Along with the tremendous opportunity brought to the enterprise by the gadgets that hang off of the Internet of Things (IoT) comes sizable risk that organizations must assess and manage.
“Value should be considered while determining risk,” said Paul Rohmeyer, associate industry professor at the Stevens Institute of Technology, who led the “Managing Cybersecurity and Privacy Risks in IoT” session at InfoSec World 2020, noting how “cheap, small and easy to deploy and replace” the devices are. “They are exhibiting a low barrier to entry. We come to rely on them quickly.”
Despite a value that Rohmeyer said “far exceeds replacement cost,” organizations grapple with understanding the risk associated with IoT. Organizations may be lulled into thinking that they “are in a good position to manage these things because they’re based on a pre-existing architecture,” he said. “IoT systems are unique. They don’t involve people. [They are] a widespread dispersion of [very simplistic] sensors” which represent a “different usage of the internet.”
First and foremost, he said, it’s important for organizations to understand:
- Does IoT have a role in some important business process?
- Does data have to be audited and will you have to prove you protected it?
- Does it rely on protected data? Customer or identifiable data?
- Do you have interoperability to ensure some degree of compatibility?
Protecting privacy and managing inventory are key to tamping down risk associated with IoT. “Personalized data should be protected,” said Rohmeyer. “It can be potentially manipulated – if someone steals a sensor, does that give the thief access?”
When it comes to inventory management, “enterprises that have an investment in IoT paint some semblance of inventory management, but nowhere near the gathering and management of other inventory.”
To better assess risk, Rohmeyer said security teams should answer the following questions:
- What is the network architecture? With IoT the network layer “becomes paramount.”
- What data are you capturing? “It’s not just plug the device in and let it start vacuuming up information,” he said. “What is it collecting, what kind of data, and is there end-to-end encryption?”
- What are the risks and controls around the processing environment that’s processing this information? “The output on one group of sensors [often is] inputting to other sensors,” said Rohmeyer.