Imagine waking up one morning and asking Alexa for the weather – only to hear nothing but silence. A small inconvenience for sure and so you move on with your day and attempt to catch up on the news only to discover the New York Times podcasts are unavailable. Undeterred, you jump on Slack to check on how your software developers are doing to meet an impending deadline only to find that your online code repository is down too. Your morning has transitioned from one of mild annoyance and inconvenience to one of lost productivity and its potential costs.
That was exactly what happened on Friday, October 21, 2016. Mirai, an internet worm virus, propagated across various Internet of things (IoT) devices through manufacturer default configurations and was able to take down several household-name websites like Netflix, Reddit and CNN. Some observers compared this attack to an act of war. At a minimum, such an attack clearly points to potential forms of cyber-terrorism.
The internet of things (IoT)—a term referring to internet-enabled smart devices for consumers and businesses—contributes to the ease of attacks and dramatically expands the nature and range of cyber risks, partly due to the proliferation of poorly secured internet-connected devices.
As companies expand internet connectivity from traditional phones, tablets and laptops to products such as door locks, thermostats, coffee makers, vehicles, medical devices and even yoga mats, the inadequate security of these devices creates easy access points to wreak havoc on larger networks, systems and data repositories.
Smart-device security frameworks to consider
The following frameworks are useful in designing, implementing and operating secure smart devices over their lifecycles:
- U.S. Department of Homeland Security (DHS): Strategic Principles for Securing the Internet of Things – Explains risks and provides principles and best practices for achieving a responsible level of security for designing, manufacturing, owning and operating devices and systems
- Industrial Internet Consortium (IIC): Industrial Internet of Things Security Framework – Presents a process to create industry consensus on how to secure IIoT systems
- IoT Security Foundation (IoTSF): IoT Security Compliance Framework – Presents IoT security best practices
- Institute of Electrical and Electronics Engineers (IEEE): IoT Security Framework for Smart Cyber Infrastructures – Provides a smart-house and smart-buildings framework and threat model for developing a methodology for protecting IoT services against cyber attack
- Online Trust Alliance (OTA): IoT Trust Framework – Includes strategic principles to help secure IoT devices and their data when shipped and throughout their lifecycle
- Open Web Application Security Project (OWASP): IoT Framework Assessment – Outlines vendor-agnostic criteria to evaluate relative security strengths of IoT development frameworks
- National Institute of Standards and Technology (NIST):
- NIST 800-160 – Implementing security in IoT
- NISTIR 8114 – Criteria for and classification of IoT devices for encryption
- NCCoE IoT-Based Automated Distributed Threats – Practice guide that describes the solution and practical steps needed to mitigate IoT-based automated distributed threats
- Network of Things – Special Publication 800-183 – Provides a model and terminology for describing IoT devices and mapping the model to lower-level architectures and designs
- Cybersecurity for Smart Grid Systems – NISTIR 7628 – Smart Grid Strategy, Architecture and High-Level Requirements
- NIST Special Publication 800-121 – Guide to Bluetooth Security Revision 2 – Discusses security considerations for devices that may implement Bluetooth communication protocols
- Cybersecurity for Cyber Physical Systems Framework – Provides mapping to IoT models
- NCCoE Wireless Medical Infusion Pump – Implementation techniques for wireless medical infusion pumps
- Guide to Industrial Control Systems (ICS) Security – Special Publication 800-82 – Guidance for establishing secure industrial control systems
- UL (formerly Underwriters Laboratories): Cybersecurity Assurance Program – Uses the UL 2900 series of standards to offer testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness
Thus, cyber risks are increasing for virtually every user of non-traditional smart devices—including businesses with internet-connected digital assets. That jeopardizes the security of data stored and processed by those devices and assets.
What do businesses need to understand about these threats, and how should they address them?
Proliferating things, proliferating risks
Devices with internet connectivity, such as industrial control systems (ICS) for manufacturing processes, have been around for a few decades. The universe of such devices has grown into the IoT, and today’s smart devices now are more than just connected, they are now converting data at the sensor itself.
For example, a smart refrigerator may have each of these components:
- Hardware, including built-in cameras, CPU, memory, speakers, and touchscreen
- Operating system based on Linux
- Applications, including internet radio for music, sensors and applications for sharing shopping lists, photos and calendars
- Communication over a network, with internet access via Wi-Fi controlling temperature and humidity on different shelves,
Smart devices connected to the IoT are projected to number in the tens of billions globally by 2020 and some, such as voice-activated home automation devices or personal assistants like Alexa, connect to cloud infrastructure, raising additional security concerns. It may become difficult to buy non-smart devices, just as non-smart phones are becoming rare. The exponential growth of internet-connected devices has necessitated development of Internet Protocol (IP) Version 6 because the typical IP Version 4 address format currently in use —for example, 192.168.1.1—will be exhausted at 4.3 billion addresses.
Smart devices tend to be designed for functionality more than security. For example, while vendors often use marketing terms like “military grade encryption,” they also design products with undocumented backdoor accounts to be used for updates. It may be just a matter of time before those backdoor accounts are discovered and exploited. Smart devices are plagued by these and other issues. Backlogs of unpatched vulnerabilities are growing every day.
Common security issues involving smart devices include:
- Devices being shipped pre-configured with insecure settings and user interfaces that make it difficult to patch or update firmware, should the vendor actually provide updates
- Companies emphasizing price over vendor reputation during procurement, potentially overlooking questionable relationships between vendors and hostile actors
- Code reuse by developers and manufacturers inadvertently leading to “vulnerability reuse,” potentially replicating problems on a mass scale
- Closed source-code, which prevents third-party analysis or testing that would ensure that proper coding practices have been used
- Devices lacking sufficient memory or processing power to allow firewall implementation or other security mechanisms
- Devices being shipped with default credentials that remain unchanged long after deployment
- Privacy violations such as collecting too much personal data, not allowing end-users to opt-in or opt-out and failing to secure collected data
- Absence of encryption or use of weak encryption, which jeopardizes data at rest and in transit
The impacts of vulnerabilities vary widely. While traditional servers may crash during an attack causing inconvenience to customers and costs to the company, smart device vulnerabilities can be potentially deadly. Researchers demonstrated this in 2015 by hijacking an unmodified SUV over the internet, allowing the vehicle’s acceleration, braking and steering to be controlled from anywhere on the planet. Similarly an IoT-enabled insulin pump was accessed through an unencrypted radio frequency channel, allowing full control of the pump. Both cases had potentially deadly consequences.
The healthcare industry in particular faces risks to patient safety and health, in addition to lost or compromised data, particularly personal health information—an attractive target for identity thieves and other bad actors. A compromised device could not only enable an attacker to pivot to other targets on the network and breach those records, but also, in the case of devices used to monitor patients’ vital signs or to provide continuous care, endanger personal or public health and cause loss of life.
AIM for smart device security
Given the exposures created by IoT devices, they should be subject not only to traditional, proven security practices, but also to a cyber risk governance model that can be scaled to the level of smart devices, which in some industries can number in the millions.
Grant Thornton’s AIM approach to cyber security—Align, Integrate, and Measure—can help your organization incorporate smart-device security into a holistic cyber strategy. The AIM approach enables a business-outcome-focused cyber risk program that identifies, prioritizes and addresses the most important needs.
Specifically, consider the following steps:
Align smart-device security and business needs
Begin by aligning smart-device security with the business strategy so as to accept only risks that drive higher performance and strategic goals.
Integrate smart-device security with business processes
- Develop a smart-device governance strategy to ensure that security considerations make their way into product design, manufacturing and implementation processes, so the required quality, security and resiliency capabilities are designed and available
- Designate ways of embedding smart-device security governance responsibilities into the relevant business processes and operations, and, potentially, appointing an IoT product security officer and giving product development or engineering greater responsibility and accountability
- Ensure management and the risk committee understand the risks of smart devices and are positioned to make informed business decisions
- Embed awareness of the organization’s smart-device ecosystem across all relevant businesses and functions to supplement existing inventory practices
- Conduct ongoing smart-device security tests and assessments to quantify security risks, and monitor those risks and their effects on the organization’s risk profile
An organization can layer relevant practices and controls into business processes by identifying and integrating frameworks and metrics to measure effectiveness.
Measure smart-device security effectiveness
- Adopt a smart-device governance model and an IoT security framework (see sidebar)
- Follow the security-by-design principle to establish clear security requirements for smart-device design and development and implementation
- Integrate security testing into the smart-device product development and use lifecycle, and mandate security risk remediation before devices go live
- Understand how incident response models have to change given the larger scale of the smart-device ecosystem
- Enhance the third-party risk management program to include specific smart-device security evaluation questions and requirements
Measuring business outcomes assists in determining effectiveness and in rationalizing investments and efforts to achieve continuous improvement.
- Establish key risk indicators (KRIs) to measure smart-device security governance program outcomes and the effectiveness of risk mitigation steps
- Track security risk remediation over time to measure trends and improve the ROI on smart-device security measures
- Conduct benchmark studies to evaluate smart-device security program maturity and to rationalize adoption of relevant leading practices for the industry or devices
For assistance in considering, designing or implementing any of these steps, contact a Grant Thornton cyber risk professional today.
Principal, Risk Advisory Services
: +1 703 637 4071
Senior Manager, Risk Advisory Services
: +1 704 632 6842
Senior Manager, Risk Advisory Services
: +1 215 814 4053