NIST report, experts say security of IoT, mobile devices must be addressed
Physical, sensing, actuating, computing and other security access control systems — including the spectrum of biometric usage such as biometric access and security systems; door, parking facilities, elevators, communication facilities, and rooms; occupant interface dashboards; and universal control and monitoring systems — are among the issues discussed in the recently released National Institute of Standards and Technology’s (NIST) Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT), prepared by the Interagency International Cybersecurity Standardization Working Group.
Another emerging risk, NIST said, is augmented reality applications that require access to a variety of sensor data such as video and audio feeds and geolocation.
Regarding implementation of cryptographic techniques for information assurance, “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system,” is vital.
According to the report, “The timely availability of international cybersecurity standards is a dynamic and critical component for the cybersecurity and resilience of all information and communications systems and supporting infrastructures. The intended audience is both the government and public. The purpose is to inform and enable policymakers, managers, and standards participants as they seek timely development of and use of such standards in IoT components, systems, and services.”
The report noted that identity and access management and related standards enable the use of secure, interoperable digital identities and attributes of entities to be used across security domains and organizational boundaries that include people, places, organizations, hardware devices, software applications, information artifacts, and physical items.
“Standards for identity and access management support identification, authentication, authorization, privilege assignment, and audit to ensure that entities have appropriate access to information, services, and assets” are also essential. “In addition, many identity and access management standards include privacy features to maintain anonymity, unlinkability, untraceability, ensure data minimization, and require explicit user consent when attribute information may be shared among entities.”
Significant identity and access management standards must be included in risk management techniques and specifications to assert identity and authentication, as well as enforce access policy on a range of platforms.
Consequently, “restricting physical access to IoT network and components” is key because, “Unauthorized physical access to components could cause serious disruption of IoT system’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.”
The report emphasized that, “Preventing unauthorized access to any building control system is paramount to securing smart buildings. Thus, the main objective must be to protect the interfaces to and between each system, even when they may be overlaid on top of one another. A domino effect caused by the compromise of one system leading to the compromise of another, cannot be allowed happen. It is also important for fail-safes and backup systems to be in place in the event of a malfunction of any one of the systems. Since some of these systems may be dynamic and impossible to model in each-and-every scenario, robust modeling and testing must be done to handle foreseeable situations. Occupant safety is also a vital objective.”
Thus, smart buildings require identity verification to prevent unauthorized access to any building control system.
The NIST interagency report comes on the heels of a Ponemon Institute and Shared Assessments sponsored survey of “553 individuals who have a role in the risk management process and are familiar with the use of IoT devices in their organizations” in order to “understand organizations’ level of awareness and preparedness for the upcoming enterprise IoT wave.
The survey report, The Internet of Things: A New Era of Third-Party Risk, revealed, “Participants in the study are aware that IoT introduces new security risks and vulnerabilities into their organizations. However, efforts to mitigate third-party risks in the IoT ecosystem are lagging. According to the research, companies are relying on technologies and governance practices that have not evolved to address emergent IoT threat vectors. Such potential risks include the ability of criminals to harness IoT devices, such as botnets, to attack infrastructure and launch points for malware propagation, SPAM, DDoS attacks and anonymizing malicious activities.”
Similarly, NIST reported “IoT systems cross multiple sectors as well as use cases within those sectors” found “the priority of the individual’s cybersecurity objectives may be prioritized very differently, depending on the application. The proliferation and increased ubiquity of IoT components and systems are likely to heighten the risks they present. Standards based cybersecurity risk management will continue to be a major factor in the trustworthiness of IoT applications. Through analysis of the application areas, cybersecurity for IoT is unique and will require tailoring of existing standards, as well as, creation of new standards to address popup network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety.”
NIST’s report was prepared in order, “To gain insight on the present state of IoT cybersecurity standardization, five IoT technology application areas are described. These application areas are not exhaustive but are sufficiently representative to use in an analysis of the present state of IoT cybersecurity standardization. Connected vehicle (CV) IoT enables vehicles, roads, and other infrastructure to communicate and share vital transportation information. Consumer IoT consists of IoT applications in the residence as well as wearable and mobile devices. Health IoT processes data derived from sources such as electronic health records and patient generated health data. Smart building IoT includes energy usage monitoring systems, physical access control security systems and lighting control systems. Smart manufacturing IoT enables enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.”
NIST’s interagency report’s conclusions focused on “the issue of standards gaps and the effective use of existing standards.”
“For identified priorities,” the report concluded, “agencies should work with industry to initiate new standards projects in Standards Developing Organizations (SDOs) to close such gaps. In accordance with US government policy, agencies should participate in the development of IoT cybersecurity standards and, based upon each agency’s mission, agencies should cite appropriate standards in their procurements. Also, in accordance with US government policy, agencies should work with industry to support the development of appropriate conformity assessment schemes to the requirements in such standards.”
The Ponemon Institute and Shared Assessments survey report said respondents are so “pessimistic about their companies’ ability to minimize IoT risks” because “the major barriers to addressing the risk are: a lack of priority, insufficient resources and boards of directors that are not fulfilling their oversight responsibilities and making management accountable. Specifically, only 30 percent of respondents say managing third-party IoT risks is a priority in their organizations and only 25 percent of respondents say the board of directors wants assurances that IoT risks among third parties is being assessed, managed and monitored appropriately. Because it is not a priority and leadership is not engaged, it is understandable that necessary resources are not being allocated.”
“The recent interagency report on the state of IoT cyber standards is a warning that without a standardized set of requirements in place, IoT devices — including the energy sensors in the federal government buildings — are susceptible to cyberattacks. While the report includes recommendations for a number of connected devices, including connected vehicles and smart medical devices, it consistently highlights the need for standardizing mobile device security,” Biometric Update was told by Bob Stevens, Vice President of Public Sector at Lookout.
“When it comes to network security,” Stevens said, “existing standards are not specific enough to mitigate the risk associated with mobile and IoT devices. And thanks to the rapid pace of innovation currently taking place when it comes to technology, we must not only consider security processes that address the threats of today, but also the attacks of the future that we can only assume will be bigger, faster and harder to protect against.”
He said, “Lookout recently conducted a survey of 200 government IT and cybersecurity specialists and found that 60.5 percent of government agencies reported they had experienced a security incident involving a mobile device. Despite this, many agencies are operating under outdated assumptions about what is ‘good enough’ to protect mobile devices. Many have turned to enterprise mobility management (EMM) solutions and restrictive mobile policies to protect their networks from mobile threats. Still, these approaches aren’t enough to protect the networks from mobile-based attacks.”
Stevens warned that because, “Mobile devices have become an integral part of virtually every person’s day-to-day lifestyle,” combining “this societal norm with the growing mobile threat landscape, and it’s evident that the need for standard mobile security practices is reaching an all-time high.”
He commended “NIST for informing the government and the public of the serious cyber threats that connected devices pose to national and personal security,” but also encouraged “public sector agencies to continue to work closely with private sector providers to protect against the threats and risks that exist for mobile devices.”
As the Ponemon Institute and Shared Assessments survey indicated, “According to respondents, the number of IoT devices in their organizations is expected to double in the next two years, from an average of 9,259 to an average 18,631. IoT growth is being driven by the potential to increase efficiencies and improve business outcomes by collecting better data about things in the workplace. However, to ensure the security risks do not outweigh the benefits, new strategies that holistically consider risks in the organization’s entire IoT ecosystem are needed.”
“The pace of innovation in IoT and the varying standards for security among third parties make it hard to ensure the security of these devices and applications, according to 72 percent of respondents. In addition, the drive for innovation requires new approaches to IT strategies and tactics, and 61 percent say adoption of the cloud is driven, in part, by the need to innovate in the IoT ecosystem. Forty-two percent of respondents say the number of vendors they use makes it difficult to manage the complexities of IoT platforms.”