IoT Device Cybersecurity Guidance for Industry

IoT Device Cybersecurity

Internet of Things (IOT) cybersecurity is becoming an issue of increasing concern as these devices continue to secure a larger marketplace presence.  This is due to the fact that IoT solutions are a cost effective means of achieving integration of connected devices.  IoT include smart home products, wearable technology, health monitoring devices, alarm systems, and transportation equipment.  They can also be found in industrial controls technology, agriculture, military, and infrastructure applications. 

IoT devices are functional, inexpensive, and easy to implement.  As a result there has been an amazing growth in this market.  Fortune Business Insights predict that IoT Technology will grow from 478 billion dollars in 2022 to 2.4 trillion dollars in 2029.

IoT Device Core Baseline Cybersecurity

To address the vulnerabilities of IoT platforms, the National Institute of Standards and Technology (NIST) has released recommendations for manufacturers of IoT systems for improving how securable the IoT devices they make are.  The IoT Device Cybersecurity CapabiIity Baseline provides six actionable items, four that should be conducted to assess pre-market impact, and two activities with primarily post-market impact.  Because these activities affect the process by which design specifications should be created, the document is primarily intended for the development of new devices.

Pre-Market Activities for Baseline IoT Security

IoT product manufacturers should consider the security of a product throughout its life cycle.  This includes an examination of integration into the customers probable usage and overall system requirements.  Because these factors will widely vary from product to product the following steps should be conducted:

  1. Identify expected customers and users, and define expected use cases.
  2. Research customer cybersecurity needs and goals.
  3. Determine how to address customer needs and goals.
  4. Plan for adequate support of customer needs and goals.

IoT Considerations After Product Release

It is important to define methods for communicating cybersecurity risks and recommended protocols.  These considerations should include a declaration of risk related assumptions.  It is important to remember that both the manufacturer and the consumer share a responsibility in implementing and maintaining security.

NIST has provided a list of six recommended security features that manufacturers should build into IoT devices.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: Internally stored data should be protected by a device.  This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by using authentication of users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.

Additional Protective Steps

Because IoT devices often do not allow access to their built in management tools, implementing IoT devices can provide access points into networks that contain sensitive data.  Additionally, preventing access to devices from unauthorized persons can be a challenge in large industrial settings.  Therefore, segregation and isolation of these devices by using Virtual Local Area Networks (VLAN) should be considered when installing devices in a business setting.  

Cybersecurity of Increasing Concern for Businesses

Because many incidents go unreported, real losses to U.S. manufacturing from cybercrime are difficult to assess.  Even the most statistically reliable data is derived from a small survey of businesses conducted by the Bureau of Justice Statistics.   In a recent report from Douglas Thomas of NIST, estimated losses for all industries could be as high as between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion.

The unfortunate reality for businesses is that those implementing IoT systems do not fully comprehend the vulnerabilities these devices present.  As with cloud computing, proper implementation is essential.  Common issues include insecure interfaces, lack of consistent device updates, and weak password protection.  It is therefore essential that those who select, install, and service IoT devices be trained and follow documented best practices to prevent data breaches.

Other actions can be taken to mitigate malicious threats on sites where IoT applications are used.  Performing data analytics can often allow an organization to identify threats before they become critical.  Another tool for protecting data is utilizing Public Key Infrastructure (PKI) to provide effective encryption of IoT networks.

Call for IoT Certification and Labeling

Because consumer based cybersecurity measures are at best reactive, there has been an effort to initiate a Certification & Voluntary Labelling Scheme to set a standard for manufacturers of IoT devices.  A labeling system would allow an easy way for developers of IoT applications to gain the confidence of consumers.  This international certification framework would involve third party assessments of  at accredited test facilities to and would be internationally recognized.  Currently, a pilot program is open for applications for case studies.

CVG Strategy Cybersecurity

There are many applications where  the benefits of IoT have yet to be fully explored.  As development of IoT sensors continue, they will contribute to the enhancement of such technologies as Artificial Intelligence (AI) and even smart cities.  However, as they rely on internet connectivity they have inherent vulnerabilities.

Many manufacturers implement such devices to control processes and gather critical data.  Because of this, the risk these devices present should be taken into consideration by an effective Information Security Management System (ISMS).  CVG Strategy can help your business implement ISO 27001 to exercise due diligence and compliance with contractual and regulatory data security.  

CVG Strategy is committed to assisting organizations doing business with the Department of Defense achieve CMMC to secure our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk based management systems.  We have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements CMMC, establishing effective programs, and achieving certification.

 

Kevin Gholston

Share this post