• Subscribe

NIST Considers Cybersecurity Framework Covering IoT

Bluetooth devices, wireless television sets, smartwatches, and other electronics comprise the growing network of interconnected devices, often called the Internet of Things (IoT). Research firm Gartner predicts that the IoT will have more than 20 billion devices connected to one another by 2020. It has, in many ways, made our lives substantially easier. Whether it means being able to check your texts from your watch, using a webcam to video chat, or even using your car’s internal computer to answer phone calls, the IoT has integrated technology into our lives in a very streamlined and efficient way. While this technology has made certain tasks much easier, more and more companies and consumers are asking how safe these devices truly are.

Consumers often assume that whatever they are buying, particularly when it is a technology-related item like Internet-climate control or a smart fridge, is not only a functional product but is secure in an electronic sense, as well. However, instances such as when NBC’s story a man hacked into an Internet-connected baby monitor to scream at a ten month-old-baby are becoming increasingly common. Hackers have found it incredibly easy to hack and invade numerous IoT devices that consumers use on a daily basis and, because of this, everyday people are at a much greater risk of hijacking of social media accounts, involuntary extraction of personal files, or identity theft. Wearable electronics and other IoT devices like VoIP phones or IP cameras often use unsecured or poorly secured methods to access more secure connections, such as those in corporate offices or businesses. Once someone with malicious intent has gained access to the IoT device, they are often able to get inside the network that it is connected to, even if that network is more secure.

Even massive Internet address lookup services like Dyn, which facilitates information tranfer across domains from large, tech-based companies like Spotify, Twitter, and Reddit had its servers attacked by a coordinated, IoT-based DDOS attack. This global attack, which utilized an IoT botnet used to flood Dyn’s networks, prevented its customers from using or even accessing its domains for nearly 12 hours. While this may not seem like a lot of time, the amount of traffic pushed through sites like Amazon, Twitter, The New York Times, and others is huge, and all of these sites had their traffic and likely their revenue damaged by this large-scale attack.

In the face of these attacks, many companies that routinely use IoT devices are alarmed that they may not have basic security measures or up-to-date firmware. Gartner estimated that, “…by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets.” Take a firm that uses IP-based climate control in its data centers. Hackers could, in theory, use that climate control system to turn up the heat in server rooms, causing the servers within to overheat and cause severe damage to the firm and any customers or clients. In their IoT enterprise risk report, ForeScout Technologies outlines seven major devices that could present a serious risk to company and consumer privacy and safety. This includes security cameras, which could be disabled or tampered with to aid a break-in. They even claim that smart TVs, printers, phones, and smart lightbulbs can be hacked in roughly three minutes due to inadequate security measures. It seems highly unlikely that consumers will willingly forego the convenience of wireless printing, smart video conferencing, or a wristwatch phone interface. So then, what is being done about this increasingly worrying trend?

The National Institute of Standards and Technology (NIST), recently held a workshop detailing a potential update of its Cybersecurity Framework for Critical Infrastructure (CSF). The primary goal of this framework is to provide a sound basis for private and public organizations, companies, and government agencies to better assess and monitor their specific cybersecurity risks. NIST released the first version in 2014, and it has been adopted at around a 30 percent rate. The focus of the most recent CSF meeting dealt specifically with the danger of IoT products, signaling the increasing risk of using these products.

Megan Brown, Kat Scott, and Matt Gardner of Wileyconnect.com reported that the framework could be adopted to include more consumer-centric approaches to sensible cybersecurity, since so many of the IoT products in question are marketed towards making consumers’ every-day tasks more convenient. At present, much of the guidance revolving around IoT technologies centers around corporate clients, but people who may not update firmware, who may not use different passwords, and who just may not be as careful as they should be, have much fewer guidelines to follow. There are some, such as Michelle Drolet of networkworld.com, who have put together comprehensive lists of basic, consumer friendly tips to secure IoT devices. Even so, a version of CSF that is not only widely available but widely accessible will go a long way in ensuring incidents like those described above happen at a much slower pace. While the NIST is still working on Version 1.1 of the CSF, the overarching goals appear to be simplification, accessibility, and more broad protections because not just ‘Critical Infrastructure’ is at risk.

IoT technology represents some of the most innovative ways that society has improved the lives of both everyday consumers and big business. Wearable electronics, Internet based appliances, and IP-based monitoring devices have ushered in a new era of convenient technology that has already made our lives substantially easier and more integrated than ever before. Mounting security concerns is a substantial issue, but with proper information and a proactive, uniform approach, the livelihoods of people, of consumers, who otherwise would be harmed by those with malicious intentions, will be saved.

 

Read More:

“Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015″ (Rob van der Muelen, Gartner)

“How the Dyn DDoS attack unfolded” (Tim Greene, NetworkWorld.com)

“How Hackable is Your Smart Enterprise?” (ForeScout)

“Framework for Improving Critical Infrastructure Cybersecurity” (NIST)

“Cybersecurity Framework Updates Coming, Including on the Internet of Things” (Megan Brown, Kat Scott, Matt Gardner, Wileyconnect.com)

Copyright for image: Photographer, Stock Photo, License Summary.