How to Evaluate Cyber Risk in the Internet of Things?
The Internet of Things (IoT) is here. Sensors. Actuators. Home Automation. Smart Cities. Industrial Control Systems. Critical National Infrastructure. Essential Services. The list goes on – and it’s all being connected to our communications networks. According to IoT Analytics, by 2025 the total number of connected devices will top 27 billion. Many of these devices, especially those produced en masse at low cost, are inherently insecure: their components or bundled software have been linked to known, publicly documented vulnerabilities.
Often, these devices are procured and deployed in critical settings without any knowledge of the vulnerabilities associated with them.
It follows that as the number of devices increases, so too will the attack surface of an organisation’s network. Furthermore, data loss is no longer the primary threat – IoT devices can have real-world, physical impact. These threats are difficult to assess, for a number of reasons. Firstly, asset discovery is difficult. Not all devices are discoverable on a WiFi network, as many edge nodes are beginning to take advantage of cellular connectivity – especially with the advent of 5G – and so never appear on the local network at all.
Secondly, even when devices are discovered, the security implications of their presence on the network are difficult to assess. What software is running on them? Are there any known vulnerabilities in the components? Do they still have default passwords, or SSH ports enabled? What risk do all of these factors pose in combination?
These are the sorts of questions that keep a digital security architect up at night – well, the good ones anyway. But how do we find out answers to these questions?
The current approach involves hiring security experts to run expensive penetration tests and cyber analysis on the devices in your network. However, with 12 billion active devices in the world today, it is simply not feasible to assess every device manually like this.
The key, therefore, is to automate those tasks which are tedious and time consuming. Ultimately, the risk assessment of a network still requires the expert experience of a security professional. But the collation of the information which informs that assessment can (in theory) be automated. For example, when one security researcher deconstructs a device to discover its components, and assesses their capabilities, that information is siloed within a single organisation, or in many cases, with an individual. For a market with such enormous demand and no practical way to fill it, this is a huge inefficiency.
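The questions above (what software is running, which known vulnerabilities apply, whether default passwords or SSH are still enabled, what physical impact the device can have) are exactly the facts that can be collated automatically before an expert weighs them. The following is an added illustration, not Iotabl's code or scoring model: it takes a constructed device inventory, combines the worst known CVSS score with exposure factors and a physical-impact multiplier under hypothetical weights, ranks the devices, and separately flags devices that nobody has assessed at all, since an empty vulnerability list usually means "unknown" rather than "safe".

```python
"""Added example: collate per-device facts into an explainable risk ranking.

The inventory, the field names and the weights below are all constructed
assumptions for illustration; they are not Iotabl's data or scoring model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    name: str
    firmware: str                 # version string as discovered on the device
    default_credentials: bool     # factory password still in place?
    ssh_exposed: bool             # management shell reachable from the network?
    physical_actuator: bool       # can the device act on the physical world?
    cvss_scores: List[float] = field(default_factory=list)  # CVSS of known CVEs
    assessed: bool = False        # has anyone actually examined this device?


# Hypothetical weights: exposure factors add to the worst known CVSS score,
# the sum is capped at 10, then scaled by physical impact (range 0..15).
WEIGHT_DEFAULT_CREDS = 3.0
WEIGHT_SSH_EXPOSED = 2.0
WEIGHT_BOTH = 1.0          # default creds + remote shell = trivial remote login
IMPACT_ACTUATOR = 1.5      # an actuator failing is worse than a sensor failing


def risk_breakdown(dev: Device) -> Dict[str, float]:
    """Return the components of the score so an expert can see why it is high."""
    base = max(dev.cvss_scores, default=0.0)   # worst known vulnerability
    exposure = 0.0
    if dev.default_credentials:
        exposure += WEIGHT_DEFAULT_CREDS
    if dev.ssh_exposed:
        exposure += WEIGHT_SSH_EXPOSED
    if dev.default_credentials and dev.ssh_exposed:
        exposure += WEIGHT_BOTH
    likelihood = min(10.0, base + exposure)
    impact = IMPACT_ACTUATOR if dev.physical_actuator else 1.0
    return {
        "base": base,
        "exposure": exposure,
        "impact": impact,
        "score": round(likelihood * impact, 2),
    }


def risk_score(dev: Device) -> float:
    return risk_breakdown(dev)["score"]


def rank_devices(inventory: List[Device]) -> List[Tuple[str, float]]:
    """Highest-risk device first, so the expert's time goes where it matters."""
    scored = ((d.name, risk_score(d)) for d in inventory)
    return sorted(scored, key=lambda item: item[1], reverse=True)


def unassessed(inventory: List[Device]) -> List[str]:
    """Devices nobody has looked at: a score of 0 here is a gap, not a clean bill."""
    return [d.name for d in inventory if not d.assessed]


# Constructed sample inventory (hypothetical devices and values).
SAMPLE_INVENTORY = [
    Device("lobby-camera", "1.0.3", default_credentials=True, ssh_exposed=True,
           physical_actuator=False, cvss_scores=[7.5, 5.3], assessed=True),
    Device("boiler-controller", "2.4.0", default_credentials=False, ssh_exposed=False,
           physical_actuator=True, cvss_scores=[9.8], assessed=True),
    Device("temp-sensor", "unknown", default_credentials=False, ssh_exposed=False,
           physical_actuator=False, cvss_scores=[], assessed=False),
]

if __name__ == "__main__":
    for name, score in rank_devices(SAMPLE_INVENTORY):
        print(f"{name:20s} {score:5.1f}")
    print("unassessed:", unassessed(SAMPLE_INVENTORY))
```

The point of returning a breakdown rather than a bare number is that the ranking is only a triage aid: the expert still decides whether a default password on an isolated camera matters more than an unpatched controller on a segmented network, and the collated facts let them decide that in minutes rather than after days of manual teardown.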
With Iotabl, security experts can share that information with one another once discovered, slowly but surely mapping the Internet of Things. This means that an individual security expert will be able to evaluate the risk of the entire network in a much shorter period of time, whereas previously they would have to spend a lot of time manually researching, investigating, and deconstructing each and every device that touches the network.
This means that the real value of a security expert – their experience, knowledge, qualifications and opinions – can be put to much better use. After all, it is the assessment of the network which is valuable – not the manual collection of information.