The proliferation of Internet of Things devices is well-documented, with the potential for more than 20 billion connected things by 2020. Installations of connected devices are spanning virtually all industries and cover just about any use case that can be imagined.
With such an enormous volume of connected devices and minimal regulation, it comes as little surprise that many of them have been programmed incorrectly and are supplying users with false or misleading information.
“So, how do you look at scenarios like that?” said ISACA board director R.V. Raghu during Wednesday’s session on IoT audits at EuroCACS in Edinburgh, Scotland. “It can become very dangerous.”
IoT audits should align with enterprise needs and ensure a compliance approach is factored in from the outset. Auditing IoT can help address a wide array of important questions, including each of the following:
- How will the device be used from a business perspective, and what business value is expected?
- What threats are anticipated, and how will they be mitigated?
- Who will have access to the device, and how will their identities be established and proven?
- What is the process for updating the device in the event of an attack or vulnerability?
- Who is responsible for monitoring new attacks or vulnerabilities pertaining to the device?
- With whom will the data be shared?
In the case of IoT, the answers to these questions can have urgent implications. Raghu used a nuclear plant as an example, saying that the capacity to interpret accurate data in a timely fashion can guard against potentially damaging irregularities at the plant.
“We want to be able to pick up the data at the right point and then tell you, this is what we need to do,” Raghu said.
Privacy considerations need to be taken into account by IoT device manufacturers, given the enormous capacity to gather data. Encryption might need to be built into devices to protect potentially sensitive information, such as with medical devices used by hospitals.
“Do we need to get greedy and collect everything that is possible, or do we only collect the data that makes sense to us?” Raghu said. “And, in the post-GDPR world, that is a very important question to ask.”
Raghu also expressed concern that regulation of IoT devices is lagging behind the surging usage, meaning there is little standardization on the IoT landscape.
That puts even more of a premium on strong risk management and robust controls. Among the baseline controls that should be put in place for IoT devices are identity and access management, malware protection, transmission confidentiality and time-stamping. Raghu also highlighted “Level 2” controls, such as patching, vulnerability management and log management, saying many organizations do a subpar job with their log management.
“People don’t want to do the log analysis, and if you don’t do the log analysis, you don’t understand how the device is behaving, and you could have a serious problem on your hands at some point,” Raghu said.
Whether affecting security in homes, in hospitals, in cities’ critical infrastructure or just about any other setting of today’s society, the ramifications of insufficient IoT security can be serious. Raghu said IoT audits should emphasize the importance of continuous monitoring, as prescribing fixes months after the fact can be far too late.
“You don’t have that kind of luxury here,” Raghu said. “You might need to fix it on an ongoing basis, on the fly, so it becomes very important you have a real-time status on this.”
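The log-management and continuous-monitoring points above (time-stamping as a baseline control, log analysis to understand how a device is behaving, a real-time status rather than a fix months later) can be turned into concrete checks. The following is an added example, not code from the article or from ISACA; the device name, log format and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log from a hypothetical temperature sensor (not real device output).
# It deliberately contains a clock going backwards, a line with no time-stamp,
# an implausible reading and a long reporting gap.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z sensor=tank-7 temp_c=41.2
2024-03-01T10:00:30Z sensor=tank-7 temp_c=41.5
2024-03-01T09:59:00Z sensor=tank-7 temp_c=41.4
sensor=tank-7 temp_c=41.6
2024-03-01T10:01:30Z sensor=tank-7 temp_c=-999.0
2024-03-01T10:12:00Z sensor=tank-7 temp_c=42.0
"""

# Assumed line layout: optional ISO-8601 UTC time-stamp, device name, one reading.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)?\s*"
    r"sensor=(?P<dev>\S+)\s+temp_c=(?P<val>-?\d+(?:\.\d+)?)$"
)

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def analyse(log_text, plausible=(-40.0, 120.0), max_gap=timedelta(minutes=5)):
    """Return (line_no, finding) pairs for the conditions an auditor cares about:
    unparseable line, missing time-stamp, clock going backwards, reporting gap,
    and a reading outside the physically plausible range (misleading data)."""
    findings, last_ts = [], None
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append((n, "unparseable"))
            continue
        if m["ts"] is None:
            findings.append((n, "missing-timestamp"))
            continue
        ts = parse_ts(m["ts"])
        if last_ts is not None and ts < last_ts:
            findings.append((n, "timestamp-backwards"))
        elif last_ts is not None and ts - last_ts > max_gap:
            findings.append((n, "reporting-gap"))
        if not plausible[0] <= float(m["val"]) <= plausible[1]:
            findings.append((n, "implausible-value"))
        last_ts = ts if last_ts is None else max(last_ts, ts)
    return findings

def is_stale(log_text, now_iso, max_age=timedelta(minutes=5)):
    """True when the newest time-stamped line is older than max_age: the device has gone
    quiet, which a real-time status view should surface rather than a later audit."""
    stamps = [parse_ts(m["ts"]) for m in map(LINE_RE.match, log_text.splitlines()) if m and m["ts"]]
    return not stamps or parse_ts(now_iso) - max(stamps) > max_age
```

Running `analyse(SAMPLE_LOG)` flags lines 3 to 6, one finding each; the same checks apply unchanged to any device whose log carries a time-stamp and a bounded reading.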