

As the former CSO of a multinational corporation, CyberSaint CEO George Wrenn knows the importance of IoT security and Digital Risk Management, which is why the CyberStrong Platform supports even the latest draft of NIST’s IoT Framework.

Rod Turk, CISO and acting CIO of the Commerce Department, said that CISOs and their teams need to evaluate the impact of IoT holistically and continuously assess risks that change and grow as IoT devices, vendors and more are added and removed. Even though some agencies, such as NASA, want to fold IoT security into their broader cybersecurity efforts, the importance of IoT is fundamentally changing the role of the federal CISO.

“Know what’s in your environment,” Turk said, according to Federal News Radio. “You may not know all of your IoT, but I’ve got a good hunch that you’ve probably got a sense of where it all is. You know your printers, you know your copiers now have computers in them, and they’re going to be storing information, and they have the ability to take that information and send it out to random places.”

NIST reports that IoT networks are deployed over a variety of protocols and physical links, and that “selecting the appropriate messaging and communication protocols depends on the use case and security requirements for each system.” One important characteristic of IoT deployments is the potential for seemingly out-of-the-blue connections that no single system view captures. According to a recent NIST report, “IoT could not be ‘planned’ nor secured well using traditional approaches to security since system compositional or emergent properties would never be seen by a risk manager.”

In agencies, the network interfaces used in these IoT deployments are attack surfaces, and therefore, as NIST puts it, “without a system asset definition and subsequent threat analysis the security design is very unlikely to be useful.”

How to Effectively Manage IoT Security Issues

Many cybersecurity techniques designed for industrial control systems can be adapted for IoT as well. An agency could restrict physical access to IoT-related components via card readers or even guards. As another example, an agency could restrict network access by “using unidirectional gateways, a demilitarized zone network architecture with firewalls to prevent network traffic from passing directly between the corporate and IoT networks, and having separate authentication mechanisms and credentials for users of the corporate and IoT networks.”

NIST advises federal agencies to protect IoT components individually - for example, by deploying security patches after testing them, disabling unused ports and services, and then making sure they stay disabled.

The principle of least privilege applies to IoT just as it does in so many other circumstances. Agencies could, and should, restrict IoT access to only those users who truly require it in their respective roles. Agencies should also keep and monitor audit trails while implementing best-practice security controls, including “file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware,” notes the NIST report.
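The two NIST recommendations above, keeping disabled services disabled and running file integrity checking, come together in a baseline-and-compare routine. The script below is an added example written for this article; it is not code from the NIST report or from the CyberStrong Platform. It hashes every file under a directory into a baseline, then reports added, removed and modified files on a later check. The device configuration files, their contents and the simulated tampering are constructed for the demo.

```python
"""Baseline-and-compare file integrity check for an IoT device's config tree.

Added example (not from NIST or CyberSaint): build a SHA-256 baseline of a
directory, store it off-device as JSON, and later diff the live tree against
it. The demo directory layout and file contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks: a link pointing elsewhere would hash the target, not the tree.
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = _sha256(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline; return added/removed/modified paths."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake device config tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Constructed config: unused services recorded as disabled, as NIST recommends.
        (root / "etc" / "device.conf").write_text("telnet=disabled\nsnmp=disabled\n")
        (root / "etc" / "allowed_hosts").write_text("10.0.5.10\n")
        baseline = build_baseline(root)
        # Round-trip through JSON, as a real tool would when storing the baseline off-device.
        baseline = json.loads(json.dumps(baseline))
        # Simulated unauthorized changes: a service re-enabled, a file dropped in, a list removed.
        (root / "etc" / "device.conf").write_text("telnet=enabled\nsnmp=disabled\n")
        (root / "etc" / "extra.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "allowed_hosts").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A baseline taken right after patching and hardening, stored somewhere the device cannot write to, turns "make sure they stay disabled" into a check that can run on a schedule and feed the audit trail the paragraph describes.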

Federal agencies should implement controls preventing modification of IoT data by an unauthorized party - whether the data is being stored, processed, or transmitted within or between organizations. NIST states that agencies can learn to “detect failed IoT components, unavailable services, and exhausted resources that are important to provide proper and safe functioning of an IoT system” in order to be even more secure.

If there is a security incident, IoT systems need to keep functioning across a range of conditions, which means designing them so that each critical component has a redundant counterpart. NIST says that the IoT system “should fail in a manner that does not generate unnecessary traffic on IoT or other networks, or does not cause another problem elsewhere, such as a cascading event.”
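The previous two paragraphs describe detecting failed components and exhausted resources, and failing without flooding the network. The monitor below is an added example for this article, not code from NIST or from the CyberStrong Platform, and the heartbeat records, device names and resource limits in it are constructed. Each device is expected to send a heartbeat every `interval` seconds; a device silent for more than `misses_allowed` periods is marked failed, a device reporting a resource above its limit is marked degraded, and a failed device is re-polled on a capped exponential backoff so that a large outage does not turn into a retry storm. The backoff schedule is one reasonable realization of the "no unnecessary traffic" advice, chosen for this example.

```python
"""Heartbeat-based failure detection for IoT devices with a fail-safe re-poll policy.

Added example (not from NIST or CyberSaint). Device names, heartbeat
timestamps and resource readings below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class DeviceState:
    last_heartbeat: float          # epoch seconds of the last heartbeat seen
    interval: float                # expected heartbeat period in seconds
    misses_allowed: int = 3        # missed periods tolerated before "failed"
    consecutive_failures: int = 0  # drives the backoff for a failed device
    resources: dict = field(default_factory=dict)  # e.g. {"mem_pct": 91.0}


def classify(state: DeviceState, now: float, limits: dict) -> str:
    """Return 'failed' (heartbeats stopped), 'degraded' (a resource at/over limit) or 'ok'."""
    if now - state.last_heartbeat > state.misses_allowed * state.interval:
        return "failed"
    for name, limit in limits.items():
        if state.resources.get(name, 0.0) >= limit:
            return "degraded"
    return "ok"


def next_poll_delay(consecutive_failures: int, base: float = 5.0, cap: float = 300.0) -> float:
    """Capped exponential backoff: 5, 10, 20, ... seconds, never above `cap`."""
    return min(cap, base * 2 ** max(0, consecutive_failures - 1))


class Monitor:
    """Keeps per-device state across evaluation rounds."""

    def __init__(self, interval: float, limits: dict, misses_allowed: int = 3):
        self.interval = interval
        self.limits = limits
        self.misses_allowed = misses_allowed
        self.states: dict = {}

    def observe(self, device_id: str, ts: float, resources: dict = None) -> None:
        """Record a heartbeat; out-of-order (older) heartbeats are ignored."""
        st = self.states.setdefault(
            device_id, DeviceState(last_heartbeat=ts, interval=self.interval,
                                   misses_allowed=self.misses_allowed))
        if ts >= st.last_heartbeat:
            st.last_heartbeat = ts
            st.resources = resources or {}

    def evaluate(self, now: float) -> dict:
        """Classify every device and compute how long to wait before polling it again."""
        report = {}
        for device_id, st in self.states.items():
            status = classify(st, now, self.limits)
            if status == "failed":
                st.consecutive_failures += 1
                delay = next_poll_delay(st.consecutive_failures)
            else:
                st.consecutive_failures = 0
                delay = st.interval
            report[device_id] = {"status": status, "next_poll_s": delay}
        return report


def demo() -> list:
    """Constructed scenario: three devices evaluated at four successive times."""
    mon = Monitor(interval=30.0, limits={"mem_pct": 90.0, "fd_pct": 95.0})
    t0 = 1_000_000.0
    mon.observe("camera-01", t0, {"mem_pct": 40.0})
    mon.observe("printer-02", t0, {"mem_pct": 92.0})        # memory nearly exhausted
    mon.observe("hvac-03", t0 - 200.0, {"mem_pct": 10.0})   # silent for 200 s already
    reports = []
    for k in range(4):
        now = t0 + 5.0 + k * 30.0
        mon.observe("camera-01", now - 1.0, {"mem_pct": 40.0})  # camera keeps reporting
        reports.append(mon.evaluate(now))
    return reports


if __name__ == "__main__":
    for i, r in enumerate(demo()):
        print(f"round {i}: {r}")
```

In the constructed run, hvac-03 is failed in every round and its re-poll delay grows 5, 10, 20, 40 seconds, printer-02 is degraded on memory until its heartbeats age past the three-period threshold and it becomes failed, and camera-01 stays ok. Treating "degraded" as its own state gives operators the "exhausted resources" signal NIST calls out before the device actually drops off the network.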

Overall, NIST notes, “there is a multiplicity of risks associated with IoT” and that to mitigate IoT security risks, they “should not be assessed and monitored in a vacuum, but take into consideration the broader perspective of risk to ensure all aspects of threat and vulnerability are addressed.” This is why NIST's draft IoT Framework can be supported by the CyberStrong Platform, and why the Platform can adequately support digital risk management, risk profiling, and reporting across any organization or multitude of organizations. See How: Get a Free Demo.

