Posts

IOT Risk Management

5G networks will usher in a wave of new IoT (Internet of Things) applications. As with the implementation of any new technology, it is vital to ensure that a secure foundation is in place. This is especially important when we consider that 5G will accelerate the deployment of smart devices and the applications they support. Tech analyst company IDC predicts that by 2025 there will be 41.6 billion connected IoT devices, generating 79.4 zettabytes (ZB) of data.

Mobile network security vulnerabilities are not new, and they will not go away with 5G. Overall, 5G is more secure than 4G. Many industry experts have warned of the 5G security gaps and vulnerabilities. A 2019 Brooking report identified five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors, and Purdue University and the University of Iowa researchers identified 11 new vulnerabilities in 5G.

As 5G becomes widely available, the deployment of IoT devices and applications will increase. Each IoT device connected to the network becomes a new entry point of attack that can be exploited. If an attacker can successfully gain access to the IoT device, they can attack other devices on the network. Considering that some IoT devices access and control environmental systems and critical infrastructure, there are significant life and safety risks if these systems are compromised.

While the network providers are responsible for securing the 5G network, the end-user plays a critical role in securing the devices they connect to their network. We know that many organizations struggle with implementing simple cybersecurity best practices.

What are the additional security challenges these organizations face when 5G is widely available fueling the acceleration of IoT? Are their security teams equipped with the knowledge, skills, and tools necessary to manage IoT?

To help organizations manage IoT cybersecurity and privacy risk, the NIST has published the  Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The NISTIR 8228 provides a framework and set of recommended actions to address the risks associated with IoT devices.

NIST IoT Framework

The NIST IoT framework provides a starting point for addressing IoT risk. The framework stresses the importance of identifying and addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle and includes:

1. Identifying and understanding the considerations that may affect the management of cybersecurity and privacy risks for IoT devices, including:
   • How IoT devices interact differently as compared with conventional IT devices.
   • The additional knowledge, effort, and tools required to manage IoT devices.
   • The new controls that may be necessary to ensure the security of IoT devices.
2. Adjusting organizational policies and processes to ensure they clearly define the scope of IoT to avoid confusion, ambiguity, and the specific challenges introduced by IoT and their potential impact.
3. Modifying mitigation practices that consider the different types of IoT devices and the variability of their capabilities. Risks may need to be managed by device type and by how these devices are used.

Following the NIST IoT framework and implementing IoT best practices such as the ones listed below can help your organization limit your security exposure and develop a comprehensive IoT security program.

IoT Best Practices to remember

1. Follow a layer defense approach that implements overlapping layers that include prevention, detection, and response when securing the IoT asset.
2. Include your IoT devices and applications on your information asset register.
3. Conduct a comprehensive risk assessment before connecting any device to the network.
4. Change default passwords before connecting any device to the network.
5. Follow password best practices for all devices.
6. Install security patches and software updates.
7. Determine whether or not the device requires connectivity to the internet. Do not assume that all devices must be connected to the network.
8. Consider isolating IoT devices on a separate network that is not connected to sensitive information assets.
9. Use a firewall to monitor traffic between IoT and the internet to detect suspicious behavior.
10. Keep up to date on IoT vulnerabilities and threats.

Preparing for IoT risk now will enable your organization to take advantage of the opportunities presented by IoT to transform and grow the business.

For more information, please email John Mendes at john.mendes@pamten.com.