How to Secure IoT Devices and Networks
According to an August Government Accountability Office report, many federal agencies (56 of 90 surveyed) reported using Internet of Things technologies.
Most often, agencies reported using IoT to control or monitor equipment or systems (42 of 56), control access to devices or facilities (39 of 56) or track physical assets (28 of 56) such as fleet vehicles or agency property.
IoT devices are also being used to monitor water quality, watch the nation’s borders and control ships in waterway locks. Furthermore, IoT use by federal agencies may increase in the future, as 25 of the 56 agencies currently using IoT technologies indicated that they planned to expand IoT use in the next five years.
“IoT can also enable the collection and analysis of data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events,” NIST says in its May report.
However, as NIST notes, “IoT devices often lack device capabilities that customers can use to help mitigate their cybersecurity risks, such as the functionality customers routinely expect their desktop and laptop computers, smartphones, tablets, and other IT devices to have.”
As a result, those that deploy IoT solutions “may have to select, implement, and manage additional or new cybersecurity controls or alter the controls they already have.” An agency may not know it needs to alter existing processes to accommodate the unique nature of IoT devices.
“The result is many IoT devices are not secured in the face of evolving threats; therefore, attackers can more easily compromise IoT devices and use them to harm device customers and conduct additional nefarious acts (e.g., distributed denial of service [DDoS] attacks) against other organizations,” NIST notes.
Before devices are sent out to agencies or other users, NIST recommends IoT device manufacturers identify expected customers and users and define expected use cases. The report also recommends that manufacturers research their customers’ cybersecurity needs and goals.
A third recommendation is to “determine how to address those needs and goals by having their IoT devices provide particular device cybersecurity capabilities in order to help customers mitigate their cybersecurity risks.” A fourth involves “appropriately provisioning device hardware and software resources to support the desired device cybersecurity capabilities.”
IoT device manufacturers can also do a better job of communicating cybersecurity risks to those using the devices.
A separate NIST publication, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” notes that a core goal of IoT security is to “prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment.”
Another is to protect the confidentiality, integrity, and/or availability of data that IoT devices collect, store, process or transmit. A third goal is to protect individuals’ privacy impacted by personally identifiable information processing “beyond risks managed through device and data security protection.”