Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
12/23/2020
10:00 AM
Dan Cornell
Dan Cornell
Commentary
50%
50%

Enterprise IoT Security Is a Supply Chain Problem

Organizations that wish to take advantage of the potential benefits of IoT systems in enterprise environments should start evaluating third-party risk during the acquisition process.

Let's face it: Most enterprises aren't building their own Internet of Things (IoT) systems. Very few organizations have the scale to develop and deploy IoT devices of their own in their environments — the hardware tends to be specialized, most of the software doesn't look like the stuff their corporate horde of Java developers use to write code, and there just isn't enough value for risky projects like that to make sense. So, enterprises tend to buy consumer IoT devices and shoehorn them into their corporate security architectures — and it can be challenging to get them to properly fit. This doesn't mean that enterprises are helpless in the face of IoT security risks, but it does make enterprise IoT security a supply chain problem.

Related Content:

How to Pinpoint Rogue IoT Devices on Your Network

Building an Effective Cybersecurity Incident Response Team

New From The Edge: Why Secure Email Gateways Rewrite Links (and Why They Shouldn't)

Risks and Consequences of Not Addressing These Issues
IoT devices and systems represent additional enterprise attack surface — the same as allowing users to "bring your own device" for mobile devices. These devices expose the organization to the same types of risk as other devices deployed on the corporate network. Security flaws in IoT devices can lead to device takeover and the exposure of sensitive data, and they provide attackers a foothold in the corporate network that can be used to launch additional attacks.

Additionally, these IoT systems tend to traffic in a lot of sensitive data, including confidential and proprietary information, and information that has privacy implications. This data will leave the corporate firewall and be processed by services hosted by the IoT system provider and places the burden on the enterprise to understand how these IoT systems affect their risk posture.

Best Practices for Assessing and Managing IoT Third-Party Risk
Third-party risk must be approached in a structured manner as part of an overall vendor risk management program. New IoT systems that are going to be deployed on enterprise networks and process sensitive enterprise information need to be run through a vetting process, so the organizations understand the change in risk exposure. This process can share many of the same characteristics of a standard vendor risk management program but may need to be augmented to address some of the specific concerns that IoT systems raise. Because these systems incorporate specialized hardware with potentially nonstandard operating systems, questions about upgrade practices, and support life cycles are of particular interest.

Threat modeling is an excellent approach to better understand the architecture of IoT systems and how they will fit into enterprise security architectures. This involves enumerating the various assets in the system, identifying the connections between them, and crafting a list of potential weaknesses.

Security assessments can also be performed against the IoT devices themselves as well as the supporting Web services and other assets. Typically performing assessments of the devices themselves can be done without authorization — although enterprises should review their licensing agreements, which may have prohibitions against practices such as reverse engineering. Performing security tests of supporting services typically requires the participation — or at least explicit consent — of the IoT provider. Requesting the access to perform security testing is best done during the acquisition process when the enterprise has leverage — not after.

Questions That Security Leaders and Risk Managers Must Ask
Ultimately, there are many questions that go into the process of evaluating potential IoT systems vendors to determine the impact their products will have on an enterprise's IoT environment. A couple that represent a good starting point include:

  • What are the security characteristics of these IoT devices and their supporting services?

  • What practices does this vendor have in place during their systems development life cycle to help build secure systems?

  • How will deploying these IoT devices impact our overall enterprise attack surface and enterprise security architecture?

IoT Risks the Third-Party Risk Management Program Should Cover
A third-party risk management program targeted at IoT risks should cover the standard concerns of confidentiality, integrity, and availability as applied to the data the IoT system will have access to. If the IoT system is going to have access to data that puts them in scope for any compliance or regulatory laws, that likely increases the requirements for evaluation.

These programs need to look at the initial security implications of deploying IoT systems, as well as the ongoing risks as time passes and vulnerabilities are identified. Many IoT systems can be difficult, if not impossible, to upgrade after being deployed, so third-party risk management programs need to track the ability to update IoT systems over time as flaws are identified and hopefully addressed.

Existing Frameworks and Standards
There are some emerging standards for IoT security, but none have made a significant impact across the industry. The OWASP Internet of Things project has links to a number of valuable resources for organizations looking to understand the security implications of IoT devices and associated services for consumers, enterprises, and industrial consumers. These include a Top 10 list of risks, security testing methodologies, and an example of a flawed system for testing practice, as well as other materials.

The European Union Agency for Cybersecurity (ENISA) has also published some valuable materials for organizations wanting to build and/or deploy secure IoT systems. It would be valuable if there were a dominant security framework for IoT systems, but the variability in architecture and use cases for these systems makes it challenging to craft guidance and evaluation standards that can prescriptively be applied across the entire category.

Conclusion
Because most enterprises don't build their own IoT systems, risk from enterprise IoT is largely a supply chain issue. Organizations wanting to take advantage of the potential benefits of IoT systems in enterprise environments would be well-served to start evaluating this third-party risk during the acquisition process in order to best anticipate and address security risks associated with the IoT system they're looking to adopt.

A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23381
PUBLISHED: 2021-04-18
This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23374
PUBLISHED: 2021-04-18
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23375
PUBLISHED: 2021-04-18
This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23376
PUBLISHED: 2021-04-18
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23377
PUBLISHED: 2021-04-18
This affects all versions of package onion-oled-js. If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.