Connected devices increasingly create a cybersecurity stress for businesses of all sizes across all industry types. Attempting to try to secure data environments increasingly requires establishing cybersecurity frameworks for Internet of Things (IoT) devices. In an attempt to ease the burden of data environment information security, the National Institute of Standards and Technology (NIST) issued a call for papers on April 18, 2018 for the creation of data security standards over IoT devices.
Internet of Things Risk Management
What is the Internet of Things?
Any device has an ability to connect to the internet or another device fall under the broad definition of Internet of Things (IoT). If you’re using a smart home device in your house, like lights that you can control through your smartphone? That’s an IoT device. Those Bluetooth headphones you love so much? IoT. That oil and gas real-time monitoring of pipelines? IoT.
Today, IoT drives efficiency. People protect their homes with security systems they can monitor from their phones. Businesses are easing data monitoring burdens by incorporating productivity tools. Manufacturers are streamlining their processes by enabling their Supervisory Control and Data Aquisition (SCADA) systems.
What are the security risks of using IoT devices?
People control computers. We can turn them on and off making sure that we protect their security when we’re not around. However, the IoT environment exists specifically to help automate activities so that we interact less with devices and engage with more information.
For example, in the healthcare industry, pacemakers equipped with IoT capabilities allow doctors to better monitor hearts. In your home, you’re connecting your doorbells to security cameras, to your smartphone.
Unfortunately, the same sensors that collect and communicate data bring with them a risk. When you share information between devices connected across your internal networks, you have firewalls, passwords, and encryption that protects the information. The sensors and connections between Bluetooth enabled devices, however, can’t handle the same kinds of protection that larger devices can.
What is a Bluetooth connection?
Bluetooth connections are short-distance, low-frequency radio wave signals that use little power. They connect devices to one another, usually within a 30-foot range. However, despite the connectivity of the anchored device to the internet, the Bluetooth connection is not always a network-enabled device.
For example, headphones can connect to a smartphone that connects to the internet, but they need the primary anchored device to reach the internet. Meanwhile, a smartwatch may have a cellular connection capability as well as a Bluetooth capability. In that case, the IoT device connects to both the anchored device (a smartphone) as well as the cellular data on the internet.
In the security realm, the Bluetooth connection is called “lightweight.” Because of the low radio frequency and low power consumption, they have little “weight” in terms of overall ability. They act as a tethering device and, often, can’t integrate independently.
What are the biggest IoT risks?
Since Bluetooth enabled and IoT devices connect in a variety of ways, they also create a variety of security concerns. The five predominant security gaps for establishing a risk management process include:
Authentication
When you connect your laptop to a network-based service, you usually try to incorporate a username and password. Moreover, if you’re really focused on security, you’re hopefully including multi-factor authentication which involves using either a device that provides another code or a biometric like a fingerprint.
Bluetooth connections create a unique “address” similar to an IP address. However, since you can’t put a password over that connection like you can with a router, the device doesn’t provide a high level of authentication.
Confidentiality
Since the connection between the devices isn’t secured by an authentication method, the information transmitted between the two may not remain confidential. In many ways, this problem is similar to the “public wifi” connection problem. Since there’s no password and no encryption, the information passing back and forth can be easily intercepted.
Authorization
Bluetooth connections do not have the complexity to protect the devices from unauthorized users and programs. In traditional networking, you can control the data that individual users can access. However, since Bluetooth devices don’t allow you to create passwords and usernames, you also can’t define by the user what data they can access.
Integrity
Since you can’t authenticate the users or set authorizations, you can’t ensure that only the right people are accessing the information going across the Bluetooth connection. In other words, anyone can get in between the devices to intercept the information traveling from the Bluetooth device to whatever else it is connecting to.
Pairing
Pairing the Bluetooth IoT device with a smartphone, tablet, or computer requires you to establish an information sharing connection between them. If you leave the primary device open to a Bluetooth connection for your IoT connections, other devices searching for “Bluetooth” connectivity can see yours as well which gives malicious actors an opportunity to connect to your primary device.
What is the goal of NIST’s “Lightweight Cryptography” project?
IoT devices range in price and sophistication. An IoT syringe for disseminating pain medication needs a different level of security from headphones that connect to an MP3 player. If someone hacks into the pain medication IoT syringe, they can not only steal health data but overdose a patient. Someone hacking into an MP3 player steals payment card information or other personal data but might not necessarily kill a person.
However, NIST recognizes the importance of creating standards to protect all devices. As part of its standardization goal, NIST spent four years consulting with industry groups that include smart power grid experts and car manufacturers.
The current draft of the NIST Lightweight Cryptography Standardization Process focuses on minimum requirements that include authentication encryption with associated data (AEAD) focusing on coding that helps prevent brute-force attacks against the devices. Additionally, the project focuses on ensuring that solutions maintain low energy, low power, and rapid speed.
How ZenGRC Enables NIST Compliance
ZenGRC provides an easy-to-use solution that allows compliance managers to stay up-to-date on changes in the information technology compliance area. The built-in seed content includes NIST 800-53 and all its 1,000 objectives.
When the standards change, we change with them. Instead of having to constantly seek out information to update your compliance stance, we provide a single-source-of-truth that provides updates to standards and regulations ensuring that you remain continuously compliant despite the constantly evolving state of the cybersecurity industry.
For more information about how ZenGRC enables continuous compliance, contact us for a demo.