Managing the risk of the Internet of Things
The Internet of Things (IoT), or variations of the term, has saturated the media with stories of connected vehicles, networked wearables, home automation, and smart meters. With such significant conversation, one would think that this market was invented yesterday, but, in fact, the machine-to-machine communication that typically interfaces with the physical world via communication networks has been with us for a long time. The less flashy devices known as industrial control systems have been running our electric grids, oil pipelines, and manufacturing plants for decades. Like cloud computing, which partly owes its lineage to the mainframe timesharing concepts of the 1960s and 1970s, IoT has been rebranded.
But notwithstanding the hype, the market for connected devices is shifting. Like cloud technology, IoT is massively larger in scale than its earlier generations and is growing fast. What makes it significant, and a little scary, is its sheer ubiquity, touching consumers and businesses alike. Moreover, the use cases continue to expand from trivial or narrowly focused applications to broad-based and life-critical solutions in health care and transportation.
To understand the risk to IoT, definitions are needed. Clearly, IoT is a somewhat fluid term and owes its name more to media hype rather than to a multi-year standards process. Consequently, it has the "know it when you see it" quality. At its most basic level, IoT implies network connectivity, the use of embedded (or limited computing) devices, and, typically, involves some connection to the physical world, such as measuring temperature, blood pressure, or road vibrations. In essence, it implies network connectivity for everyday devices that traditionally were not considered computers; however, nearly every use of IoT also involves some traditional computer usage. For example, these small, embedded devices usually report their status and receive instruction from a traditional computer workstation, server, laptop, or smartphone. A typical IoT architecture might look similar to what is shown in Figure 1.
It’s better to think of IoT as less a series of small devices and more of an ecosystem that requires multiple components to work correctly. The supporting components, while appearing to be normal computing devices, still need to be adjusted for the real-time nature of and massive data often associated with IoT. Computer networks need to be everywhere and optimized for the volume and velocity of the data flows. And the appropriate business logic needs to be devised for what are largely autonomous networks.
But fundamentally, IoT is about the core components that interact with the physical world. They typically include sensors to measure things like temperature, wind speed, or presence of an object. And they often include actuators that initiate actions like driving a car, turning off power, or injecting insulin. The supporting functions are often the place where the actions are determined, but for some largely autonomous devices, some of those decisions could be made independently based on the input the device receives.
While IoT is still a relatively new concept, core components have had populated industrial networks for decades, and they foretell some of the risks that could potentially be faced. Industrial networks have frequently been the subject of cyber attacks. Unlike traditional information technology components, they are often more vulnerable because many industrial networks were never designed to connect to networks that were linked to a hostile Internet. Instead, those closed networks assumed physical attacks were the threats to guard against.
In addition to interconnectivity challenges, the core industrial devices, such as programmable logic controllers (PLCs), had basic communication protocols that could crash if they received any unexpected data. Moreover, PLCs were essentially designed to process commands from whoever sent them, sometimes with little or no authentication. That meant that if the industrial networks were not sufficiently isolated or properly defended, compromise was more likely with real physical consequences.
IoT threats are real
Threats have been executed through IoT.
- Nearly two decades ago, a disgruntled former employee used network access to remotely release sewage.
- In 2007, researchers demonstrated that a generator could be destroyed by remotely opening and closing circuit breakers rapidly.
- In 2014, hackers broke into the industrial network of a German steel mill and prevented a blast furnace from shutting down.
- With respect to the more modern IoT devices, a researcher hacked his insulin pump, others managed to compromise smart meters, and, in a segment aired on "60 Minutes," Defense Advanced Research Projects Agency (DARPA) scientists remotely controlled automobile brakes.
These examples show how securing billions more of IoT devices, deploying them on a wide variety networks, and connecting some of them directly to the Internet will continue to pose great challenges.
Even with better network stacks and more rigorous cyber-security controls, the nature of many of these devices means that the robust controls that exist on typical workstations, laptops, servers, or even smartphones are unlikely to be implemented in the devices’ design. Controls need to be evaluated and implemented in a different way. Moreover, these devices are incredibly diverse in application, location, and architecture. Some rely on centralized control, while others have their own intelligence and often operate autonomously.
By definition, they are connected with other networked components, which means they are at risk of being compromised, have the potential to spread infections, and serve as a platform for hackers to attack other parts of the ecosystem. That is why the risks posed by IoT are significant, because, normally, there is a level of trust that pervades the network where these live. It is the network and its scalability offer the greatest promise and the greatest risk for IoT.
Additionally, it is often the data that matters. While the idea of hacking cars to run them off the road or manipulating pacemakers to induce heart attacks may generate the headlines and Hollywood movie plots, the reality is that much of the IoT world exists simply to observe and report. Their job is to generate and forward data. In the future, much of society will rely on these passive sensors to decide when and where to grow food, where to travel, and thousands of other similar decisions. It will be the accuracy of this data, or more precisely the relative accuracy of the aggregated data, that will prove to be a critical ingredient in how our private and public lives are conducted. That data will serve as the foundation by which everything else is built and operated. And few will ever stop and think whether the underlying data is correct.
By manipulating data, hackers could threaten air, water, food supply, and personal safety. For example, the correct data will keep us from dying in car crashes when nearly all vehicles will be self-driving, heavily relying on sensor data to operate correctly. For that reason, the commands issued to IoT devices and the integrity of data received from those devices must be protected.
Learn more about steps to take with mitigating IoT risks and how to prioritize potential vulnerabilities to the system.
Approaches to IoT risk
So given the wide variety of devices and their influence on the future world, what’s the best way to reduce risk? Traditional risk management may point in many directions. Trying to understand the kinds of future threats and devising controls to address them are likely to be overwhelming with the proliferation of new devices and continual acceleration of related threats. Also, the traditional strategy depends on how devices are used.
Another method would focus on the impacts and prioritize efforts around those with the most devastating consequences. This is a common method used by many government approaches, where the bulk of the focus is on impact and not how vulnerable a particular device is to a given threat. While impact is important, it is more important to first appreciate what exactly IoT devices are intended to do. Starting with a use case analysis also demonstrates what the intended business purpose is. If a device later gets used for something else, the risk team can point to the original analysis to remind management that a new risk analysis is warranted.
Building a risk model
To evaluate IoT risk, first define the use case. How will the devices and the supporting infrastructure be used? While technical descriptions are useful, the focus should be on the relevant business processes and expected outcomes. How exactly will this produce operational, business, or personal value? Given that nearly all projects must be approved with similar justification, this information shouldn’t be hard to find.
Unlike broad-based budgeting that seeks a general goal, but doesn’t touch on the how, these use cases should be very specific and should include details. The kind of data involved should include whether humans will interact directly with these devices in a physical sense (such as health monitoring devices, self-driving vehicles, or control system computer banks), whether the devices will interact with existing technology, and any assumptions that are made about the infrastructure that should already be in place. All business objectives should be noted, because one of the tasks for a risk analysis is to determine the consequences of those objectives not being met due to hacking or some other device failure.
It is also important that a use case be created for each variation. For example, connecting a smart meter that merely measures and reports energy usage has very different implications than one that also supports the ability to remotely disconnect power. The details matter. Deciding how detailed the use case should be is often a judgment call.
Once the use case is settled, companies are safe to analyze potential impacts. As noted, the easiest place to start is looking at the business objectives of the use case and asking what would happen if those objectives were denied in a cyber security attack.
If we’re talking about a pacemaker or an airplane, the consequences could be loss of human lives. In most cases, a device would simply cease to supply data. It’s important to understand the consequences from a variety of perspectives. For example, a device that ceases to function will likely signal the owner that something is wrong, and a repair or replacement likely would occur promptly. However, if a hacker managed to cause the device to send the wrong data, critical business functions could be impacted, leading to potentially worse consequences over time. In either case, it’s helpful to start thinking about the worst possible, but plausible, impact that could result from a cyber attack, including downstream effects such as lost customer revenue.
More importantly, considering what economists call "externalities" is also critical. For example, unless a company is sued, lost customer data doesn’t really hurt it directly, although indirect reputational harm can occur. Societal and quality of life issues are more nebulous, but relevant. For example, the failure of road sensors to accurately report traffic conditions could cause more traffic jams. Pollution, often the quintessential example of an externality, erodes air quality in often undetectable ways that are only felt when aggregated across thousands or even millions of pollution sources. This same effect could be witnessed with IoT, as automation and Moore’s Law conspire to create undesired outcomes. While broader societal harms are much harder to quantify when embarking on an IoT project, the issue should at least be noted so the problem can be easier to identify when it develops.
Once impacts are known, the potential vulnerabilities are easier to identify and prioritize. Identification of vulnerabilities usually starts with examining all interfaces and potential attack surfaces, both logical and physical. Because the number is often quite large, it may be necessary to focus on likely and sufficiently impactful threats. For example, it’s unlikely that a nation state is interested in gathering information on someone’s power usage unless it was the power usage for a key military base. In essence, vulnerabilities, to some extent, need to be informed by the current threat environment.
Notably, certain basic cyber security practices should always be implemented, regardless of threat, because devices could always be repurposed, and even bored teenagers can draw upon a huge reservoir of hacking tools and techniques readily available online at no cost. So looking for buffer overflows, assigning appropriate user roles, implementing acceptable user authentication, and applying patches to discovered software flaws, where feasible, are always recommended.
Finally, the exercise goes beyond the standard risk analysis to recognize that IoT will not stand still. By its very nature, it will grow and mutate to satisfy demands. Technologies like road sensors and smart meters are not designed to be replaced frequently, so software updates and network changes will need to use the installed hardware. That also means that considerations like upgradeability and extensibility, while not largely cyber security considerations, become bigger issues with IoT. Consequently, future use and misuse cases should be identified.
Similarly, the consequences of expanding the network of devices, and how that could lead to an overreliance on the core installation, need to be considered. For example, handling the security of a few self-driving cars may be manageable with one person manually doing occasional oversight. However, once the few cars grow to several thousands, just hiring more people won’t work, as the amount of data and attack surfaces increase exponentially. In that case, the only cyber-security solution to greater degrees of scale and automation is by using cyber-security automation that is then overseen by people. Harm to other stakeholders, or externalities, also needs to be part of the equation. The result is the extrapolated risk that a given IoT device or set of devices poses, as depicted in Figure 2.
Of course, identifying risks is only part of the equation and is often a trivial exercise. IoT phenomenon has fostered a cottage industry pointing to all the ways devices can be hacked. While the potential consequences of these attacks are not always fully appreciated, it’s clear that adequately addressing the vulnerabilities will be a big job.
Many vulnerabilities just aren’t worth fixing at this point. It may be possible to hack a wearable fitness band, but the consequences may be too small to matter. If that device were worn by a celebrity, used for personal harm, or used to notify a doctor when the person’s heart rate gets too high, changing the risk and the justification for remediation may be required.
Perhaps the most important consideration is that the device be identified for a particular purpose and if that purpose changes, the risk analysis and potential compensating controls would also change for the manufacturer and the end user. For example, a networked drone could be sold as only appropriate for agriculture and oil drilling observations in unpopulated areas. Enforcing these parameters could be a challenge, even if manufacturers disclaim liability for unspecified uses. Vendors have every incentive to find new uses for products. Moreover, when a device is designated for only a particular purpose, the manufacturer actually may incur more liability as any failure or harm it caused could be viewed as foreseeable, an important consideration in determining negligence. At the very least, some assumptions should be highlighted, and any limitations should be noted.
Additionally, two measures are being developed with respect to digital devices used in areas involving human safety, significant property damage, or a critical societal service like electricity, water, or emergency services. In so-called critical infrastructure areas, the standards are higher. And it should be no different for IoT. In these areas, additional oversight and the use of mandatory cyber security controls may be warranted.
In some cases, changes to a device may need approval from a government or industry regulatory body. Because consumers will increasingly be using and communicating with devices traditionally reserved for professionals (such as vehicle-to-vehicle communications or adding energy resources to the electric grid), it may be preferable that device owners aren’t free to tinker. Other initiatives include some sort of vetting of the devices through a certification process for particular use cases including safety, large amounts of personal information, or critical infrastructure.
For individuals or businesses purchasing these devices, mitigation and proper use starts with a well-defined use case development process. For businesses, that should mean policies specifically permitting or excluding a device’s use in a particular environment or for a particular purpose. Where personally identifiable information is involved, there should be clear data collection and retention policies. And specific people should be assigned responsibility for each device, as well as for the larger system involved, where relevant. Companies, in particular, need to review insurance for coverage of device damage and the harm that could result if the device is misused. Where possible and relevant, some sort of ongoing security monitoring should be implemented.
Finally, device owners need to understand that one security review is not enough. They need to schedule ongoing reviews as device use expands, as major changes are made to any backend infrastructure that communicates with these devices, and as new types of data are collected. The risk management model then needs to be revised with every change in scope.
Six IoT risk mitigation steps
For those currently involved with IoT, which includes nearly everyone, six basic actions should be taken regardless of the risk involved or the dollar amount being spent on the program.
- Beginning right away, IoT owners should identify current IoT implementations that are in place, planned, or anticipated. This may include building management systems for heating and air conditioning or even the mechanisms used to run the elevators if they’re networked.
- Next, organizations should identify any security policies or procedures related to IoT. If none exist, companies should at least document some high-level controls that should be in place, such as locking the elevator machine room.
- Within three months, organizations should ensure that device owners have applied the risk model described above and reviewed the results with management.
- Organizations should also identify mitigation steps and associated costs to achieve the desired state.
- And in the next six months, organizations should identify IoT risks that they don’t control, but that affect their organization.
- Organizations should also participate in industry groups to encourage development of security standards for the devices that most affect them.
– Gib Sorebo is chief cyber security technologist at Leidos Engineering. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, firstname.lastname@example.org.
- A basic understanding of IoT and implementing some basic steps can put any organization on the right track to managing its IoT risk.
- IoT is thought of as less a series of small devices and more of an ecosystem.
- Unlike traditional information technology components, IoT-connected devices are often more vulnerable.
As IoT spreads to almost every object in the future, how can we protect ourselves from hacked devices, or even the hacking of our homes? The question is should there be objects that are not connected for our own safety?
– See related stories about the IoT and the IIoT linked below.