The Rising Security Risk and Mitigation Options for IoT Devices

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, CISO
Date Published: 22 June 2020

In our world today, there are more smart devices than there are people. Many people could not make it through a modern workday without using a connected device. A growing number of people are connected to the Internet in one way or another, 24 hours a day. According to Cisco, by 2020, it is estimated that each consumer will have an average of 6.58 smart devices. Forty-four percent of children less than 1 year old use at least 1 smart device.

Researchers estimate that more than 3 million new devices are connected to the Internet each month. How is it possible for so many devices to be connected? Multiple data sources indicate that:

  • It is estimated that there will be more than 50 billion connected devices worldwide in 2020, according to the World Economic Forum.
  • Four billion people will be connected to the IoT in 2020, creating a potential revenue opportunity of US$4 trillion, according to IDC.
  • The IoT market will reach US$14.4 trillion by 2022. This includes the impact of Industrial IoT (IIoT) in all areas, including shipping, logistics, other commercial areas and consumer devices, according to Cisco.

These estimates are eye opening, helping us understand the size of the IoT market and how it impacts daily life. At the same time, security and privacy risks, and the challenges that come with them, keep increasing because of the growing use of IoT devices.

Cybersecurity and Privacy Risk Considerations

It is important to understand that many IoT devices affect cybersecurity and privacy risk differently than conventional IT devices do. For example, data security is always a significant concern for conventional IT devices, but for some IoT devices there may be no data security risk at all because they process or store little data that needs protection. Several factors shape how an IoT device's risk differs from that of conventional IT:

  • Different cybersecurity and privacy capabilities—Think of this in terms of general cybersecurity objectives: confidentiality, integrity and availability. For conventional IT devices, confidentiality often receives the most attention because of the value of data and the consequences of a breach of confidentiality. For many IoT devices, availability and integrity are more important than confidentiality because of the potential impact to the physical world. Imagine an IoT device that is critical for preventing damage to a facility. An attacker who can view the IoT device’s stored or transmitted data might not gain any advantage or value from it, but an attacker who can alter the data might trigger a series of events that cause an incident.
  • Different management and monitoring mechanisms—Conventional IT devices usually provide authorized people with hardware and software access, management and monitoring features.

In other words, an authorized administrator, process or device can directly access a conventional IT device’s firmware, operating system, and applications; fully manage the device and its software throughout the device’s life cycle as needed; and monitor the internal characteristics and state of the device at all times. Authorized users can also access a restricted subset of the access, management and monitoring features.

In contrast, many IoT devices are opaque. They provide little or no visibility into their state and composition, including the identity of any external services and systems they interact with, and little or no access to and management of their software and configuration. The organization may not know what capabilities an IoT device can provide or is currently providing.

Cybersecurity and Privacy Risk Mitigation for IoT Devices

Cybersecurity and privacy risk for IoT devices can be thought of in terms of 3 high-level risk mitigation goals:

  1. Protect device security—It is critical to ensure IoT devices are prevented from being used to conduct attacks, such as distributed denial of service (DDoS) attacks against other organizations, eavesdropping on network traffic, or compromising other devices on the same network segment. Risk mitigation involves:
    • Effective vulnerability management to identify and eliminate known vulnerabilities in IoT device software and firmware to reduce the likelihood and ease of exploitation and compromise
    • Preventing unauthorized and improper physical and logical access to, usage of and administration of IoT devices by people, processes and other computing devices
  2. Protect individuals’ privacy—Protect the privacy of individuals affected by personally identifiable information (PII) processing. Risk mitigation involves:
    • Maintaining a current, accurate mapping of the information life cycle of PII, including the type of data action, the elements of PII being processed by the data action and the party doing the processing
    • Enabling individuals to understand the effects of PII processing and interactions with the device, participate in decision-making about the PII processing or interactions, and resolve a problem
    • Monitoring and analyzing IoT device activity for signs of breaches involving individuals’ privacy
  3. Protect data security—Protect the confidentiality, integrity and/or availability of data (including PII) collected by, stored on, processed by, or transmitted to or from the IoT device. Risk mitigation involves:
    • Preventing access to and/or tampering with data at rest or in transit that might expose sensitive information or allow manipulation or disruption of IoT device operations
    • Monitoring and analyzing IoT device activity to detect potential device security incidents
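The monitoring items under goals 1 and 3 above (vulnerability management, detecting a device being turned against others, spotting traffic to services the organization never expected) can be made concrete with a small inventory-plus-flow-log check. The following is an added example written for this article, not code from the author or from any IoT vendor. Every device name, firmware version, IP address, threshold and log line in it is a constructed assumption; a real deployment would take the vulnerable-version list from vendor advisories and the flow records from a network sensor.

```python
"""Added example (not from the original article): apply the three IoT risk
mitigation goals to a constructed device inventory and constructed flow log.
All identifiers, versions, addresses and thresholds below are assumptions."""
from collections import defaultdict

# Constructed inventory. "expected_peers" records which external services each
# device is supposed to talk to; keeping this mapping is what turns an opaque
# device into one whose interactions can be reviewed.
INVENTORY = {
    "cam-lobby-01": {"firmware": "2.1.0", "expected_peers": {"10.0.5.10"}},
    "hvac-ctl-03":  {"firmware": "1.4.2", "expected_peers": {"10.0.5.20"}},
    "badge-rdr-07": {"firmware": "3.0.1", "expected_peers": {"10.0.5.30"}},
}

# Constructed list of firmware versions with a known, fixed weakness (goal 1:
# vulnerability management). A real list comes from the vendor advisory feed.
KNOWN_VULNERABLE = {"hvac-ctl-03": {"1.4.2"}}

# Constructed flow records: timestamp, device id, destination, bytes sent.
# badge-rdr-07 suddenly pushes large volumes to three addresses it was never
# meant to contact; thermo-99 is a device missing from the inventory entirely.
FLOW_LOG = """\
2020-06-22T10:00:01 cam-lobby-01 10.0.5.10 4200
2020-06-22T10:00:02 hvac-ctl-03 10.0.5.20 310
2020-06-22T10:00:03 badge-rdr-07 10.0.5.30 128
2020-06-22T10:00:04 badge-rdr-07 198.51.100.7 90000
2020-06-22T10:00:05 badge-rdr-07 198.51.100.8 90000
2020-06-22T10:00:06 badge-rdr-07 198.51.100.9 90000
2020-06-22T10:00:07 cam-lobby-01 10.0.5.10 4100
2020-06-22T10:00:08 thermo-99 10.0.5.40 50
"""

# Constructed thresholds (assumptions): bytes per device per window that would
# be unusual for these device classes, and how many distinct unexpected peers
# count as suspicious fan-out (a DDoS participant or scanner pattern).
BYTES_THRESHOLD = 100_000
FANOUT_THRESHOLD = 3


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, dst, nbytes = line.split()
        flows.append({"ts": ts, "device": dev, "dst": dst, "bytes": int(nbytes)})
    return flows


def analyze(inventory, vulnerable, flow_text):
    """Return findings keyed by mitigation concern, each a sorted list."""
    findings = {
        "vulnerable_firmware": [],   # goal 1: known-vulnerable software
        "unknown_devices": [],       # goal 1: device outside the inventory
        "unexpected_peers": [],      # goals 2/3: data flowing to unknown parties
        "fanout": [],                # goal 1: many unexpected peers at once
        "excess_volume": [],         # goals 1/3: unusual outbound volume
    }
    for dev, attrs in sorted(inventory.items()):
        if attrs["firmware"] in vulnerable.get(dev, set()):
            findings["vulnerable_firmware"].append(dev)

    bytes_by_dev = defaultdict(int)
    peers_by_dev = defaultdict(set)
    unknown = set()
    for f in parse_flows(flow_text):
        dev = f["device"]
        if dev not in inventory:
            unknown.add(dev)
            continue
        bytes_by_dev[dev] += f["bytes"]
        if f["dst"] not in inventory[dev]["expected_peers"]:
            peers_by_dev[dev].add(f["dst"])

    findings["unknown_devices"] = sorted(unknown)
    for dev, peers in sorted(peers_by_dev.items()):
        findings["unexpected_peers"].append((dev, sorted(peers)))
        if len(peers) >= FANOUT_THRESHOLD:
            findings["fanout"].append((dev, len(peers)))
    for dev, total in sorted(bytes_by_dev.items()):
        if total > BYTES_THRESHOLD:
            findings["excess_volume"].append((dev, total))
    return findings


if __name__ == "__main__":
    for concern, items in analyze(INVENTORY, KNOWN_VULNERABLE, FLOW_LOG).items():
        print(concern, items)
```

On the constructed data the script reports hvac-ctl-03 for its vulnerable firmware, thermo-99 as a device nobody inventoried, and badge-rdr-07 both for contacting three unexpected addresses and for the outbound volume, which is the pattern goal 1 describes when a device is used against others. The thresholds are deliberately simple; in practice they would be set per device class and reviewed as the article recommends, since a camera's normal volume looks nothing like a badge reader's.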

IoT today has helped reduce the toil of routine and repetitive tasks, and the market is growing. With it, so are IoT security risk areas and concerns. IoT security is not absolute and can never be guaranteed. New vulnerabilities are constantly being discovered, which means there is a need to monitor, maintain and review both policy and practice as they relate to specific use cases and operating environments on a regular basis.

How will you use IoT to help improve the future?

Hafiz Sheikh Adnan Ahmed, CGEIT, Certified COBIT 5 Assessor, CDPO, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, is a governance, risk and compliance (GRC); information security; and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter and volunteers at the global level of ISACA as a Topic Leader for the Engage online communities, member of the IT Advisory Group and the Chapter Compliance Task Force, Journal Article Reviewer and SheLeadsTech Ambassador. He previously served as a chapter award reviewer and on the CGEIT Quality Assurance Team. He can be reached via email at adnan.gcu@gmail.com and LinkedIn (http://ae.linkedin.com/in/adnanahmed16).