A big hello to fellow Information Security and IT professionals. Today we will talk about key security and data privacy considerations for Internet of Things (IOT) devices. IOT adoption has grown organically, and IOT security requirements are playing catch-up. Let us begin our journey by defining IOT.
The Internet of Things (IOT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
In the Internet of Things, all the things that are being connected to the internet can be put into three categories:
- Collect information and then send it.
- Receive information and then act on it.
- Do both.
Now let us take a deep dive into some of the key considerations for IOT devices from an information security, risk and data privacy perspective.
Security by Design
It is very important to catch and fix vulnerabilities and weaknesses in the early stages of the development cycle. We can start with threat modelling using the STRIDE framework and then design the security controls in line with the threat modelling outcome. It is also important to consider applicable regulatory requirements early in the cycle.
Privacy by Design
IOT devices in general collect and process a large amount of personal data, so it is very important to implement data privacy controls early in the development cycle. It is also worth noting that data privacy regulations are getting stricter across the globe, in line with GDPR and CCPA requirements. We should also perform Data Privacy Impact Assessments (DPIA) at the onset of new device development.
Privacy by design, along with data minimisation and use limitation practices, is equally important for complying with applicable data privacy regulations. The purpose of data collection should match the data processing actually performed.
IOT Device Identification
The IOT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks. It is important to maintain an inventory of IOT devices with periodic or real-time updates.
IOT Device Configuration Management
Secure configuration management of IOT devices is one of the most important security considerations. Only an authorised user should be able to change the device’s software and firmware configuration. Access to IOT device configuration files should be restricted, and real-time activity monitoring should be implemented along with rule-based automation.
Secure disposal of IOT Device
It is very important to implement controls around the safe disposal/destruction of IOT devices, especially for IOT devices dealing with Sensitive Personal Information.
It is important to consider how the IOT device protects the data that it stores and transmits over the network from unauthorised access and modification. Encryption controls for data protection at rest and in transit are important.
A strong Identity & Access Management strategy is the need of the hour, including the least privilege and need-to-know principles. The device should limit access to its local and network interfaces. For example, the IOT device and its supporting software should gather and authenticate the identity of users attempting to access the device, such as through a username and password.
Software and Firmware Update
A device’s software and firmware should be upgradable using a secure and configurable mechanism. For example, some IOT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
It is important to put a process in place to monitor and validate the update (patch/version) status of each IOT device in the IOT inventory. Pen tests should be performed on a regular basis or after a major upgrade, and critical/high-risk findings should be remediated on priority.
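As an added illustration (not code from the original post), the sketch below audits a device inventory against a minimum-firmware baseline and flags duplicate identifiers and devices that have stopped reporting. The record fields, model names, versions and the seven-day reporting policy are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed baseline: minimum approved firmware per model (assumed values).
MIN_FIRMWARE = {"thermo-x1": "2.4.0", "cam-z3": "1.10.2"}
MAX_SILENCE = timedelta(days=7)  # assumed policy: devices report at least weekly

# Constructed inventory; serials, models, versions and timestamps are illustrative.
INVENTORY = [
    {"serial": "SN-0001", "model": "thermo-x1", "firmware": "2.4.1", "last_seen": "2024-05-30T08:00:00+00:00"},
    {"serial": "SN-0002", "model": "thermo-x1", "firmware": "2.3.9", "last_seen": "2024-05-30T09:00:00+00:00"},
    {"serial": "SN-0003", "model": "cam-z3", "firmware": "1.9.7", "last_seen": "2024-05-01T00:00:00+00:00"},
    {"serial": "SN-0004", "model": "lock-q9", "firmware": "0.9.0", "last_seen": "2024-05-29T12:00:00+00:00"},
    {"serial": "SN-0001", "model": "cam-z3", "firmware": "1.10.2", "last_seen": "2024-05-30T10:00:00+00:00"},
]

def parse_version(text):
    """'1.10.2' -> (1, 10, 2), so 1.10.2 sorts above 1.9.7 (a string compare would not)."""
    return tuple(int(part) for part in text.split("."))

def audit_inventory(inventory, baseline, now, max_silence=MAX_SILENCE):
    """Return (record index, serial, issue) tuples for every problem found."""
    findings, first_seen_at = [], {}
    for index, device in enumerate(inventory):
        serial = device["serial"]
        # The identifier must be unique, otherwise patch status cannot be attributed.
        if serial in first_seen_at:
            findings.append((index, serial, "duplicate-identifier"))
        else:
            first_seen_at[serial] = index
        minimum = baseline.get(device["model"])
        if minimum is None:
            findings.append((index, serial, "no-baseline"))
        elif parse_version(device["firmware"]) < parse_version(minimum):
            findings.append((index, serial, "outdated-firmware"))
        # A device that stopped reporting has an unverified patch status.
        if now - datetime.fromisoformat(device["last_seen"]) > max_silence:
            findings.append((index, serial, "stale-record"))
    return findings

if __name__ == "__main__":
    audit_time = datetime(2024, 5, 31, tzinfo=timezone.utc)  # fixed for repeatability
    for finding in audit_inventory(INVENTORY, MIN_FIRMWARE, audit_time):
        print(finding)
```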
Cybersecurity Event Logging
IOT devices should log cyber security events and make the logs accessible to the owner or manufacturer. If possible, we should implement rule-based alerts to detect and act on suspicious activities. Integration with a SIEM solution should be considered.
We should ensure that configuration file activity logs are monitored continuously and audited on a regular basis.
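The rule-based alerting described above can be sketched as follows; this is an added example, not code from the original post. The JSON log format, field names, allow-list and thresholds are assumptions, and the log lines are constructed sample data.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTHORISED_CONFIG_USERS = {"svc-deploy", "admin-ops"}  # assumed allow-list
FAILED_LOGIN_THRESHOLD = 3                              # assumed threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=5)              # assumed window

# Constructed device event log, one JSON object per line (assumed format).
SAMPLE_LOG = """\
{"ts":"2024-05-30T10:00:00","device":"SN-0002","event":"login_failed","user":"admin","src":"10.0.0.8"}
{"ts":"2024-05-30T10:01:00","device":"SN-0002","event":"login_failed","user":"admin","src":"10.0.0.8"}
{"ts":"2024-05-30T10:02:30","device":"SN-0002","event":"login_failed","user":"admin","src":"10.0.0.8"}
{"ts":"2024-05-30T10:03:00","device":"SN-0002","event":"config_change","user":"admin","file":"/etc/device.conf"}
{"ts":"2024-05-30T11:00:00","device":"SN-0001","event":"config_change","user":"svc-deploy","file":"/etc/device.conf"}
{"ts":"2024-05-30T11:05:00","device":"SN-0003","event":"login_failed","user":"guest","src":"10.0.0.9"}
not-json
"""

def detect(lines):
    """Apply the alert rules in log order and return (rule, device) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)  # (device, source) -> failure timestamps
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A damaged or tampered log line is itself worth an analyst's attention.
            alerts.append(("unparseable-log-line", None))
            continue
        ts = datetime.fromisoformat(event["ts"])
        if event["event"] == "config_change":
            if event["user"] not in AUTHORISED_CONFIG_USERS:
                alerts.append(("unauthorised-config-change", event["device"]))
        elif event["event"] == "login_failed":
            window = recent_failures[(event["device"], event["src"])]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()  # forget failures that fell out of the window
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated-login-failure", event["device"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In a SIEM deployment the same conditions would normally be written as correlation rules in the SIEM's own rule language.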
Integrated Risk Management for IOT
It is important to integrate the risk management of IOT devices with existing firm-wide risk management processes, including risk identification, assessment, treatment and tracking via the risk register.
We should also consider existing best practices and security frameworks, including NIST guidelines on IOT management and the CCSK IOT security framework.
With this we will take a pause. Please feel free to share your thoughts/questions in the comments section of the blog. Happy Reading!
Deepesh Kumar works as Associate Director – Information Security Risk Management at Novartis. He has also worked with Morgan Stanley and JPMorgan Chase & Co. He holds CISSP, PMP, CIPP-E, AWS Cloud solution Architect, Azure Architect Design, and other Information Security relevant certifications.