs for analysis. There are other risks as well: falsification, and DoS/DDoS attacks on specific IoT devices, which basically render the device useless.

What do we need to do?

The most important thing is to identify all the devices you can, on both the business and the personal side of IoT: personal laptops, personal smartphones, wearables. Surveys are a good way to understand what users are bringing to your network. Do you have a BYOD policy in place? If not, it is time to sit down with senior management and get one as soon as possible. This is important because it gives security professionals direction on what needs to be protected and what is allowed or blocked on your network.

Then, with a consultant if needed, perform a risk assessment just on the IoT devices within your network and define what you have, the risk it poses, and how to eventually mitigate that risk. This is nothing new to security-minded people, but it is a lot more to think about as IoT gets larger by the day.

Final thoughts

The IoT is a concept that depicts a future where physical objects connected to the internet communicate with each other and identify themselves to other devices. The IoT helps to build connections from human to human, human to physical objects, and physical objects to other physical objects. This can be a huge benefit to businesses and personal lifestyles in the future. The prediction is that there will be approximately 30 billion internet-connected devices by 2020. This rapid growth of internet data needs a more robust and secure network and sound security policies for your IoT devices.

Cyber Risk in an Internet of Things World by Deloitte

Look for Part two of this IoT series on ‘Compliance in an IoT World’.

 



Comments

10-20-2021 12:47

Part 2 - https://iltanet.org/blogs/david-tremont/2019/02/14/compliance-in-an-iot-world

06-18-2018 15:07

​Looking forward to Part 2!