The Internet of Things: Wireless Network of Uniquely Identifiable Connected Devices
Problem: The Internet of Things (IoT) may be defined as a wired or wireless network of uniquely identifiable connected devices which can process data and communicate with each other. Reinfurt (2016) discussed many different types of IoT devices, such as service gateways, device shadows, rule engines and device wake-up, all of which bring challenges and security risks. The technology in some of these devices is advanced: they can function offline, do not have to be programmed, and cannot support network technology, and this has created not only a security risk but an economic impact as well (Institute of Electrical and Electronics Engineers [IEEE], 2017). Behavior modification on our part is an important component of risk reduction. It is not necessary for us to have “smart” devices at home if we do not need them; a “look before you leap” attitude is important, and one should know what the internet is connecting to before opting to connect.
Additionally, cloud services have their own risks: they do not function when the network is down, and by default they send sensitive information through an alternative route. This is a major problem. These devices have created a gateway from our homes and offices to the computer world, increasing efficiency and reducing work, but the sacrifice we have made has compromised our privacy and security. The number of devices added every year is projected to reach almost a trillion in the future. These devices have revolutionized industry and are used in day-to-day operations from lighting, heating and security systems to the “smart home”, “smart phone” and “smart TV”, amongst other things. IoT devices have a tremendous impact on our infrastructure, bridge construction, manufacturing, power plants, agriculture and much more. In agriculture, farmers use these devices to predict rainfall in a given area, soil humidity and crop planting. According to Jones (2018), IoT devices are not made by traditional companies like Microsoft, Cisco and Dell, but by electronics manufacturers: “IoT devices usually make their Wi-Fi connections, and do all of their internal computing, using very, very tiny chipsets, many of which are custom-made for the specific device they’re in.
Like any good computing device, they run firmware… in a worst-case scenario, that firmware might serve as the launching point for a botnet inside your organization’s network” (Jones, 2018). In other words, the potential damage to security and privacy is limitless, causing havoc in our way of life. Needless to say, a strong smart-device policy is necessary to prevent this calamity. We underestimate how many of these devices we use daily. The medical field commonly uses IoT devices for patient care and to monitor medical procedures and devices such as pacemakers, blood pressure machines and cardiac monitors. These assistive devices are increasingly used by elderly patients who live alone; innovative technology like voice-assistance monitors and safety features in their homes has helped them lead meaningful and independent lives. Many IoT devices were not designed to connect to a network or to other devices, but now have the capability to do so without addressing the need to protect the device from unauthorized users, ultimately creating a network risk (Rouse, 2017). Another behavior modification on our part is to pay attention to the latest firmware to guard against security compromise.
Periodic password checks and turning off UPnP are essential, as most attackers try to get into the system through this vulnerability. Our transportation system also uses smart devices such as digital speed-limit monitors, traffic control and road assistance, all extensions of IoT devices intertwined with transportation communication. Cremer, Nguyen and Simkin (2016) discussed the integrity of the system, the influence of the IoT, its dark-side behaviors and how these behaviors relate to the IoT process. The dark side is when consumers use smart TVs, smartphones and Wi-Fi while data is collected on them without their knowledge. Basically, their devices are monitoring them, recording and storing personal or business data in the cloud behind a password. This is an issue especially when devices can be easily accessed and turned into botnets such as Mirai (Mathais, 2016). Mirai took advantage of weak security controls on a variety of IoT devices (Symantec Security Response, 2014). These devices and applications are used in almost everything in our way of life, hence it is imperative that they are secure and free of risk. On a larger scale, even our national security could be at risk if there are no security risk policies for these devices. Interestingly, the recent hacking of Facebook and Twitter during the 2016 presidential election is one such example.
The scope of IoT devices is unimaginable: they are used in everything from Rolls-Royce cars to Kohler toilets to our home coffee makers.
Opinions from Experts: Some of the best practices stated in the IEEE IoT best practices (2017) include endpoint security and tamper resistance through port locks, camera and webcam covers, USB and Ethernet covers, and strong boot-level passwords. These simple actions generate an additional layer of security. The limited life cycle of IoT devices creates an area of vulnerability; upgrades, patch details for the consumer, and a policy should be in place to guard against a security breach. Companies should also have IoT devices undergo dynamic testing, which discovers vulnerabilities in both new and old code. All companies should have policies and procedures to protect data on device disposal. Strong encryption and strong authentication add further layers of security. Increasingly, individuals are working from home, making it a haven for hackers seeking access to sensitive information.
Recommendations are to use strong encryption, use wired connectivity, check manufacturer sites for updates, perform audits of IoT devices, and change passwords frequently (IoT Security Foundation [IoTSF], 2016). The members and reviewers of the IoT Security Compliance Framework created pragmatic guidance for businesses to improve their functionality and to prevent compromise of customers’ privacy and security; it is a best-practice guideline for managers, developers, engineers, logistics and manufacturing staff. The compliance process includes a checklist and a questionnaire, which the organization must retain on file (IoTSF, 2016). The US Chamber of Commerce, represented by Executive Director Matthew Eggers (2017), summarizes that there is no silver bullet for cybersecurity and recommends that policies be embedded in global and industry standards, with public and private collaboration, and that smart-city registration be created. There is no doubt the IoT has created economic growth, but it has also opened risks which should be managed across the internet. He emphasizes that IoT cybersecurity is best when embedded in global, industry-driven standards along with public and private collaboration.
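The two recommendations that recur above, turn UPnP off and audit the IoT devices on the network, can be checked from the network side, because UPnP devices announce themselves with SSDP NOTIFY messages on UDP port 1900. The following Python script is an added example and is not part of this paper or of any cited source. It parses a constructed capture of SSDP datagrams (RFC 5737 documentation addresses and made-up UUIDs) and reports every device still advertising UPnP, rating higher any gateway that advertises the WANIPConnection or WANPPPConnection port-mapping services. The capture format, a list of (source IP, payload) pairs, is an assumption of the example.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the paper. Constructed SSDP capture as (source IP,
# payload); addresses are RFC 5737 documentation addresses, UUIDs are made up.
SAMPLE_CAPTURE = [
    ("192.0.2.1",                               # gateway exposing port mapping
     "NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
     "NT: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
     "NTS: ssdp:alive\r\n"
     "SERVER: Linux/3.14 UPnP/1.1 MiniUPnPd/2.0\r\n"
     "USN: uuid:11111111-1111-1111-1111-111111111111::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
     "\r\n"),
    ("192.0.2.20",                              # smart TV advertising itself
     "NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "LOCATION: http://192.0.2.20:8080/description.xml\r\n"
     "NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "NTS: ssdp:alive\r\n"
     "SERVER: ExampleTV/1.0 UPnP/1.0\r\n"
     "USN: uuid:22222222-2222-2222-2222-222222222222::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "\r\n"),
    ("192.0.2.30",                              # device withdrawing its advertisement
     "NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "NT: upnp:rootdevice\r\n"
     "NTS: ssdp:byebye\r\n"
     "USN: uuid:33333333-3333-3333-3333-333333333333::upnp:rootdevice\r\n"
     "\r\n"),
    ("192.0.2.40",                              # a client searching, not a device
     "M-SEARCH * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\n"
     "MX: 2\r\n"
     "ST: ssdp:all\r\n"
     "\r\n"),
    ("192.0.2.50", "not ssdp at all\r\n"),      # malformed datagram
]

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+)\s*:\s*(.*)$")
# Gateway services that let LAN hosts open inbound port mappings.
PORT_MAPPING_SERVICES = ("WANIPConnection", "WANPPPConnection")


@dataclass
class Finding:
    src_ip: str
    uuid: str
    server: str
    advertised: list = field(default_factory=list)
    severity: str = "medium"


def parse_ssdp(payload):
    """Parse one SSDP datagram into (method, headers); None if malformed."""
    lines = payload.split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[1] != "*" or not start[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        m = HEADER_RE.match(line)
        if not m:
            return None
        headers[m.group(1).upper()] = m.group(2).strip()
    return start[0].upper(), headers


def audit_capture(capture):
    """One Finding per device (keyed by UUID) that is still advertising UPnP."""
    by_uuid = {}
    for src_ip, payload in capture:
        parsed = parse_ssdp(payload)
        if parsed is None:
            continue
        method, h = parsed
        if method != "NOTIFY" or h.get("NTS") != "ssdp:alive":
            continue            # searches and byebye messages are not advertisements
        uuid = h.get("USN", "").split("::")[0]
        if not uuid.startswith("uuid:"):
            continue
        f = by_uuid.setdefault(uuid, Finding(src_ip, uuid, h.get("SERVER", "unknown")))
        nt = h.get("NT", "")
        if nt and nt not in f.advertised:
            f.advertised.append(nt)
        if any(svc in nt for svc in PORT_MAPPING_SERVICES):
            f.severity = "high"  # port mapping reachable from the LAN: policy breach
    return list(by_uuid.values())


def findings_by_ip(capture):
    return {f.src_ip: f for f in audit_capture(capture)}


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"{f.severity.upper():6} {f.src_ip:12} {f.server}  advertises {', '.join(f.advertised)}")
```

Run against a real capture, every device listed is one where UPnP has not been turned off; the high-severity entries are gateways whose port-mapping service any LAN host, including a compromised IoT device, could ask to open inbound ports, which is exactly the exposure the recommendation above is about.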
According to Justine Young Gottshall (2017), best practices for IoT include data collection, privacy and security, policy creation, action plans and training, compliance and the responsible party. The most challenging issue is the rate at which deployments are taking place and keeping pace with IoT privacy compliance. Bojanova and Voas (2017) discussed the trustworthiness of the IoT; its challenges include a lack of standardization and certification, lack of regulatory oversight, lack of control, large-scale vendors, and lastly inconsistency in the definition of the IoT. The suggested solutions are cybersecurity risk assessment, authentication and authorization. Security basics involve encryption, authentication, physical security and integrity (resilience). The main goal is to make access very difficult for an unauthorized user (Mathais, 2016). Lastly, audits, background checks, training and management oversight are all needed to prevent security compromise.
Proposed IoT Policy:
Version Control:
Revision: 1.0
Originator: Amul Arya
Change Date: 06/27/2018
Change Description: Initial Policy Suggestion
Approver Name: Pending
Approved Date: Pending
Introduction: The objective of our Internet of Things (IoT) policy is to protect and respect the confidentiality, integrity and availability of our employees, company and clients, and to ensure IoT devices are used effectively and securely on our network and in our processes and projects. This policy applies only to IoT devices and extends to all functional areas and employees unless explicitly excluded. Thank you in advance for your support and effort in enforcing and following this policy for the benefit of all. Please direct any questions or comments to either our Compliance Officer or Chief Information Security Officer (CISO).
Exemptions: Currently, there are no exemptions to this policy.
Where compliance is not technically feasible or as justified by business needs, an exemption may be granted. Exemption requests must be submitted in writing to the CISO, including justification and the benefits attributed to the exemption. Unless otherwise stated, the CISO and the COO have the authority to grant waivers (Greene, 2014).
Policy Violation: Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries, termination of the employment relationship in the case of contractors and consultants, and dismissal for interns and volunteers. Additionally, individuals are subject to civil and criminal prosecution (Greene, 2014).
Goals and Objectives:
- Define a standardized process to validate and secure IoT devices
- Minimize the risk of IoT devices on the company network
- Ensure the usage of IoT devices is done in a secure manner
References:
Bojanova, I., & Voas, J. (2017). Trusting the Internet of Things. IT Professional, 19(5), 16-19. doi:10.1109/mitp.2017.368095
Cremer, D. D., Nguyen, B., & Simkin, L. (2016). The integrity challenge of the Internet-of-Things (IoT): On understanding its dark side. Journal of Marketing Management, 33(1-2), 145-158. doi:10.1080/0267257x.2016.1247517
Eggers, M. J. (2017, October 23). Internet of Things (IoT) Cybersecurity Policy (United States, Chamber of Commerce, NIST). Retrieved from https://www.nist.gov/sites/default/files/documents/2017/10/23/mattheweggers_slides.pdf
Gottshall, J. Y. (2017, September 1). 5 Best Practices for IoT Privacy Compliance. Risk Management, 64(8), 14-15.
Greene, S. S. (2014). Security program and policies: Principles and practices (2nd ed.). Indianapolis, IN: Pearson IT Certification.
Institute of Electrical and Electronics Engineers. (2017, May). Internet of Things (IoT) Security Best Practices. Retrieved from https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_may_2017.pdf
IoT Security Foundation. (2016, December). IoT Security Compliance Framework. Retrieved from https://iotsecurityfoundation.org/wp-content/uploads/2016/12/IoT-Security-Compliance-Framework.pdf
Jones, D. (2018, January 31). Does your organization need an IoT policy? – Pluralsight – Medium. Retrieved from https://medium.com/pluralsight/does-your-organization-need-an-iot-policy-f09e3e3f967f
Mathais, C. (2016, December 22). Stampede of IoT Devices Means Tighter Network Security – Aerohive Blog. Retrieved from https://blog.aerohive.com/stampede-of-iot-devices-means-tighter-network-security/
Reinfurt, L., Breitenbücher, U., Falkenthal, M., Leymann, F., & Riegg, A. (2016). Internet of things patterns. Proceedings of the 21st European Conference on Pattern Languages of Programs – EuroPLoP 16. doi:10.1145/3011784.3011789
Rouse, M. (2017, March). What is IoT policy (Internet of Things policy)? – Definition from WhatIs.com. Retrieved from https://internetofthingsagenda.techtarget.com/definition/IoT-policy-Internet-of-Things-policy
Symantec Security Response. (2016, October 27). Mirai: What you need to know about the botnet behind recent major DDoS attacks. Retrieved from https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks
Glossary of Terms:
IoT – Internet of Things; a wired or wireless network of uniquely identifiable connected devices which can process data and communicate with each other.
IEEE – Institute of Electrical and Electronics Engineers; a group of technology professionals who provide recommendations on policy and procedure.
UPnP – Universal Plug and Play; a set of network protocols.
CISO – Chief Information Security Officer; senior-level executive responsible for the vision and goals of the organization.
COO – Chief Operating Officer; responsible for the day-to-day operations of the organization.
VLAN – Virtual Local Area Network; a group of workstations, servers and network devices which are connected.
Firmware – Software placed in hardware by the manufacturer, typically in read-only memory.
IoTSF – IoT Security Foundation; addresses the security concerns of the IoT.