The Internet of Things (IoT) Cybersecurity and Privacy Risks
The IoT ecosystem poses cybersecurity and privacy risks that extend beyond traditional data security.
This article provides an overview of IoT cybersecurity and privacy risks, including those posed by cyber, physical, and human elements, as a basis for addressing them.
It describes how the introduction of IoT to networks and infrastructure has changed the cybersecurity and privacy risks organizations face, and how managing these risks has become increasingly difficult for IT security departments.
From a cybersecurity perspective, while once there was only a need to focus on protecting servers and databases from intrusion, CISOs and front-line professionals are now tasked with defeating well-funded attacks that in some cases can cause immediate physical harm.
A single enterprise can have hundreds if not thousands of sensors, and monitoring for attacks in real time is resource-intensive.
Traditional IT security systems offer very little defense against these cyber-attacks that can shut down power grids, smart traffic systems, and automobiles.
The ubiquity of IoT devices poses challenges for managing the personal information they collect and helping people understand how that information is processed by a system.
IoT can – intentionally or unintentionally – lead to the direct collection of sensitive personal information such as geolocation, financial account numbers, and health information.
Many consumers are unaware that devices already in homes can surreptitiously record and process their information. As speakers pointed out, from personal health information on wearables to cameras on baby monitors, consumers have an expectation of privacy that is currently not met.
When assessing their particular set of risks, an organization must consider the nature of a specific IoT device and how it is being used in order to identify any associated cybersecurity threats or privacy problems.
The demonstrated list of risks is extensive. It includes – but is far from limited to – opportunities for malicious actors to hijack communication channels, spoof sensor data, access sensitive information, disrupt vital services, and alter signals and data for nefarious purposes.
Furthermore, while cybersecurity and privacy risks are present and need to be addressed throughout a device’s lifecycle, cybersecurity and privacy are often an afterthought and not considered throughout the system development lifecycle.
A need for a framework or other type of guidance for assessing and scoping IoT cybersecurity and privacy risks in order to provide an informed approach to securing devices and the ecosystems in which they are deployed has been expressed.
IoT Specific Risks
IoT cybersecurity and privacy challenges are posed by a variety of facets of the IoT ecosystem. Below is an overview of IoT-specific risks discussed during presentations and conversations, but not a comprehensive review of all IoT cybersecurity and privacy challenges.
Need for IoT Security Incentives
There is a lack of incentives to build cybersecurity and privacy into IoT devices. Cybersecurity is often an afterthought to getting to market, with price and features prioritized. There is also a general lack of consumer education leading to a lack of demand for better cybersecurity and privacy. There are guidelines available to help manufacturers mitigate the risk, but a lack of incentives to adhere to them.
Furthermore, there is a communication gap between technical and executive professionals. Speakers noted this gap will likely continue to exist until executives and technical professionals are more aware of the potential consequences of an IoT cybersecurity breach or failure.
With the rapid proliferation of IoT devices comes a rapid accumulation of data – data that offers a host of insights while also posing a host of security and privacy risks.
With such an increase in the volume of data, organizations have to consider how the data is processed.
While there are methods for analyzing anomalies in data, it can be difficult to analyze massive amounts of data to find discrepancies in real time (which many IoT applications need), especially when dealing with a sensor attack.
The volume of sensor data can also be used by both attackers and legitimate users to compromise users’ security and privacy. For example, smart meters can be analyzed to learn a person’s TV watching habits; gyroscope orientation can be used to get the password or text from a phone based on how a user’s hand is tilted while typing; and a bad actor can even learn health and religious information from a smart phone GPS location.
It has been demonstrated how sensors are now a feasible attack vector, as they are used to understand a physical environment and gather information. This data informs decisions and actions, and any spoofing can lead to unanticipated consequences.
A spoofing attack could affect things such as a GPS in a boat, the anti-lock braking system in a car, or a pacemaker located in a human body. Even an attack on a phasor measurement unit, which measures electrical waves, could destabilize portions of a power grid.
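The spoofing and real-time analysis concerns above translate into a concrete defensive task: validating sensor input against physical plausibility and against its own recent baseline before it is acted upon. The following is an added example, not code from the article or from NIST; the GPS track, the frequency readings, the 20 m/s boat speed limit and the detector parameters are all constructed for illustration.

```python
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass
class Fix:
    """One GPS fix: timestamp in seconds and position in decimal degrees."""
    t: float
    lat: float
    lon: float


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes (mean Earth radius)."""
    r = 6371000.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def implausible_fix_indices(fixes: list[Fix], max_speed_mps: float) -> list[int]:
    """Indices of fixes that imply a speed above max_speed_mps relative to the
    previous fix, or that carry a non-increasing timestamp. A vessel cannot
    exceed its physical top speed, so such jumps are treated as suspect input."""
    flagged = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur.t - prev.t
        if dt <= 0 or haversine_m(prev, cur) / dt > max_speed_mps:
            flagged.append(i)
    return flagged


class EwmaDetector:
    """Streaming z-score detector on an exponentially weighted mean/variance.
    Fits a scalar sensor such as grid frequency from a phasor measurement unit,
    where a sudden departure from the recent baseline should raise an alert
    before a control action is taken on it."""

    def __init__(self, alpha: float = 0.1, k: float = 4.0, warmup: int = 10, min_std: float = 1e-6):
        self.alpha, self.k, self.warmup, self.min_std = alpha, k, warmup, min_std
        self.n = 0
        self.mean = 0.0
        self.var = 0.0

    def _absorb(self, x: float) -> None:
        # Standard EWMA update of mean and variance.
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            incr = self.alpha * diff
            self.mean += incr
            self.var = (1 - self.alpha) * (self.var + diff * incr)
        self.n += 1

    def update(self, x: float) -> bool:
        """Return True if x is anomalous. Anomalous samples are not absorbed into
        the baseline, so a spoofed stream cannot slowly drag the baseline along."""
        if self.n < self.warmup:
            self._absorb(x)
            return False
        std = max(math.sqrt(self.var), self.min_std)
        if abs(x - self.mean) / std > self.k:
            return True
        self._absorb(x)
        return False


def anomalous_indices(readings: list[float], **kw) -> list[int]:
    """Run the detector over a whole series and return the flagged indices."""
    det = EwmaDetector(**kw)
    return [i for i, x in enumerate(readings) if det.update(x)]


# Constructed sample: a boat track along the equator at about 5.6 m/s, then one
# 1.1 km jump between consecutive fixes that would require roughly 556 m/s.
BOAT_TRACK = [Fix(2.0 * i, 0.0, 0.0001 * i) for i in range(6)]
BOAT_TRACK.append(Fix(12.0, 0.0, 0.0105))
BOAT_TRACK.append(Fix(14.0, 0.0, 0.0106))

# Constructed sample: 60 Hz readings with small noise, then a spoofed 57.5 Hz.
FREQ_READINGS = [60.00, 60.01, 59.99, 60.02, 59.98, 60.00, 60.01, 59.99, 60.00, 60.01, 60.02, 57.50]

if __name__ == "__main__":
    print("implausible GPS fixes:", implausible_fix_indices(BOAT_TRACK, max_speed_mps=20.0))
    print("anomalous frequency samples:", anomalous_indices(FREQ_READINGS))
```

The two checks are deliberately cheap (a few arithmetic operations per sample) so they can run at the sensor edge in real time, which is where the article notes detection is hardest at scale; a flagged sample is a signal to hold the dependent action and alert, not proof of an attack, since a faulty sensor produces the same symptoms.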
IoT Supply Chain
Supply chain threats are a concern in the IoT ecosystem as many manufacturers do not create the entire device. Manufacturers often use components produced elsewhere, and these components may be produced by suppliers whose cybersecurity practices are unknown to the manufacturer.
Many threats exploit vulnerabilities in IoT components that were acquired via the supply chain during the development, modification, or support of these devices.
Component suppliers often have poor cyber hygiene, and these vulnerabilities are more of an issue than the ingenuity of the attackers.
From these vulnerabilities, edge devices, IoT platforms, and the enterprise are all subject to hacking, snooping, and tampering.
Identity is critical to IoT because:
- Most IoT devices connect to the cloud at some point;
- Human control of, and access to, these devices is generally controlled by traditional identity solutions; and
- A full-lifecycle approach to identity is needed to govern access to things on the Internet.
Most IoT devices are controlled by traditional identity solutions – most commonly username and password. Because bad actors frequently leverage weak identity management practices to access devices, it is necessary to take a full-lifecycle approach to identity management in the IoT – that is, considering cybersecurity and privacy in every stage of the device lifecycle, from design to deployment to retirement.
Furthermore, these devices often come hard-coded with default passwords that cannot be changed.
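As an added illustration of the full-lifecycle identity approach described above, the registry below issues each device its own random secret at provisioning, stores only a salted hash, refuses anything on a known-default list, and supports rotation and retirement so a decommissioned device can no longer authenticate. This is example code, not NIST's or any vendor's; the default-credential list and the device names are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample list of factory defaults to reject; illustrative only.
KNOWN_FACTORY_DEFAULTS = {"admin", "password", "12345", "default"}
PBKDF2_ROUNDS = 50_000


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted password hash so a database leak does not expose device secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def is_factory_default(secret: str) -> bool:
    return secret.strip().lower() in KNOWN_FACTORY_DEFAULTS


class DeviceIdentityRegistry:
    """Server-side credential store covering the device lifecycle:
    provision (active) -> rotate (still active, new secret) -> retire."""

    def __init__(self) -> None:
        self._devices: dict = {}

    def provision(self, device_id: str) -> str:
        """Create a unique per-device secret; the plaintext is returned once for
        delivery to the device and never stored."""
        if device_id in self._devices:
            raise ValueError(f"{device_id} already provisioned")
        secret = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self._devices[device_id] = {"salt": salt, "digest": _derive(secret, salt), "state": "active"}
        return secret

    def authenticate(self, device_id: str, presented: str) -> bool:
        rec = self._devices.get(device_id)
        if rec is None or rec["state"] != "active":
            return False            # unknown or retired devices never authenticate
        if is_factory_default(presented):
            return False            # defence in depth against hard-coded defaults
        return hmac.compare_digest(_derive(presented, rec["salt"]), rec["digest"])

    def rotate(self, device_id: str) -> str:
        """Replace the secret of an active device; the old one stops working."""
        rec = self._devices[device_id]
        if rec["state"] != "active":
            raise ValueError(f"{device_id} is not active")
        secret = secrets.token_urlsafe(32)
        rec["salt"] = os.urandom(16)
        rec["digest"] = _derive(secret, rec["salt"])
        return secret

    def retire(self, device_id: str) -> None:
        """End of life: the credential is revoked rather than left dormant."""
        self._devices[device_id]["state"] = "retired"

    def state(self, device_id: str):
        rec = self._devices.get(device_id)
        return None if rec is None else rec["state"]


if __name__ == "__main__":
    reg = DeviceIdentityRegistry()
    s = reg.provision("sensor-01")
    print("authenticates with issued secret:", reg.authenticate("sensor-01", s))
    print("authenticates with 'admin':", reg.authenticate("sensor-01", "admin"))
    reg.retire("sensor-01")
    print("authenticates after retirement:", reg.authenticate("sensor-01", s))
```

Rejecting the default list at authentication time is a backstop only; the real control is that no two devices ever share a secret and that retirement revokes the credential, which is what a hard-coded, unchangeable password makes impossible.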
IoT DDoS Attacks
Analysis of recent attacks reveals that the scale of distributed denial-of-service (DDoS) attacks has rapidly increased in recent years. IoT devices are frequently leveraged in these attacks.
There are two types of DDoS attacks: one is a high-volume attack directed at the service itself, and the other is a reflection attack in which traffic is sent towards a targeted service. This rise is driven, in part, by profitability: this takes the form of bad actors using devices for attacks on individuals’ banking information, as well as people who hire bad actors for espionage and to cause chaos, often making payments with bitcoin and stolen credit cards.
IoT Patch Management
While patching is important for ongoing device cybersecurity, it is not sufficient. There are too many exploits for patching alone to work, and there is concern about running out of time and money before bad actors do, given how quickly IoT changes.
Next Steps for IoT Cybersecurity
In response to the concerns raised, the NIST Cybersecurity for IoT Program will continue collaborating with stakeholders as they begin drafting guidance for IoT cybersecurity and privacy. The Program intends for the document to have broad applicability to address common high-level cybersecurity and privacy risks for IoT, and to introduce practical risk management considerations for IoT product selection, deployment, protection, and operation.
As part of the guidance development process, the Program will engage with stakeholders for input.
Furthermore, the Program will continue working with the NIST National Cybersecurity Center of Excellence on projects to demonstrate secure and privacy-enhancing IoT solutions.
Updates on Program activities and collaboration opportunities are available on the NIST Cybersecurity for IoT Program website.