Let's face it: Most enterprises aren't building their own Internet of Things (IoT) systems. Very few organizations have the scale to develop and deploy IoT devices of their own in their environments — the hardware tends to be specialized, most of the software doesn't look like the stuff their corporate horde of Java developers use to write code, and there just isn't enough value for risky projects like that to make sense. So, enterprises tend to buy consumer IoT devices and shoehorn them into their corporate security architectures — and it can be challenging to get them to properly fit. This doesn't mean that enterprises are helpless in the face of IoT security risks, but it does make enterprise IoT security a supply chain problem.
Risks and Consequences of Not Addressing These Issues
IoT devices and systems represent additional enterprise attack surface — the same as allowing users to "bring your own device" for mobile devices. These devices expose the organization to the same types of risk as other devices deployed on the corporate network. Security flaws in IoT devices can lead to device takeover and the exposure of sensitive data, and they provide attackers a foothold in the corporate network that can be used to launch additional attacks.
Additionally, these IoT systems tend to traffic in a lot of sensitive data, including confidential and proprietary information, and information that has privacy implications. This data will leave the corporate firewall and be processed by services hosted by the IoT system provider, which places the burden on the enterprise to understand how these IoT systems affect its risk posture.
Best Practices for Assessing and Managing IoT Third-Party Risk
Third-party risk must be approached in a structured manner as part of an overall vendor risk management program. New IoT systems that are going to be deployed on enterprise networks and process sensitive enterprise information need to be run through a vetting process, so the organization understands the change in risk exposure. This process can share many of the same characteristics of a standard vendor risk management program but may need to be augmented to address some of the specific concerns that IoT systems raise. Because these systems incorporate specialized hardware with potentially nonstandard operating systems, questions about upgrade practices and support life cycles are of particular interest.
Threat modeling is an excellent approach to better understand the architecture of IoT systems and how they will fit into enterprise security architectures. This involves enumerating the various assets in the system, identifying the connections between them, and crafting a list of potential weaknesses.
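The three threat-modeling steps above (enumerate assets, identify connections, list weaknesses) can be captured as a small data-flow model that also checks the upgrade and support-life-cycle concerns raised earlier. The following is an added example, not code from the original article; the asset, zone and finding names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    zone: str                          # trust zone: "corp" or "vendor_cloud" (constructed labels)
    holds_sensitive: bool = False      # stores or processes confidential data
    updatable: bool = True             # can firmware/software be patched after deployment?
    support_end: Optional[int] = None  # last year of vendor support; None = vendor did not say

@dataclass
class Flow:
    src: str
    dst: str
    encrypted: bool
    authenticated: bool

def enumerate_weaknesses(assets: List[Asset], flows: List[Flow], current_year: int = 2024) -> List[Tuple[str, str]]:
    # Walk every asset and every connection; return (element, weakness) pairs.
    by_name = {a.name: a for a in assets}
    findings = []
    for a in assets:
        if not a.updatable:
            findings.append((a.name, "no post-deployment update path"))
        if a.support_end is None:
            findings.append((a.name, "vendor support life cycle unknown"))
        elif a.support_end <= current_year:
            findings.append((a.name, "vendor support has ended"))
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        edge = f"{f.src}->{f.dst}"
        crosses_boundary = src.zone != dst.zone
        if crosses_boundary and not f.encrypted:
            findings.append((edge, "crosses trust boundary unencrypted"))
        if crosses_boundary and not f.authenticated:
            findings.append((edge, "crosses trust boundary without authentication"))
        if src.holds_sensitive and dst.zone != "corp":
            findings.append((edge, "sensitive data leaves the corporate boundary"))
    return findings

# Constructed sample: a vendor-supplied badge reader, its cloud back end, and an internal HR system.
SAMPLE_ASSETS = [
    Asset("badge_reader", "corp", holds_sensitive=True, updatable=False),
    Asset("vendor_cloud", "vendor_cloud", holds_sensitive=True, support_end=2026),
    Asset("hr_system", "corp", holds_sensitive=True, support_end=2030),
]
SAMPLE_FLOWS = [
    Flow("badge_reader", "vendor_cloud", encrypted=True, authenticated=False),
    Flow("vendor_cloud", "hr_system", encrypted=False, authenticated=True),
]
```

Running `enumerate_weaknesses(SAMPLE_ASSETS, SAMPLE_FLOWS)` yields the questions to put to the vendor during acquisition: the reader cannot be patched and has no stated support end date, the device-to-cloud link is unauthenticated, badge data leaves the corporate boundary, and the cloud-to-HR link is unencrypted.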
Security assessments can also be performed against the IoT devices themselves as well as the supporting Web services and other assets. Typically, assessments of the devices themselves can be performed without authorization from the vendor — although enterprises should review their licensing agreements, which may have prohibitions against practices such as reverse engineering. Performing security tests of supporting services typically requires the participation — or at least explicit consent — of the IoT provider. Requesting the access to perform security testing is best done during the acquisition process when the enterprise has leverage — not after.
Questions That Security Leaders and Risk Managers Must Ask
Ultimately, there are many questions that go into the process of evaluating potential IoT systems vendors to determine the impact their products will have on an enterprise's IoT environment. A few that represent a good starting point include:
- What are the security characteristics of these IoT devices and their supporting services?
- What practices does this vendor have in place during their systems development life cycle to help build secure systems?
- How will deploying these IoT devices impact our overall enterprise attack surface and enterprise security architecture?
IoT Risks the Third-Party Risk Management Program Should Cover
A third-party risk management program targeted at IoT risks should cover the standard concerns of confidentiality, integrity, and availability as applied to the data the IoT system will have access to. If the IoT system is going to have access to data that puts the enterprise in scope for any compliance or regulatory laws, that likely increases the requirements for evaluation.
These programs need to look at the initial security implications of deploying IoT systems, as well as the ongoing risks as time passes and vulnerabilities are identified. Many IoT systems can be difficult, if not impossible, to upgrade after being deployed, so third-party risk management programs need to track the ability to update IoT systems over time as flaws are identified and hopefully addressed.
Existing Frameworks and Standards
There are some emerging standards for IoT security, but none have made a significant impact across the industry. The OWASP Internet of Things project has links to a number of valuable resources for organizations looking to understand the security implications of IoT devices and associated services for consumers, enterprises, and industrial consumers. These include a Top 10 list of risks, security testing methodologies, and an example of a flawed system for testing practice, as well as other materials.
The European Union Agency for Cybersecurity (ENISA) has also published some valuable materials for organizations wanting to build and/or deploy secure IoT systems. It would be valuable if there were a dominant security framework for IoT systems, but the variability in architecture and use cases for these systems makes it challenging to craft guidance and evaluation standards that can prescriptively be applied across the entire category.
Because most enterprises don't build their own IoT systems, risk from enterprise IoT is largely a supply chain issue. Organizations wanting to take advantage of the potential benefits of IoT systems in enterprise environments would be well-served to start evaluating this third-party risk during the acquisition process in order to best anticipate and address security risks associated with the IoT system they're looking to adopt.