Managing risks related to IoT and external suppliers

Recently, the scope of the attack has expanded further as the development of the Industrial Internet of Things has favored third party intervention, thus expanding vectors of indirect and equally effective attacks.

The Internet of Things (IoT) is one of the most important disruptive technologies of the last decade. IoT devices have moved from purely commercial purposes to everyday service, transforming the lives of homes and cities. These devices make it possible to efficiently manage operations, expand product offerings and deliver increasingly unique user experiences in an automated way like never before. This has not escaped the notice of the cybercriminals who managed to customize this new royal road to systems and data.

While its applications seem limitless, the Internet of Things presents new risks that companies need to consider. A recent study by Palo Alto Networks revealed that approximately 98% of the traffic of these connected objects in a professional environment is unencrypted. If we add weak password configurations, outdated software or even unpatched systems among the non-exhaustive list of vulnerabilities, attackers have many vectors to exploit to gain unauthorized access to an organization’s network.

Dive into the risks associated with the Internet of Things

This wave of technological advancement carries risks that have not yet been properly assessed or addressed. These can emerge from the company’s infrastructure, as well as from any external provider of outsourced smart devices, for business and home applications. These can include seemingly innocuous devices such as smart CCTV systems, motion sensors and air conditioners, as well as thousands of other devices.

In addition, cyber attacks are becoming increasingly automated and rely on artificial intelligence (AI) and machine learning. These “smart” threats can damage any business running faster through advanced machine speed attacks, exploiting their IoT networks. In order to counter this emerging threat, AI is now preferred to manage defense mechanisms and neutralize advanced threats within industrial systems. However, these are not immune to vandalism, especially if their data has been changed, or if the systems or AI are not configured properly.

Managing privacy and cybersecurity risks for the Internet of Things

Since there are no specific cybersecurity standards or guidelines for connected things, cybersecurity professionals find it difficult to manage the emerging risks of these technologies. For example, the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST) is currently developing a framework for managing privacy and cybersecurity risks for the Internet of Things.

In May 2021, NIST published Establishing Trust in IoT Device Security: How We Get There?, a white paper outlining the landscape of trust mechanisms currently available to establish security for IoT devices in the marketplace. This post aims to start a dialogue about what it means to trust the cybersecurity of IoT devices used by individuals and organizations; Plus the different ways to gain that trust.

This document is part of a series of publications launched in 2019 by the National Institute of Standards and Technology (NIST) to provide more information and details about the cybersecurity of Connected Objects and risks related to data confidentiality.

Keeping pace with changing technologies

It is clear that considering the risks posed by IoT devices is an increasingly important criterion for ensuring the success of a corporate security strategy. As organizations like NIST define global frameworks that govern IoT cybersecurity and data privacy management, monitoring threats from third-party environments, and developing industry standards, regulations, and legal requirements is essential. Mapping the third-party environment allows companies, in particular, to manage the risks associated with suppliers while controlling costs.

Most of the IoT devices and technologies supporting enterprises are provided by third parties. As these companies are under the threat of malicious actors, this means that the majority of risks related to the Internet of Things originate from the supply chain, and therefore their overall security must be strengthened.

Leave a Comment