Businesses across all industries have to deal with cybersecurity threats that come with the increasing use of connected devices. To secure organizational data, it is critical to establish robust cybersecurity frameworks for the Internet of Things (IoT).
In an effort to standardize processes and ease the burden of data environment information security, the National Institute of Standards and Technology (NIST) issued a call for papers on April 18, 2018.
Internet of Things (IoT) Risk Management
What is the Internet of Things?
The broad definition of the Internet of Things covers any device that can connect to the internet, or to another device through Bluetooth technology. For example, your smartphone, laptop, Bluetooth earphones, smartwatch and other modern consumer tech products fall under IoT.
However, IoT is not restricted to consumer products. Devices used in industries such as healthcare, banking, oil and gas, engineering and others that can connect to the internet also fall under the larger IoT ecosystem.
IoT drives efficiency in today’s world. For example, you can monitor your home security with CCTV cameras and access the data they gather through your phone. Businesses can also improve efficiency in their processes by using productivity tools.
Security Risks of Using IoT Devices
It is easy to control computers. For example, you can set passwords to restrict access to them.
However, with the Internet of Things, controlling devices is a little more difficult. This is because the IoT ecosystem is built to automate activities so that we interact less with devices while getting more information.
For example, doctors can use pacemakers equipped with IoT capabilities to monitor hearts. The doctors will not need to be with the patient physically to get the heart data.
However, a security risk emerges when this data is transmitted from the IoT-enabled pacemaker to another device, for example, a laptop. Since these two devices (pacemaker and laptop) are not on the same network, the data being transmitted between them can be intercepted by third parties, which can be disastrous.
The Biggest Risks of the Internet of Things
IoT-enabled devices pose a number of security concerns that relate to the interception of the data being shared between the devices. These security gaps should help to inform your risk management strategy.
Bluetooth connections do not provide as high a level of authentication as network connections do. When you connect your laptop to a Wi-Fi network, you can set up authentication protocols such as a username and a password. You can even set multi-factor authentication for more security.
When devices connect with each other through Bluetooth, they get a unique “address” that is similar to an IP address. However, users cannot attach a username or password to this address for authentication purposes.
Since the information being transferred from one device to the other in the IoT ecosystem is not secured using an authentication method, it can be intercepted by third parties. This scenario can play out like what happens with “public Wi-Fi” where users can access other users’ devices.
With traditional networking, you can control the users that can access your device as well as the data that they can access. On the other hand, the security of Bluetooth connections is not robust enough to protect the devices connected to each other from unauthorized users and programs.
Since Bluetooth cannot be protected using a username and password, you cannot control what a user can or cannot access in the device.
Since there is no way of setting authorizations, you cannot be certain of the people or programs that are accessing the data being shared through the Bluetooth connection. This means that anyone can intercept the data being transferred through the Bluetooth connection as well as the data on the devices that are connected to each other.
To pair a Bluetooth IoT device with a computer, tablet, or smartphone, there has to be an information-sharing connection between them. When you leave the primary device open to a Bluetooth connection to form your IoT connection, other devices in the zone can see the Bluetooth connection and connect to the primary device.
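One way to check whether a primary device has been left open in this way is to audit its adapter state. The following is an added example, not part of the original article: it assumes a Linux host whose Bluetooth stack (BlueZ) reports adapter properties through `bluetoothctl show`, and it runs on a constructed sample of that output.

```python
import re

# Constructed sample of `bluetoothctl show` output; addresses and names are made up.
SAMPLE_SHOW_OUTPUT = """\
Controller 00:11:22:33:44:55 (public)
    Name: clinic-tablet
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes
Controller 66:77:88:99:AA:BB (public)
    Name: nurse-laptop
    Powered: yes
    Discoverable: no
    DiscoverableTimeout: 0x000000b4
    Pairable: no
"""

def parse_controllers(text):
    """Split the output into {address: {property: value}}, one entry per adapter."""
    controllers, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Controller\s+([0-9A-Fa-f:]{17})", line)
        if header:
            current = controllers.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return controllers

def audit(text):
    """Return {address: [findings]} for adapters that nearby devices can see or pair with."""
    report = {}
    for addr, props in parse_controllers(text).items():
        findings = []
        for mode in ("Discoverable", "Pairable"):
            if props.get("Powered") != "yes" or props.get(mode) != "yes":
                continue  # radio off or mode disabled: nothing exposed
            raw = props.get(mode + "Timeout")
            # Timeout is printed as hex seconds; 0 means the mode never expires on its own.
            seconds = None if raw is None else int(raw.split()[0], 0)
            detail = ("timeout not reported" if seconds is None else
                      "no timeout" if seconds == 0 else f"times out after {seconds}s")
            findings.append(f"{mode}: {detail}")
        report[addr] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_SHOW_OUTPUT))
```

An adapter that reports a discoverable mode with no timeout is the "left open" case described above; an empty findings list means the adapter is not advertising itself to devices in range.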
Goal of the “Lightweight Cryptography” Project by NIST
At the moment, there are no IoT standards, and given how diverse IoT devices are, their potential risks should not be underestimated. For example, if an IoT syringe being used to dispense pain medication is hacked, the results can be catastrophic. Imagine a malicious actor hacking the syringe to steal data or even overdose a patient!
NIST is proposing the creation of IoT standards that will increase data protection across all devices. Through the Lightweight Cryptography project, NIST is proposing a minimum set of authentication requirements that will secure IoT devices against brute force attacks. The project also seeks to get IoT solutions to work fast, consume little power and keep energy use low. Leveraging both the NIST framework and the HITRUST CSF can help your organization stay ahead of zero-day exploits that can harm your clients' health and/or safety when leveraging IoT devices for day-to-day business operations.