The rapid proliferation of internet-connected devices within business and industrial networks is driving the need for holistic third-party risk management practices at many organizations.
A recent study by the Ponemon Institute on behalf of Shared Assessments, a global membership organization focused on third-party risk management, showed high awareness that IoT cybersecurity and third-party relationships are often at odds in the enterprise. IT and business leaders recognize the risk, yet major gaps remain in existing security programs to address it.
Of the 630 respondents in the survey, nearly nine out of 10 expected their organizations to experience an IoT-related breach or cyber attack, but just 47% evaluated third-party IoT security vulnerabilities and privacy practices before working with a vendor. Though most survey-takers reported increases in the number of third parties their companies work with, less than one-third monitored the risk of IoT devices used or supplied by their third parties. Only 36% tracked the data the devices were transmitting outside the organization.
According to survey respondents, contributing factors include device proliferation, a relative lack of management support, budget and staff issues, and little accountability for IoT-related risks. "Although awareness of IoT risks within organizations is relatively high, that awareness is not translating into sufficient improvements in IoT risk management," said Charlie Miller, senior adviser at Shared Assessments.
The security of the IoT environment is becoming an increasingly critical issue at many organizations. IoT devices and services on enterprise networks and in industrial and operational technology (OT) environments can provide access to critical applications and data. Security incidents in these environments can result in major operational disruptions, malware distribution, data theft and denial of service (DoS) conditions.
Concerns over these issues have been exacerbated by the lack of basic security controls in many IoT devices, especially those connected to business networks. In recent years, attackers have routinely exploited vulnerabilities in IoT devices to assemble large botnets for launching DoS attacks and to distribute malware or spam. Mandates like California's IoT security law, Oregon's similar connected devices measure, and voluntary standards like NIST's guidance for IoT device manufacturers have sought to improve the situation. Even so, a majority of deployed IoT devices remain dangerously vulnerable to attack and security failures.
Here, according to Miller and others, are five measures that security and business leaders can take to address the ways in which IoT devices and third parties can heighten cybersecurity risk.
1. Assess IoT security vulnerabilities in devices
Prior to integrating IoT systems into their networks, organizations should have a good understanding of inherent risks in the devices they are bringing on board, said David Forbes, principal at Booz Allen Hamilton. "You must understand what, if any, security controls the vendors have implemented within the devices themselves."
That means, for instance, verifying whether software is built on a secure platform, whether a device uses encrypted communications where necessary, and whether a device supports features such as strong access control. "Just as important to the devices' inherent security is the way they are deployed," Forbes said. "What data is available to the vendor? Who will have access to it, and how will it be used?"
As a general best practice, he advises that where appropriate, IoT devices and systems should be segmented off from other IT and OT networks. Controls need to be implemented to ensure devices are protected and cannot be used as an attack vector to other critical systems, Forbes said. "Without high-confidence visibility into your suppliers' security levels and protocols, it's extremely difficult to understand whether inbound materials or systems have been compromised," he said.
Miller from Shared Assessments also recommended organizations identify all the functions a particular device is capable of in order to eliminate unexpected surprises after it has been deployed. Verify whether the device implements all the appropriate logical and physical security controls needed to protect any data that is collected, stored or transmitted from unauthorized access and modification, he said. IT risk and security managers should verify whether the IoT devices they plan to procure have been certified to any standard, such as the Arm Platform Security Architecture certification for IoT devices. Products certified to these standards generally are regarded as having met industry best practices for security.
Ultimately, the goal should be to understand how the devices would impact the overall enterprise attack surface and security architecture. "Threat modeling is an excellent approach to better understand the architecture of IoT systems and how they will fit into enterprise security architectures," said Dan Cornell, CTO at Denim Group, a cybersecurity consulting firm.
2. Verify device security where possible
It's not enough just to assess and understand device risks. Where possible, organizations should actually verify device security and try to identify potential vulnerabilities.
Typically, vulnerability assessments of the devices themselves can be performed without the vendor's or manufacturer's authorization, Cornell said. But enterprises should review their licensing agreements, which may have prohibitions against practices such as reverse-engineering, he cautioned.
Performing security tests on any supporting services, though, will typically require the participation, or at least the explicit consent, of the IoT system provider. "Requesting the access to perform security testing is best done during the acquisition process when the enterprise has leverage, not after," Cornell said.
Many security issues in IoT systems -- especially in industrial environments -- involve insecure default configurations, added James Guinn, lead of Accenture's global cybersecurity business for the energy, utilities, chemicals and mining industries. For example, because many of the systems are designed with uptime and remote connectivity in mind, they sometimes tend to default to insecure configurations when a system is being rebooted or reinitialized.
Backdoors and other vulnerabilities that have been deliberately introduced into IoT components somewhere in the supply chain for covert surveillance and data gathering are another well-publicized issue, Guinn said. The U.S. government has, in fact, prohibited the use of products from certain companies, such as Chinese telecom suppliers Huawei and ZTE, for this reason.
But while organizations have to be cognizant of possible backdoor issues, Guinn added, in reality they are far more likely to encounter problems related to misconfigurations.
3. Protect remote access
Almost all internet-connected devices, especially in industrial and OT environments, support the manufacturers' ability to log into them remotely for loading updates and security patches and for tasks like checking system health. Often the contracts for the use of these devices explicitly give manufacturers the right to this access, Guinn said. And generally, he added, most organizations contract the company that manufactured their IoT systems to also maintain them, so they can have the highest degree of system uptime.
As a result, the manufacturer almost always has some level of backdoor access to manage these systems on behalf of the company that acquired them. "That means, by extension, the attack surface of a particular set of assets now reaches beyond your enterprise and your own operational technology infrastructure, into the infrastructure of the vendor and whomever they have attaching to their network," Guinn said.
To address this risk and ensure access is not being misused, Guinn recommends that organizations contractually assert their right to periodically vet their IoT vendors' programs, procedures and governance policies. "You've got to contractually have it embedded in your agreement that you can audit your vendor's security practices," he said.
In addition, organizations should also ensure they have the ability to do spot audits -- if not directly, then at least via a third party. "You need to be able to check to make sure the company you are acquiring these services from is actually doing what they said they would be doing," Guinn noted. He recommends presenting these audit requirements to the vendor as a partnering and teaming exercise rather than a security vetting process.
4. Vet your outsourcers
Many organizations outsource their IoT environments to third parties. A growing number of companies -- Amazon, Microsoft, Google and dozens of others -- offer a range of services designed to help companies internet-enable and manage environments and products. Manufacturers of consumer goods, for instance, often use such third-party IoT service providers to add internet connectivity to their products.
Industrial organizations might use them to collect and manage data from sensors on factory floors; city planners might use them for better managing traffic flows, and transportation companies for fleet management. "Very few organizations have the scale to develop and deploy IoT devices for their own environments," said Cornell. "So security challenges associated with IoT are almost all related to third-party and supply chain risk."
When organizations outsource their IoT environment to a third party, they need to vet it in the same way they would any technology vendor. As the responsible party, the organization that is doing the outsourcing must demonstrate adequate control assurance over the relevant risks, said Miller of Shared Assessments.
A third party responsible for deploying and managing an IoT environment should be able to provide a complete inventory of all connected devices and networks. Also important is demonstrating adequate controls for mitigating risks that are commensurate with the criticality and function of the data or service being provided, Miller said.
As part of the due-diligence process, organizations need to ensure the network that hosts IoT devices is properly secured, with strong authentication and network controls that limit access to the IoT environment. Check if the vendor has a response plan for security incidents in the IoT environment, and if they have a process for removing devices with inadequate security controls. Miller said it is also important to verify that the outsourcer monitors IoT activity for suspicious or anomalous system or user behavior.
"In some industries [such as] financial services and utilities, contracts for the outsourcing of so-called critical activities may require higher levels of assurance, such as specific requirements set by regulators or industry bodies such as payment card industry [council]," Miller noted.
An organization that gives third-party service providers virtual access to information systems must establish a certain level of mutual trust and transparency, Forbes of Booz Allen said. Risk and IT managers need to work with their suppliers to identify and track risk factors related to manufacturing locations, ownership, supplier relationships and available attack surface. Forbes added that the organization should implement continuous monitoring throughout a third-party product lifecycle and eventually expand the scope of vetting and monitoring to include subcontractors.
5. Make sure to consider all third-party risks
Risk management programs that target IoT cybersecurity and third parties need to consider both the initial security implications of deploying IoT systems and the ongoing risks, said Cornell. "Many IoT systems can be difficult if not impossible to upgrade after being fielded, so TPRM [third-party risk management] programs need to track the ability to update IoT systems over time as flaws are identified and hopefully addressed."
In addition, cybersecurity leaders should try to identify all exploitable weaknesses and access points into their supply chains, understanding why threat actors might be interested in targeting them and determining which high-value items might be at risk, Forbes said. The TPRM should address protocols and cyber hygiene such as access control, cyber awareness and training, incident response, media protection and physical security. It should also address data sharing between the vendor and with any second- and third-tier third-party subcontractors with whom they might be interacting, Forbes said.