Source: Mark Chaplin, Principal, ISF
08 Oct 2018
At a recent gathering of senior cyber security professionals, we examined the topic of securing the Internet of Things (IoT). There are thousands of IoT-based projects underway around the world, with the introduction of IoT into all parts of society showing no signs of slowing.
From smart city to the individual, organisations are looking to leverage this emerging technology, which has the potential to shape many aspects of how organisations operate – from healthcare, logistics and manufacturing to retail, transportation and utilities. Even organisations not heavily dependent on technology see a future supply chain significantly influenced by IoT.
IoT will drive and impact how we live, work and rest, so the future looks bright. It will bring about smart cars, smart energy, smart health and smart offices, to name a few. As technology becomes smarter we can expect increased safety, lower costs, improved treatment and greater efficiencies.
However, as with the promise of many new technologies, there is a dark side to IoT, where the goal of smart technology is hindered by what some technologists call dumb technology. This was the focus of a session with senior cyber security professionals from a variety of industry sectors, who explored the IoT security concerns that keep them awake at night.
While technologists extol the virtues of IoT, cyber security professionals remind us that new technologies often fail to incorporate basic security practices, such as secure development and configuration, access control, segregation, vulnerability management and patching, resilience, encryption and monitoring.
During the session, security experts forecast a range of realistic security scenarios for IoT stakeholders to address. These included:
- degraded levels of safety in manufacturing and industrial environments
- increased exposure to attack due to a larger and unprotected technical infrastructure
- introduction of backdoors into, and compromise of, corporate/enterprise networks
- unauthorised disclosure of personal and business sensitive information
- misuse of critical or sensitive data collected and processed by IoT devices
- failure of business operations, resulting in unacceptable downtime.
While IoT presents traditional and new challenges that need to be addressed, cyber security professionals identified systemic risk as a critical concern. There was consensus that increasing dependency on IoT and related environments may present a risk to large numbers of organisations in different industry sectors, in supply chains and throughout a nation’s critical infrastructure.
With these concerns in mind, the cyber security professionals set out key expectations for stakeholders of IoT, including manufacturers, suppliers, retailers, integrators, acquirers, regulatory bodies and consumers. The result was a set of 10 actions for stakeholders to consider.
10 Security Actions for IoT Stakeholders.
- Hold IoT stakeholders accountable for IoT security, including providers, business leaders and technologists
- Demand, support and embrace industry/international standards and regulation for IoT security
- Collaborate with industry peers to help identify and manage systemic risk introduced by IoT
- Establish risk governance models for IoT and its protection, including strategy, policy, technical standards, management procedures and implementation guidance
- Apply globally-accepted security principles to all aspects of the IoT lifecycle, including security and privacy by design, defence-in-depth, secure-by-default and default-deny
- Work with, and not against, developers of IoT technology to manage the risk associated with its rapid development, by embedding security into the design, development, build, testing, deployment and maintenance activities
- Provide consumers with a clear indication of IoT security capabilities (e.g. by providing a rating or compliance level with an accepted standard for IoT security)
- Assume IoT environments are hostile by default – verify trust levels associated with IoT devices or the environments in which they are deployed
- Deploy IoT and related technology in a manner that ensures protection remains as simple and intuitive as possible
- Include coverage of IoT security in all technology and risk education and training activities, including for designers, developers, integrators and consumers.
The Information Security Forum regularly engages with senior cyber security professionals around the world to solve key information risk and cyber security problems, through solution development workshops, training events, Chapter meetings, regional conferences and its Annual World Congress.