Identify IoT Risk with Threat Modeling
Even in small numbers, IoT devices can affect an agency’s risk significantly and in numerous ways. Devices increase the attack surface, giving attackers more ways to enter networks and environments. Because devices interact with the physical world, attackers could misuse them to disrupt agency operations, cause harm to people, damage infrastructure or steal sensitive information collected by IoT device sensors.
Agencies should perform threat modeling to better understand the relevant risks and mitigations for their IoT devices. This doesn’t mean modeling for every IoT product. Instead, think broadly about likely threats, likely vulnerabilities in those devices, the potential impacts of compromises and security controls that could help mitigate risks.
During threat modeling, agencies should review recent cyberthreat intelligence regarding how IoT devices have been attacked and compromised. Keep the following points in mind:
- IoT devices often function as part of a larger system; for example, interacting with the device manufacturer’s cloud-based software, services and data storage. This means sensitive data collected or used by the agency’s IoT devices might be accessed by and stored with one or more third parties. Make sure to include them in any threat modeling.
- IoT devices are frequently placed in locations that are physically accessible to attackers. Accordingly, threat modeling should assess the risk of local attacks against such devices, such as insertion of removable media, device theft, hardware tampering and wireless attacks.
- Employees might use some IoT devices personally, introducing risks related to personal information and privacy. For example, devices might record audio or video of employees or capture vital signs and other health information. Be mindful of both intentional and inadvertent recording of such data.
Determine the Best Risk Mitigation Strategies for Your Agency
Risk varies enormously among IoT devices. Consider the relative risk of a small gadget on an internal IoT-only network versus a lifesaving medical device in a hospital emergency room. If an IoT device is regulated, agencies must comply with all pertinent regulations. For other IoT devices, consider any applicable requirements of the NIST Cybersecurity Framework and the NIST Risk Management Framework, as well as the guidance in SP 800-213 and the control catalog in SP 800-213A.
Typically, it’s not feasible to apply a single set of cybersecurity requirements across all IoT devices. Supported capabilities vary from device to device, and missing capabilities usually can’t be added in the same way we might install anti-virus software on an operating system. Also, using an IoT device in one manner may create risks and impacts that don’t exist when the same device is used differently. As a result, the necessary mitigations can vary by use case.
In general, it’s prudent to take advantage of devices’ built-in cybersecurity capabilities, but be prepared to take additional steps to mitigate risk. For example, use separate networks for IoT devices and employ boundary protection devices — such as IoT hubs, gateways or firewalls — to restrict network traffic to and from the devices. This makes it harder for attackers to access devices and easier for agencies to monitor devices and detect suspicious activity. Having separate networks and placing IoT devices behind boundary protection devices are especially important if the devices can’t be updated or patched.
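As an added illustration (not from the original article), the following sketch shows how traffic on a separate IoT network can be checked against what the boundary device is supposed to permit, which is what makes monitoring easier once devices are segmented. The addresses, the per-device allowlist, the management host and the flow-record format are all constructed assumptions.

```python
import ipaddress

# Constructed policy for illustration: one IoT segment behind a boundary device.
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
# Per-device egress allowlist: device IP -> set of (destination IP, port).
EGRESS_ALLOW = {
    "10.50.0.10": {("203.0.113.20", 443)},  # camera -> vendor cloud (hypothetical)
    "10.50.0.11": {("10.50.0.1", 123)},     # sensor -> NTP on the gateway
}
# Only this management host may initiate connections into the segment.
MGMT_SOURCES = {"10.10.0.5"}
MGMT_PORTS = {22, 443}

def classify(src, dst, dport):
    """Return a verdict for one flow record (source IP, destination IP, port)."""
    src_iot = ipaddress.ip_address(src) in IOT_NET
    dst_iot = ipaddress.ip_address(dst) in IOT_NET
    if src_iot:
        if src not in EGRESS_ALLOW:
            return "unknown-device"  # on the segment but missing from inventory
        if (dst, dport) in EGRESS_ALLOW[src]:
            return "ok"
        # Device-to-device traffic is reported separately from traffic leaving the segment.
        return "lateral" if dst_iot else "egress-violation"
    if dst_iot:
        if src in MGMT_SOURCES and dport in MGMT_PORTS:
            return "ok"
        return "ingress-violation"
    return "out-of-scope"

def audit(flows):
    """Return only the flows the policy does not permit, with their verdicts."""
    findings = []
    for src, dst, dport in flows:
        verdict = classify(src, dst, dport)
        if verdict not in ("ok", "out-of-scope"):
            findings.append((src, dst, dport, verdict))
    return findings

# Constructed flow records, as a boundary device or flow collector might export them.
SAMPLE_FLOWS = [
    ("10.50.0.10", "203.0.113.20", 443),  # permitted vendor-cloud traffic
    ("10.50.0.10", "198.51.100.7", 23),   # device reaching an unlisted host
    ("10.50.0.11", "10.50.0.10", 80),     # device-to-device traffic
    ("10.10.0.5", "10.50.0.10", 443),     # permitted management access
    ("10.20.3.9", "10.50.0.11", 22),      # inbound from a non-management host
    ("10.50.0.77", "203.0.113.20", 443),  # device not in the inventory
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Because the allowlist is kept per device, the same audit also surfaces devices that appear on the segment without an inventory entry.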
Add Cybersecurity Protection or Retire Devices as Needed
Ideally, manufacturers will support IoT devices throughout their lifespans, releasing patches to correct vulnerabilities and taking other steps to address security issues. Realistically, however, some devices will not be supported. Agencies should be prepared to mitigate cybersecurity risk, preferably proactively, for legacy IoT devices.
Think in advance about how to compensate for problems in unpatchable devices — for example, a new OS vulnerability or a newly discovered weakness in a cryptographic algorithm used to protect data. Threat modeling should include these types of scenarios, then identify multiple ways to address them proactively, such as deploying network-based security technologies in proximity to vulnerable devices to monitor them closely.
In addition, agencies should determine criteria for deciding when a vulnerable legacy IoT device carries too much cybersecurity risk to be kept online. Remember, most IoT devices are intended to have relatively short lifespans, so planning for their retirement and replacement should be part of any security strategy.