The “Internet of Things”, or IoT, is a phrase used to define the universe of internet-connected objects that have the capability to interact with the physical world and exchange data over a network. The use of networked devices to exert control over a physical environment has been around for quite some time in the industrial world; electrical grids are just one example. However, the concept has exploded in popularity thanks to its expansion into the consumer market, and rebranding with the catch-phrase “IoT”.
Before this explosion of IoT in the consumer market, the majority of devices connected to the internet were computers, and IoT in the industrial world was largely confined to closed networks. Now everything from wearable fitness trackers to “smart” refrigerators that allow you to see their contents from the grocery store aisles are connected to the internet. And, while the proliferation of IoT has provided a wealth of opportunities for people to easily share information and conveniently control our environment, it’s made our networks and the internet in general more prone to cyberattacks.
Cybersecurity and Privacy Risks
IoT devices face many of the same types of cybersecurity and privacy risks as conventional IT devices. But, managing these risks is very different. The National Institute of Standards and Technology (NIST) has recently taken steps to begin addressing the unique issues of IoT cybersecurity. In September, the organization released a draft document entitled, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228).
Because IoT devices are so varied, the document does not offer specific guidelines and recommendations to improve privacy and cybersecurity protections, but rather provides an overview of baseline considerations and mitigation goals to be considered as they pertain to the following high-level risks:
Risk Management Considerations
NIST identifies several high-level considerations that impact risk management for IoT devices. The first has to do with the core components of IoT devices: sensors and actuators. Sensors and actuators are both transducers. A transducer is any physical mechanism that converts energy from one form to another form. In other words, sensors and actuators control how IoT devices interact with the physical world.
Sensors convert physical energy to electrical impulses that can be interpreted by IoT devices and shared with other IoT and conventional IT devices. Fitness trackers are a good example. These devices are able to sense and record vital signs; your heart rate, pulse, sleep patterns, etc. The data can be stored on the device and uploaded elsewhere, for example to an electronic health record (EHR).
With actuators, the process is reversed; an electrical input allows you to initiate a physical action in the environment, such as when a signal sent from your phone or computer to an IoT doorbell system unlocks the door when you recognize the person standing in the doorway.
The second high-level consideration NIST identifies concerns limitations with how IoT devices are accessed, managed and monitored. While conventional computers allow for authorized users to access and manage their hardware components and software applications and to monitor their functioning, IoT devices usually don’t allow for the same level of oversight. Many devices are “black boxes”; there is no ability to manage their software or access their internal hardware.
The third high-level consideration NIST identifies is the availability and effectiveness of cybersecurity and privacy capabilities. NIST differentiates between “pre-market” capabilities, which are built into by the manufacturer prior to sale, while “post-market” capabilities are those that you can add yourself.
The pre-market and post-market capabilities for IoT devices are different than those available for conventional IT, with some capabilities being less effective or not available at all. These capabilities include things such as event logging, encryption, user authentication and firewalls. For some IoT devices, these can be counter-productive to their functioning; however, IoT devices without these capabilities are more vulnerable to hacking, which in turn increases the risk to your entire network.
NIST Risk Mitigation Goals
The NIST draft document addresses high level risk-mitigation goals in response to the areas of risk identified:
IoT Device Security
In order to protect IoT devices, you need to have an accurate inventory. This may pose a challenge if your devices lack unique identifiers or are “Black Boxes” that provide little or no information on their configurations or other devices on your network to which they are connected. Black box devices can also be problematic when trying to update their firmware, hardware and software. And, devices that are unpatched or running outdated firmware or software are at higher risk of attack. In addition, some IoT devices don’t support strong passwords, require default passwords to be changed, or require passwords at all. Finally, not all IoT devices have the capacity to log security incidents, making it very difficult to know if it’s been accessed by an unauthorized person.
IoT Data Security
Many IoT devices lag behind conventional IT devices when it comes to the security of data stored and transmitted. IoT vulnerabilities have been found recently in everything from security cameras to medical devices. Security measures commonplace in conventional IT devices aren’t always built in to IoT devices. These include encryption, data backup and restoration capabilities, and mechanisms to purge data prior to repurposing or disposing of IoT devices.
Protecting individuals’ Privacy
Of course, protecting the privacy of individuals whose data is stored on IoT devices encompasses securing the devices themselves, and the data residing on them. But it also includes providing individuals with sufficient control over what data is accessed, how it is used, and where it is stored. These tasks are often more challenging to manage with IoT devices, especially when multiple IoT devices with competing purposes are in use on a given network.
Because IoT devices are closely connected, all a hacker has to do is exploit one vulnerability to impact the entire network to which the device is connected. But, managing the privacy and security risks of IoT devices requires a delicate balance between the securing these the devices and their data, and maintaining the usability of the devices and the availability of the data being stored and transmitted.
The NIST document is just one means of addressing IoT cybersecurity. Another approach that is gaining traction is addressing cybersecurity through legislation. In fact, California recently became the first state to pass an Internet of Things cybersecurity law. Several IoT bills have also been introduced at the federal level, although none have made it to a vote. It’s only a matter of time, though, that more states pass their own laws, and there may yet be federal action, either as a separate law, or as a revision to existing HIPAA regulations.