Devices built for the Internet of Things (IoT) are increasingly finding their way onto organizational networks. Even modest predictions estimate that more than 20 billion IoT devices (thermostats, cameras, coffee makers, light bulbs, printers, etc.) will be connected to networks across the world by 2020. While these devices provide a good deal of convenience to end users across an organization, each IoT device added to a network expands the attack surface available to threat actors. Accounting for every device on the network should be a primary concern for your security team, but it can be daunting when you consider the number of variables involved in securing numerous devices from a host of different manufacturers.
To help address the challenges posed by the rapidly expanding IoT, the National Institute of Standards and Technology (NIST) has released the report Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTIR 8228). This is the first in a series of reports aimed at security executives looking to better secure their networks and data from threat actors.
According to NIST computer scientist and report co-author Mike Fagan, “the report is mainly for any organization that is thinking about security on the level of the NIST Cybersecurity Framework.” He adds that “it’s targeted at the mode of thinking that an organization would have — more resources, more people, more ability, but also more risk of attack because of all those things. It’s bad when a single house is attacked, but if a million bank account passwords are stolen, that has a much larger impact.”
Fagan notes that the trouble with IoT devices, when compared to conventional computers, and most mobile phones and tablets, is that “An IoT device might even have no interface at all, or have no way to install security software…but it still might connect to your network and be visible electronically to an enemy looking for a potential way in. It’s this kind of incongruency with expectations that we want to help an organization think through before they bring IoT devices onto their network.”
The new report is a companion to NIST’s Cybersecurity Framework and SP 800-53 Rev. 5, though unlike those documents, its sole purpose is to provide guidance rather than requirements. “IoT is still an emerging field [and] some challenges may vanish as the technology becomes more powerful,” Fagan said. “For now, our goal is awareness.”