Two years ago, the “Internet of Things” Security Foundation announced a new framework for security compliance. Here is an overview of IoT and a comprehensive summary of how the new security compliance framework will affect the operations of the InfoSec teams.
What Is the “Internet of Things” (IoT)?
Internet of Things is a term that has been in existence for a relatively long time, and it is used to refer to the interconnectivity of all things with internet capabilities such as smartphones, smart house systems, tablets, and so on. However, the true definition of IoT has evolved, and today, the term is used to refer to a scenario in which people, objects, or animals are given unique identification keys and the ability to transfer and receive data over any given network without the need for human-to-computer or human-to-human interaction.
On the other hand, Forbes describes the Internet of Things as the practice of connecting any device with an on/off switch to the internet or to one another. Such interconnected devices are used in schools, workplaces, and homes for a variety of purposes. Interconnectivity is at the center of IoT, and it is also what brings about the enormous security risks and challenges.
The Speed of Connection Is Too Much
The various IoT security risks are compounded by the speed of adoption and a lack of precise consumer knowledge. Even though most people are aware that IoT exists, only a few can explain what it entails and how security can be achieved within such a complex paradigm. The Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade held a joint hearing on November 16, 2016 to discuss the various risks associated with IoT.
The first item discussed during the hearing was the October 2016 denial-of-service attack, which was carried out by weaponizing unsecured network-connected devices such as cameras. Once those devices were under the full control of the black hat hackers, they were used to flood the targeted network with requests, rendering it unusable. Various statistics indicated that at least 3 billion connected smart and non-smart devices exist as potential entry points. With more connected vehicles and medical devices being manufactured every day, protecting the ever-rising number of possible entry points will only become more challenging.
The IoT Security Foundation
With the increasing number of enterprises offering cloud-based services connected through wireless networks, security remains a pertinent issue that needs to be addressed. The IoT Security Foundation (IoTSF) is a collaborative, non-profit, international response to the security challenges of a hyper-connected modern world. The IoTSF serves as a self-governing and self-regulating security body whose primary mandate is to improve information and data security for the Internet of Things while still allowing and championing innovation. The standards set by the IoTSF could be compared to those established by the ISO. The importance of the Internet of Things Security Foundation lies in its ability to bring together security experts and professionals from different areas of information security so that they can innovate and create devices in ways that are simple yet keep them safe.
The Internet of Things Framework
Apart from the IoTSF framework, Cisco has also proposed an IoT framework of its own. The two frameworks take different approaches to managing and securing information. The IoTSF framework offers a comprehensive checklist meant to help organizations get started, while the Cisco framework focuses primarily on providing definitions and useful information to help InfoSec experts understand the various security issues that surround IoT. Combining the two can help create a firm basis for an effective program.
The IoTSF framework checklist takes a risk-based approach similar to that of typical compliance programs. The risk assessment involves a thorough inspection of all the businesses and products currently in place to establish their level of risk preparedness. This framework covers 12 critical areas that must be reviewed:
- Device application
- Device hardware and physical security
- Business security process and responsibility
- Device operating systems
- Web user interface
- Authentication and authorization
- Device wired and wireless interfaces
- Cloud network elements
- Encryption and key management for hardware
- Secure supply chain and production
The framework provides comprehensive questions for each of these areas and also offers a place to link your supporting evidence. Organizations that want to stay ahead of the compliance curve have already started reviewing their IoT security and taking appropriate measures to safeguard the integrity of their information.
With the ever-rising number of connected IoT devices, there is a need for all manufacturers, businesses, and even clients to work as a team to keep their devices, information, software, and hardware safe.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.