feature
ISACA JOURNAL VOL 3

Managing the Risk of IoT
Regulations, Frameworks, Security, Risk and Analytics
IoT Security—The Game Plan
Also available in Portuguese

Indrajit Atluri, CRISC, CISM, CEH, CISSP, CSSLP, HCISPP, ITILv3, is a cyber security professional with expertise in IT governance, risk management and compliance. His current focus areas include security of emerging technologies, such as the Internet of Things, big data and security analytics, and their implications on information risk and privacy. Atluri is associated with the information security firm Secur80. He can be reached at iatluri@secur80.com.

Does the recent distributed denial of service (DDoS) attack on Dyn1 officially mark the passing of the Internet of Things (IoT) fear, uncertainty and doubt (FUD) stage, or is this still the beginning of the stage? IoT FUD pertains to IoT vulnerabilities leading to loss of data, service and possibly life. Traditionally, FUD about a security breach or regulatory noncompliance is the primary driver for management to invest in information security. The same FUD applies to IoT security, although it involves multiple variables that need to be considered. The resolve to address IoT device security at various levels—hardware and software, government and enterprise, consumers and services—is widespread. This soaring resolve is primarily due to the sheer quantity of IoT devices that are available and the ease with which these devices can be compromised and converted into thingbots. Thingbots are botnets of infected IoT devices that can be used to launch attacks like the Dyn attack, which affected more than one million devices, of which about 96 percent were IoT devices.2, 3

The primary issue is with IoT device hardware, which is manufactured mostly outside of the United States and needs to be regulated.4 The retail industry sector has been the leading adopter of IoT technology because it reaches out directly to numerous customer bases, unlike the health care sector, which does not have benefits that are immediately transparent to the end user and has higher risk.

The game plan for IoT security provides an overview of the IoT ecosystem and addresses standards, frameworks and regulatory proposals that have developed recently. Figure 1 depicts an IoT ecosystem in which information security forms an integral part.

Figure 1—IoT Ecosystem (the chip, device, connectivity, platform and integration layers together with cloud computing and analytics, with information security as an integral part of every layer). Source: I. Atluri. Reprinted with permission.

IoT Standards and Framework Developments
A positive repercussion of the Dyn DDoS attack was the US Department of Homeland Security (DHS) release, in 2016, of principles and guidelines for securing the IoT.5, 6 These guidelines are not legally mandatory, but are definitely a sign of a good start toward IoT device security. Some of these guidelines are well-known mantras to most security professionals in the game:
• Leverage security from the feasibility phase.
• Apply security updates, patching and vulnerability management.
• Follow proven security practices.
• Prioritize controls based on the magnitude or impact.
• Provide oversight and proper governance of the IoT.
• Keep the device off the network if there is no absolute business need.

Also in 2016, exemptions to the US Copyright Law were approved that allow independent researchers to hack almost any IoT device.7 Although numerous limitations apply to the exemptions, they were granted for two years. This will help researchers unlock software for their research
without any legal implications. The intentions are right, but the impact of this change, positive or negative, is yet to be seen.

The Industrial Internet Consortium, primarily comprised of IoT-related enterprises, rolled out the Industrial Internet Security Framework (IISF), which outlines best practices to assist developers and end users with gauging IoT risk and possibly defending against this risk.8 In early 2017, the US Federal Trade Commission (FTC) announced that it is granting prize money to anyone who develops an innovative tool that detects and protects home devices from software vulnerabilities.9

Another recent development in IoT security is the Sigma Designs S2 security framework, which will be part of every Z-Wave-certified IoT device that is manufactured after March 2017 and is backward-compatible on existing Z-Wave IoT chipsets, making the devices more secure.10

Regulatory Proposals
Cyber security researcher and Harvard University lecturer Bruce Schneier recently proposed a more regulated IoT industry in a meeting with two US House of Representatives’ subcommittees—the Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing and Trade.11 He presented the comparison of the cost versus the incentive and drive for IoT device manufacturers to patch vulnerabilities periodically. Schneier pointed out that most IoT devices provide lower profits and that the more frequently replaced devices, such as smartphones, are patched more often, compared to devices that are seldom replaced, such as thermostats and refrigerators. Smart cars and Blu-ray players fall in between. IoT thermostats and refrigerators that are not likely to be replaced are at a higher risk if they are not patched. If there is not a profit or cost benefit for the manufacturer to patch a less frequently replaced product, there is no drive for the manufacturer to patch it regularly; hence, it should be regulated. The other side of this argument is that regulation of the IoT industry would stunt the growth of innovation.

The US Food and Drug Administration (FDA) has been providing some guidance to manufacturers on the best practices to build security into medical devices since October 2014. In December 2016, the FDA added a guide that lists the best ways to secure medical devices after they enter the consumer’s hands, primarily to prevent any harm to patients. The guide also states that IoT device manufacturers need to report to the FDA if the use of a device has resulted, or can result, in any kind of serious harm or the death of a person. Reporting to the FDA is waived only if customers and device users are notified about the vulnerability in the device within 30 days, the device is fixed within 60 days, and this information is shared with the Information Sharing and Analysis Organization (ISAO).12, 13 The premise is somewhat similar to the optical character recognition (OCR) sanctions on US Health Insurance Portability and Accountability Act (HIPAA) violations, but the difference is that the FDA guides are just recommendations and are not legally binding. It is believed that these guides will eventually lead to legislation, as in the case of HIPAA.

More recently, the US Senate Commerce Committee approved the Developing Innovation and Growing the Internet of Things (DIGIT) Act. It is currently waiting on approval from the full Senate. The DIGIT Act creates a working group that would focus on the security, privacy and other issues relating to IoT.14

The Game of IoT Security
The number of connected IoT devices is estimated to reach 200 billion by 2020.15 Similarly, it is estimated that approximately 4 billion people will be online by 2020.16 The online exposure increases multifold by 2020 for the simple reason that human-to-machine (H2M) interactions increase along with the machine-to-machine (M2M) interactions.

The IoT Arena
Figure 2 shows a conceptual IoT architecture. The IoT devices fall generally into one of two categories—one type of device interacts with a gateway and the other has a gateway built into the
device. The second category of devices includes mostly devices that need to be in constant motion, e.g., smart cars and fitness wearables.

Figure 2—Conceptual IoT Architecture (sensor and actuator devices, with sensors such as acoustic, vibration, humidity, moisture, flow, proximity, electricity, magnetic, radio and chemical and actuators such as hydraulic, pneumatic, electric and mechanical, communicating either through an IoT gateway or directly to the cloud; an IoT platform/services layer offering data streaming, analytics and visualization, REST services, database, storage servers, messaging, device management, process automation and a rules engine; and the IoT cloud, IoT applications and IoT analytics above it). Source: I. Atluri. Reprinted with permission.

Defense
Defense starts at the chip or hardware level. The hardware on which the IoT device is built forms the basis for a robust and secure IoT device. This is like laying a strong foundation for a house to ensure a stable and sustainable end product.

Device-Manufacturer Level
As shown in figure 1, the chip and hardware of the IoT device are where the life cycle of an IoT device starts, and this is also the right time to steer the process onto the right path.

Hardware
Primary threats to an IoT device at the hardware level are that it can be stolen, physically modified, replaced and cloned. Hardware vulnerability examples include prebuilt weak default passwords or hard-coded credentials and counterfeit integrated circuits.

The nonprofit Internet of Things Security Foundation (IoTSF) aids all IoT manufacturers, vendors and end users to help secure IoT devices.17 Nevertheless, the best countermeasure to combat the hardware vulnerabilities is to regulate the process of manufacturing an IoT device. The manufacturers of IoT devices need to be accountable for not adhering to the appropriate IoT regulatory standards (there are not any standards at the time of this writing), industrial standards and/or guidelines. Today, there are no legal implications for not following the standards, but there can be a pushback at the enterprise level in adopting a substandard IoT device from a manufacturer. This pushback can prevent most hardware vulnerabilities
and software weaknesses that may be inherently available in IoT devices. If hardware vulnerabilities are not mitigated, the rest of the controls, methodologies, frameworks, time, resources and investment to make IoT devices secure cannot be effective. Some of the regulations and pushback need to be driven by the respective governments, with assistance from the security community.

Software
Major threats to the software or firmware on IoT devices are that the software can be modified or decompiled to extract credentials and leveraged to perform DDoS attacks. The vulnerabilities at the software level are:
• Insecure code
• Hard-coded default passwords
• Improper software testing leading to backdoors
• Absence of strong authentication during M2M, H2M and machine-to-human (M2H) interactions

IoT devices need to be able to carry out multifactor authentication, e.g., phone the human user/owner of the IoT device, before the user/owner performs the security update.

Enterprise/Network Level
Like other network devices, the most common IoT device threats at the enterprise/network level are eavesdropping, man-in-the-middle (MiTM) attacks and bandwidth theft. The suggested three steps to protect against these threats are:18
1. Identify and inventory the IoT devices in the enterprise and make sure they are integrated into the enterprise asset management program.
2. Define standards and baselines for IoT device security based on enterprise policies and standards.
3. Implement the necessary security controls to mitigate IoT risk.

Segmentation of all of the IoT devices onto a separate network zone is recommended, which makes it easier to quarantine the entire IoT zone in the case of a breach.19 The rest of IT can continue its operations without any major impact. If segmentation and zoning are not feasible, adopting a software-defined networking (SDN) model is suggested, which not only improves IoT security, but also helps with identifying the location of the breach.20 Other commonplace controls that need to be implemented for IoT devices are the same controls that apply to most of the IT infrastructure today: two-factor authentication, stronger passwords or key-based authentication.

It is of paramount importance to realize that the key to having these defense methodologies work as expected is to secure the IoT devices and the network from the day that they are introduced into the network. If not, the possibility is high that these IoT devices are hackable forever and will never be able to be patched and secured. If such a rogue IoT device is detected, it should be replaced immediately.21

The Open Web Application Security Project (OWASP) helps IoT manufacturers build secure IoT software and periodically categorizes the top 10 IoT software vulnerabilities.

Public key infrastructure (PKI) authentication for communication between IoT devices and gateways is a recommended countermeasure to prevent an IoT device from being jailbroken to install unauthorized software. Only certified software should be permitted to be installed during upgrades and patching.
Frameworks are being introduced that can help to implement a robust security model for IoT devices. The KeyScaler 5.0 product from Device Authority offers certificate and key provisioning specifically for IoT devices during the registration process.22

Offense
The best defense always starts with a good offense. Early detection and preventing attacks in real time is the priority for security teams and has become the new mantra. Many recent breaches happened months ago or in some instances years ago (e.g., the Yahoo breach), before they were detected and the response processes began.23

Testing
Quality testing of IoT software is altogether different from traditional software testing. Autonomy, connectivity and momentum are the three factors that make IoT software-quality testing different from traditional software testing.24 The concept that security is a process and not an add-on feature is well known. IoT software testing for weaker passwords, buffer overflow vulnerabilities, etc., must follow the OWASP best practices. IoT devices should also be tested on universal serial bus (USB) ports for vulnerabilities. The key is to reduce the attack surface of the IoT device to the maximum extent possible. Additionally, like any other IT system that is close to the Internet, one should store, transmit and process only the minimum amount of sensitive information.25

IoT Risk Management
Forescout categorizes IoT devices into three levels:
• Disastrous—IP-connected devices that are hooked directly to the Internet are at high risk. They can cause damage to the enterprise by gaining access to sensitive information or cause critical infrastructure impairment.
• Disruptive—Interconnected systems, such as voice over Internet protocol (VoIP) phones and printers, can result in disruption in business operations.
• Damaging—Devices such as smart bulbs and refrigerators can be used to snoop around the enterprise network to possibly gain access to metadata about the network.26

FDA guidance recommends that device manufacturers form or join an information sharing and analysis organization (ISAO), which is similar to the information sharing and analysis centers that exist today. An ISAO can help participating organizations by sharing looming security threats and risk in real time and devising appropriate responses in a timely manner.

Analytics and Detection
Recent advancements in data analytics improve the actionable intelligence metric for security. Products such as Adaptive Defense not only provide security teams with information on the executables that enter the network, but also proactively confirm an incident, rather than just alerting for all suspicious events.27 PatternEx combines artificial intelligence (AI) with analyst intuition to offer a threat prediction platform that detects current and emerging threats in real time across the enterprise. This will and should be the trend going forward, especially with limited resources and analysts, continuous monitoring, security budgets, and more devices being added to the network creating still more ways to get hacked. Determining the point at which an intrusion actually happened after detecting that it happened is the key. AI can, hopefully, reduce the time and resources that are needed to detect an intrusion.
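The three enterprise-level steps (inventory, baseline, controls) and Forescout's three risk levels, worked through as an added example that is not from the article or from any vendor mentioned in it: a small check that tiers each inventoried device and lists where it misses an enterprise baseline. The device records, field names, threshold values and the mapping of device kinds to tiers are all constructed assumptions for this example.

```python
from datetime import date

# Step 1: the inventory. These device records, their field names and values are
# constructed for this example; a real check would read the asset register.
INVENTORY = [
    {"id": "cam-01", "kind": "ip camera", "zone": "iot", "internet_exposed": True,
     "default_creds": True, "firmware_date": date(2015, 6, 1), "auth": "password",
     "patchable": False},
    {"id": "voip-12", "kind": "voip phone", "zone": "corp", "internet_exposed": False,
     "default_creds": False, "firmware_date": date(2016, 11, 10), "auth": "cert",
     "patchable": True},
    {"id": "bulb-07", "kind": "smart bulb", "zone": "iot", "internet_exposed": False,
     "default_creds": False, "firmware_date": date(2014, 2, 20), "auth": "password",
     "patchable": True},
]

# Step 2: a baseline built from the controls the article recommends
# (separate IoT zone, regular patching, key-based or two-factor authentication).
BASELINE = {
    "iot_zone": "iot",
    "max_firmware_age_days": 365,
    "strong_auth": {"cert", "key", "2fa"},
}

# Forescout's three levels. Which device kinds count as "disruptive" is an
# assumption here; the report itself names VoIP phones and printers.
DISRUPTIVE_KINDS = {"voip phone", "printer"}
TIER_ORDER = {"disastrous": 0, "disruptive": 1, "damaging": 2}


def risk_tier(device):
    """Map a device to the disastrous/disruptive/damaging level."""
    if device["internet_exposed"]:
        return "disastrous"   # hooked directly to the Internet
    if device["kind"] in DISRUPTIVE_KINDS:
        return "disruptive"   # can disrupt business operations
    return "damaging"         # can be used to snoop on network metadata


def baseline_findings(device, baseline, today):
    """Step 3: compare one device with the baseline and list the gaps."""
    findings = []
    if device["default_creds"]:
        findings.append("default or hard-coded credentials")
    if (today - device["firmware_date"]).days > baseline["max_firmware_age_days"]:
        findings.append("firmware older than baseline")
    if device["zone"] != baseline["iot_zone"]:
        findings.append("not segmented into the IoT zone")
    if device["auth"] not in baseline["strong_auth"]:
        findings.append("weak authentication")
    return findings


def assess(inventory, baseline, today):
    """Return tier, findings and action per device, highest-impact tier first."""
    report = []
    for device in inventory:
        findings = baseline_findings(device, baseline, today)
        if not findings:
            action = "compliant"
        elif not device["patchable"]:
            action = "replace"      # a device that cannot be fixed gets replaced
        else:
            action = "remediate"
        report.append({"id": device["id"], "tier": risk_tier(device),
                       "findings": findings, "action": action})
    # Prioritize by magnitude of impact, as the DHS guidelines suggest.
    report.sort(key=lambda row: TIER_ORDER[row["tier"]])
    return report


def demo_report():
    """Run the check against the constructed inventory as of 1 March 2017."""
    return assess(INVENTORY, BASELINE, date(2017, 3, 1))
```

Running `demo_report()` flags the Internet-exposed camera with default credentials for replacement first, then the VoIP phone that was never moved into the IoT zone, then the bulb with stale firmware and password-only authentication.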
Team IoT Governance
The risk of an insecure IoT device is relative, based on the domain in which it is operated and the jurisdiction in which it thrives. For example, privacy is at utmost risk when the device handles protected health information (PHI), compared to when it is in an industrial setup, in which the infrastructure or services are at risk. The geography of where the IoT device operates also matters because the legal and regulatory bindings can differ from place to place. The governance of IoT devices needs to be handled separately, but under the IT governance umbrella. The four critical success factors that contribute to an effective IoT project are an efficient IoT project management team, a project stakeholder who has the authority to drive the IoT project, data and telecommunication infrastructure to support IoT, and subject matter experts to maintain high data quality and handle integration issues.28

At a project-management level, the eight steps29 that can help enterprises to put in place a sustainable IoT security program are:
1. Identify information
2. Prioritize the devices
3. Evaluate data loss risk
4. Evaluate IoT access risk
5. Perform IoT incident response planning
6. Formulate a big data strategy to manage the vast amount of IoT data generated
7. Devise policies for privacy of sensor data
8. Protect IoT devices

Conclusion
The IoT footprint will vary in size based on the industry vertical. As enterprises move forward on the IoT bandwagon to be more profitable and to be able to reach out to an extended customer base, they need to have an IoT strategy in place that encompasses the entire IoT device life cycle (from procurement to end of life). Enterprises need to build an IoT risk strategy that evaluates and manages risk. Consider IoT as part of the overall security and risk management portfolio and have a dedicated focus on continuously evaluating and monitoring IoT risk. Early adoption of security into the IoT device life cycle, at the hardware and software level, is the best practice. The FUD factor mentioned earlier will continue to drive management to invest in information security and, more specifically, IoT security in the near future, at least until the risk of breaches reduces.

Endnotes
1 York, K.; “Dyn Statement on 10/21/2016 DDoS Attack,” Oracle, 22 October 2016, http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
2 Ibid.
3 Martin, C.; “U.S. to Issue IoT Principles After Internet Cyberattack,” MediaPost, 26 October 2016, www.mediapost.com/publications/article/287614/us-to-issue-iot-principles-after-internet-cybera.html
4 Atluri, I.; “The Rewards and Risks of Our Smarter Future,” InfoSecurity Professional, International Information Systems Security Certification Consortium, Inc., November/December 2014, www.isc2.org/uploadedfiles/(isc)2_member_content/member_resources/infosecurity_professional_magazine/infosecurity-professional-magazine-nov-dec-2014.pdf
5 Op cit, Martin
6 Martin, C.; “U.S. Issues Guidelines for IoT Security,” MediaPost, 18 November 2016,
www.mediapost.com/publications/article/289288/us-issues-guidelines-for-iot-security.html
7 Armerding, T.; “Feds Provide Legal Loophole to Hacking IoT Devices,” CSO, 28 November 2016, www.csoonline.com/article/3144648/internet-of-things/feds-provide-legal-loophole-to-hacking-iot-devices.html
8 Lawson, S.; “Industrial IoT Inches Toward Consensus on Security,” ComputerWorld, 19 September 2016, www.computerworld.com/article/3122244/internet-of-things/industrial-iot-inches-toward-consensus-on-security.html
9 Federal Trade Commission, “FTC Announces Internet of Things Challenge to Combat Security Vulnerabilities in Home Devices,” USA, 4 January 2017, www.ftc.gov/news-events/press-releases/2017/01/ftc-announces-internet-things-challenge-combat-security
10 Zurier, S.; “Z-Wave Alliance Ups IoT Security,” SC Media, 12 December 2016, www.scmagazine.com/z-wave-alliance-ups-iot-security/article/578656/
11 Gross, G.; “US Lawmakers Balk at Call for IoT Security Regulations,” CSO, 16 November 2016, www.csoonline.com/article/3141920/security/us-lawmakers-balk-at-call-for-iot-security-regulations.html
12 CNBC, “New Cybersecurity Guidelines for Medical Devices Tackle Evolving Threats,” The Verge, 29 December 2016, www.cnbc.com/2016/12/29/new-cybersecurity-guidelines-for-medical-devices-tackle-evolving-threats.html
13 Food and Drug Administration, “Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” USA, 28 December 2016, www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
14 Zurier, S.; “No Clear Policy,” SC Magazine, March 2017, https://media.scmagazine.com/documents/287/0317_digital_edition_71636.pdf
15 Sun, L.; “IoT Stocks: What to Watch in 2017,” The Motley Fool, 23 November 2016, www.fool.com/investing/2016/11/23/iot-stocks-what-to-watch-in-2017.aspx
16 Microsoft Secure Blog Staff, “The Emerging Era of Cyber Defense and Cybercrime,” Microsoft Secure Blog, 27 January 2016, http://blogs.microsoft.com/microsoftsecure/2016/01/27/the-emerging-era-of-cyber-defense-and-cybercrime/
17 Dickson, B.; “Why IoT Security Is So Critical,” TechCrunch, 24 October 2015, https://techcrunch.com/2015/10/24/why-iot-security-is-so-critical/
18 Moyle, E.; “Three Steps to Better Security in IoT Devices,” TechTarget, July 2016, http://internetofthingsagenda.techtarget.com/tip/Three-steps-to-better-IoT-device-security-in-the-enterprise
19 Kerravala, Z.; “How Network Segmentation Provides a Path to IoT Security,” NetworkWorld, 17 December 2015, www.networkworld.com/article/3016565/security/how-network-segmentation-provides-a-path-to-iot-security.html
20 D’Abreo, C.; “What CIOs Need to Know About IoT and Security Risks,” Masergy Blog, 21 October 2015, www.masergy.com/blog/what-cios-need-know-about-iot-and-security-risks
21 SecureRF, “Why Dyn Suffered a DDoS Attack and How Consumer IoT Device Security Vulnerabilities Can Be Addressed,” 23 October 2016, www.securerf.com/dyn-suffered-ddos-attack-consumer-iot-device-vulnerabilities-can-addressed/
22 Stephenson, P.; “Access Control,” SC Magazine, 14 December 2016, www.scmagazine.com/access-control/article/577086/2/
23 Cross, K.; “This Is the New Reality for Cyber Security: Accept That Hackers Will Get In,” MarketWatch, 10 December 2016, www.marketwatch.com/story/this-is-the-new-reality-for-cyber-security-accept-that-hackers-will-get-in-2016-12-09
24 Lawton, G.; C. McKenzie; S. Raman; “IoT Applications Pose New Problems for Developers,” TechTarget, February 2016, http://internetofthingsagenda.techtarget.com/ehandbook/IoT-applications-pose-new-problems-for-developers
25 Sullivan, D.; J. Sullivan; “IoT Security Testing: Cover All Your Bases,” TechTarget, May 2016, http://internetofthingsagenda.techtarget.com/feature/IoT-security-testing-Cover-all-your-bases
26 ForeScout Technologies, Inc., How Hackable Is Your Smart Enterprise?, USA, 2016, https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf
27 Zurier, S.; “When It Comes to IoT, More Security Is Needed,” SC Magazine, 12 December 2016, https://www.scmagazine.com/when-it-comes-to-iot-more-security-is-needed/article/578654
28 Schulz, Y.; “Critical Success Factors for IoT Projects,” ITWorldCanada Blog, 25 June 2015, www.itworldcanada.com/blog/critical-success-factors-for-iot-projects/375399
29 O’Donnell, L.; “8 Strategic Steps for Long-Term IoT Security,” ITbestofbreed.com, 20 March 2015, www.itbestofbreed.com/slide-shows/8-strategic-steps-long-term-iot-security/page/0/2