The Internet of Things: Wireless Network of Uniquely Identifiable Connected Devices
The Internet of Things (IoT) may be defined as a wired or wireless network of uniquely identifiable, connected devices which can process data and communicate with each other. Reinfurt (2016) discussed many different types of IoT devices such as service gateways, device shadows, rule engines, and device wake-ups, all of which have challenges and pose security risks. The technology of some of these devices is advanced and can function offline. They don't have to be programmed, and they can't support network technology.
This development has not only created security risks, but also had an economic impact (Institute of Electrical and Electronics Engineers [IEEE], 2017). Behaviour modification on our part is an important component for risk reduction. There's no need for us to have "smart" devices at home if we don't really need them - a "look before you leap" attitude is key. It's important to understand what the Internet is connecting before making the decision to connect.
Additionally, cloud service has its own risks. It doesn't function when the network is down and defaults to sending sensitive information through alternative routes. This is a major problem. These devices have created a gateway from our homes and offices to the computer world, increasing efficiency and reducing work. However, the sacrifices we've made have compromised our privacy and security. The number of devices that are added every year is projected to reach nearly a trillion in the future. These devices have revolutionised industries and are commonly used in day-to-day operations for tasks like lighting, heating, security systems, and in "smart" homes, phones, and TVs, among other things. IoT devices have a tremendous impact on our infrastructure, including bridge construction, manufacturing, power plants, agriculture and many more areas. In agriculture, for example, farmers use these devices to predict rainfall in a certain area and monitor soil humidity and crop planting. According to Jones (2018), IoT devices are not made by traditional companies like Microsoft, Cisco, and Dell, but by computer electronics. "IoT devices usually make their Wi-Fi connections, and do all of their internal computing, using very, very tiny chipsets, many of which are custom-made for the specific device they're in."
"Like any good computing device, they run firmware... In a worst-case scenario, that firmware might serve as the launching point for a botnet inside your organization's network" (Jones, 2018). In other words, the potential for destruction of security and privacy is limitless, causing havoc in our way of life. It is needless to say that a strong policy for smart devices is necessary to prevent this calamity. We underestimate how many of these devices we use daily. The medical field makes extensive use of IoT devices for patient care and to monitor medical procedures and devices such as pacemakers, blood pressure machines, and cardiac monitors. These medical assistive devices are increasingly used for elderly patients who live alone. This innovative technology, like voice assistance monitors and safety features in homes, has helped them lead meaningful, independent lives. Many IoT devices are not designed to connect to a network or other devices, but they now have the capability to do so without addressing the need to protect the device from unauthorized users, ultimately causing a network risk (Rouse, 2017). Another necessary behaviour modification on our part is to pay attention to the latest firmware to guard against security compromise.
Periodic checks on passwords and turning off UPnP are essential as most hackers try to get into the system through this vulnerability. Our transportation system also uses smart devices like the speed limit digital monitor, traffic control, and road assistance, which are all extensions of IoT devices intertwined with transportation communication. Cremer, D.D., Nguyen, B., & Simkin, L. (2016) discussed the integrity of the system and the influence of the IoT, the dark side behaviors and how these behaviors are related to the IoT process. The dark side is when consumers use smart TVs, smartphones, and Wi-Fi networks and data is collected on them without them even knowing about it. Basically, their devices are monitoring them, recording and storing the personal data or business data in the cloud with a protected password. This is an issue, especially when devices can be easily accessed and become part of botnets such as Mirai (Mathais, 2016). Mirai took advantage of weak security controls on a variety of IoT devices (Symantec Security Response, 2014). These devices and applications are used in almost everything in our way of life; hence it is imperative that they are secure and free of risk. On an even larger scale, our national security could be at risk if there are no security risk policies for these devices. Interestingly, the recent hacking of Facebook and Twitter in the 2016 presidential election is one such example.
The scope of the IoT devices is unimaginable, as they are used in everything from Rolls-Royce to Kohler toilets at home to our home coffee makers.
Opinions from Expert:
Some of the best practices as stated in IEEE IoT Best Practices (2017) include endpoint security and tamper resistance by using port locks, camera covers, webcam covers, USB and Ethernet covers, and strong boot level passwords. These simple actions generate an additional layer of security. The limited lifecycle of the IoT devices creates an area of vulnerability. Upgrades and patch details should be communicated to the consumer, and a policy should be in place to safeguard against a security breach. Companies should also have the IoT devices undergo dynamic testing, which will discover vulnerabilities of the new and the old code. All companies should have policies and procedures to protect data on device disposal. Additionally, strong encryption and strong authentication will be additional layers of security. Increasingly, individuals are working from home, making it a haven for hackers to access sensitive information.
Recommendations are to use strong encryption, use wired connectivity, check manufacturer sites for updates, perform audits of IoT, and change passwords frequently (IoT Security Foundation [IoTSF], 2016). The IoT security compliance framework members and reviewers created a pragmatic guidance protocol for businesses to improve their functionality and to prevent compromise of customers' privacy and security; it is a guide and a best practice guideline for managers, developers, engineers, logistics, and manufacturing staff. The compliance process includes a checklist and a questionnaire, and this must be retained in a file by the organization (IoTSF, 2016). The US Chamber of Commerce, headed by Executive Director Matthew Eggers (2017), summarizes that there is no silver bullet to cybersecurity and recommends policies that are embedded in global and industry-driven standards, built on public and private collaboration, and the creation of smart city registration. There is no doubt that the IoT has created economic growth, but it has also opened up risks which should be managed across the internet. He emphasizes that IoT cybersecurity is best when embedded in global and industry-driven standards along with public and private collaboration.
According to Justine Young Gottshall (2017), her best practices for IoT include data collection, privacy and security, policy creation, action plans and training, compliance, and the responsible party. The most challenging issue is the rate at which deployments are taking place and keeping pace with IoT privacy compliance. Bojanova, I., and Voas, J. (2017) discussed the trustworthiness of the IoT. The challenges include lack of standardization and certification, lack of regulatory oversight, lack of control, large-scale vendors, and, lastly, the inconsistency of the definition of the IoT. The suggested solution could be a cybersecurity risk assessment, authentication, and authorization. Security basics involve encryption, authentication, physical security, and integrity (resilience). The main goal is to make it very difficult to access by an unauthorized user (Mathais, 2016). Lastly, audits, background checks, training, audit and management oversight are all needed to prevent security compromise.
Proposed IoT Policy:
Version Control
Revision: 1.0
Originator: Amul Arya
Change Date: 06/27/2018
Change Description: Initial Policy Suggestion
Approver Name: Pending
Approved Date: Pending
Introduction:
The objective of our Internet of Things (IoT) policy is to protect and respect the confidentiality, integrity, and availability of our employees, company, and clients, and to ensure IoT devices are effectively and securely used on our network and in our processes and projects. This policy only applies to IoT devices and extends to all functional areas and employees unless explicitly excluded. Thank you in advance for your support and effort in enforcing and following this policy for the benefit of all. Please direct any questions or comments to either our Compliance Officer or Chief Information Security Officer (CISO).
Exemptions:
Currently, there are no exemptions to this policy. Where compliance is not technically feasible or justified by business needs, an exemption may be granted. Exemption requests must be submitted in writing to the CISO, including justification and benefits attributed to the exemption. Unless otherwise stated, both the CISO and the COO have the authority to grant waivers (Greene, 2014).
Policy Violation:
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries, a termination of employment relations in the case of contractors and consultants, and dismissal for interns and volunteers. Additionally, individuals are subject to civil and criminal prosecution (Greene, 2014).
Goals and Objectives:
Define a standardized process to validate and secure IoT devices, minimize the risk of IoT devices on the company network, and ensure the usage of IoT devices is done in a secure manner.
References:
Bojanova, I., & Voas, J. (2017). Trusting the Internet of Things. IT Professional, 19(5), 16-19. doi:10.1109/mitp.2017.368095
Cremer, D. D., Nguyen, B., & Simkin, L. (2016). The integrity challenge of the Internet-of-Things (IoT): On understanding its dark side. Journal of Marketing Management, 33(1-2), 145-158. doi:10.1080/0267257x.2016.1247517
Eggers, M. J. (2017, October 23). Internet of Things (IoT) Cybersecurity Policy (United States, Chamber of Commerce, NIST). Retrieved from https://www.nist.gov/sites/default/files/documents/2017/10/23/mattheweggers_slides.pdf
Gottshall, J. Y. (2017, September 1). 5 Best Practices for IoT Privacy Compliance. Risk Management, 64(8), 14-15.
Greene, S. S. (2014). Security program and policies: Principles and practices (2nd ed.). Indianapolis, IN: Pearson IT Certification.
Institute of Electrical and Electronics Engineers. (2017, May). Internet of Things (IoT) Security Best Practices. Retrieved from https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_may_2017.pdf
IoT Security Foundation. (2016, December). IoT Security Compliance Framework. Retrieved from https://iotsecurityfoundation.org/wp-content/uploads/2016/12/IoT-Security-Compliance-Framework.pdf
Jones, D. (2018, January 31). Does your organization need an IoT policy? – Pluralsight – Medium. Retrieved from https://medium.com/pluralsight/does-your-organization-need-an-iot-policy-f09e3e3f967f
Mathais, C. (2016, December 22). Stampede of IoT Devices Means Tighter Network Security - Aerohive Blog. Retrieved from https://blog.aerohive.com/stampede-of-iot-devices-means-tighter-network-security/
Reinfurt, L., Breitenbücher, U., Falkenthal, M., Leymann, F., & Riegg, A. (2016). Internet of things patterns. Proceedings of the 21st European Conference on Pattern Languages of Programs - EuroPlop 16. doi:10.1145/3011784.3011789
Rouse, M. (2017, March). What is IoT policy (Internet of Things policy)? - Definition from WhatIs.com. Retrieved from https://internetofthingsagenda.techtarget.com/definition/IoT-policy-Internet-of-Things-policy
Symantec Security Response. (2016, October 27). Mirai: What you need to know about the botnet behind recent major DDoS attacks. Retrieved from https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks
Glossary of Terms:
IoT – Internet of Things; the Internet of Things is defined as a wired or wireless network of uniquely identifiable connected devices which can process data and communicate with each other.
IEEE – Institute of Electrical and Electronics Engineers; a group of professionals in technology who provide recommendations on policy and procedure.
UPnP – Universal Plug and Play; defined as a set of network protocols.
CISO – Chief Information Security Officer; a senior-level executive responsible for the vision and goals of the organization.
COO – Chief Operating Officer; responsible for the day-to-day operations of the organization.
VLAN – Virtual Local Area Network; a group of workstations, servers, and network devices which are connected.
Firmware – defined as software embedded in hardware by the manufacturer and stored in read-only memory.
IoTSF – Internet of Things Security Foundation; it addresses the security concerns of the IoT.
The Internet of Things: Wireless Network of Uniquely Identifiable Connected Devices. (2019, Dec 26). Retrieved from https://papersowl.com/examples/the-internet-of-things-wireless-network-of-uniquely-identifiable-connected-devices/