With technology leaders such as Facebook and Alphabet, Inc. allowing their employees to work remotely through mid-2021, remote work will likely be viewed as one way to cut costs and move through the current economic and health crises. Across industries, organizations seek to embrace Internet of Things (IoT) devices to reduce manual tasks and promote social distancing. However, IoT devices often lack basic security controls which lead to new cybersecurity risks across the IT stack. A comprehensive solution for managing IoT as part of organizations’ growth plans must also incorporate establishing best practices for moving forward securely.
Why is IoT enabling a distributed workforce?
IoT offers unique capabilities as organizations move their workforces off premises. Whether looking at medical or manufacturing IoT technologies, connected devices enable organizations to monitor and manage mission-critical operations. As reported in IoT Business News, remote monitoring devices allow manufacturers to monitor and manage asset performance remotely and medical professionals to monitor patient vital signs without being bedside. In short, these devices have the potential to replace in-person processes while workers remain remote to protect their physical health.
What are the IoT security risks?
IoT historically lacks a set of cohesive security guidelines, making the devices more difficult to protect. Their low levels of processing power and memory undermining security controls like encryption. Simultaneously, in the early days of IoT device manufacturing designers and developers rarely thought to insert security protections, leading to security issues such as requiring manual security updates, incorporating default passwords many users fail to change and leaving open backdoors that malicious actors can use.
Establishing an IoT risk tolerance
In May 2020, the Internet of Things Security Foundation (IoTSF) released the second version of its IoT Security Compliance Framework (IoTSCF). According to the IoTSCF, organizations need to take a risk-based approach to IoT security by creating “compliance classes” and weighing the security objectives of confidentiality, integrity, and availability.
As with any security compliance framework, organizations need to look first to their risk level and tolerance. Determining an organization’s “compliance class” under the IoTSCF means looking at the various potential risks embedded in the IoT stack.
For example, each IoT device incorporates a combination of risks to the confidentiality, integrity, and availability of information. With that in mind, organizations seeking to secure these access points need to start with a basic understanding of the types of information the devices collect, store and transmit as the company’s desired level of security.
According to the IoTSCF, organizations can look to the following suggestions as part of their risk tolerance setting:
Class 0: Low or “Basic” risk to confidentiality, integrity, and availability
Class 1: Basic risk to confidentiality, medium risk to integrity and availability
Class 2: Medium risk to confidentiality and integrity, high risk to availability
Class 3: High risk to confidentiality and availability, medium risk to integrity
Class 4: HIgh risk to confidentiality, integrity, and availability
For example, an Industrial IoT (IIoT) device would rarely be considered a Class 0 because it collects, transmits and stores sensitive data. Manufacturers often use IIoT for long-term data storage, making them riskier simply because of the large amounts of data stored for a longer period of time. The same can be said for medical IoT as well since the information the devices transmit is often sensitive electronic patient health information (ePHI).
Meanwhile, IoT such as smart thermometers used to regulate office temperature are low risk, so long as they use little processing power and a cyberattack would have no impact on sensitive data. In these cases, network segregation might act as the appropriate risk mitigation control.
Prioritizing IoT security business processes
As with all cybersecurity issues, no “one size fits all” approach to IoT security exists. At the core, the IoTSCF provides guidance across compliance classes. However, it does set some specific minimum requirements for all IoT devices.
Among these security controls, the IoTSCF suggests:
- Having an internal organizational member who owns and is responsible for monitoring the security
- Ensuring that this person adheres to the compliance checklist process
- Establishing a policy for interacting with internal and third-party security researchers
- Establishing processes for briefing senior executives in the event the IoT device leads to a security incident
- Ensuring a secure notification process for notifying partners/users
- Incorporating IoT and IoT-based security events as part of the Security Policy
From a hardware and software perspective, the following suggestions guide all compliance classes:
- Ensuring the product’s processor system has an irrevocable hardware Secure Boot process
- Enable the Secure Boot process by default
- Ensure the product prevents the ability to load unauthenticated software and files
- Ensure that devices supporting remote software updates incorporate the ability to digitally sign software images
- Ensure software update packages have digital signatures, signing certificates, and signing certificate chain verifications prior to installing the update
- Set appropriately restricted access controls for production software signing keys
- Clarify conditions for and period of replacement support if devices lack software updates
- Prevent update mechanisms from interfering with real-time performance expectations
- Permit only a local update by physically present user when devices cannot verify the authenticity of the updates themselves
- Establish end-of-life policies with specified minimum time frames for supporting updates and reasons for ending the support period
- Ensure that all possible software updates are pushed for a period of time appropriate to the device
Functionally, these minimum requirements across all compliance classes align with traditional security controls used at the enterprise IT level. However, as organizations onboard more complex IoT devices to reduce manual tasks and their associated operational costs, they need to be purposeful about looking at their risk and the ability to meet these minimum requirements.
Moving towards the future
Increased IoT device deployments may be a way to maintain business continuity and grow a remote workforce across industries that traditionally rely on in-person, on-premises operations. However, organizations must be mindful of the potential security risks associated with these devices and continually seek out the most recent security controls.