Internet of Things henceforth referred to as IoT in the article refers to all the devices connected to the internet which “talk” to each other. This means if your washing machine is connected to the Internet and it talks to a cloud server giving its health information to the company’s server, it would qualify as an IoT device. So, Simply, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together.
The IoT is one of the most talked about technologies nowadays. Every company is working on its implementation and introduction into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks faced by the deployment of this technology. The traditional method of doing a risk assessment involves identifying assets, their weaknesses, threats that they may face, and potential danger in case of exploitation. On identification of these risks, they are prioritized and countermeasures are adopted to treat these risks.
These traditional approaches are based on certain assumptions, the primary one being that the dynamism is extremely low. When you identify the assets, this would be one-time activity and these assets won’t change much in a risk assessment period of say 6 months at the least. What if the number of assets and the risk associated with them were to change every minute or day? Clearly, the risk assessment methodologies such as NIST SP 800-30, OCTAVE, FRAP, etc are not equipped to handle the complexity which IoT presents us.
In this blog post, we will try to understand the current methods of risk assessment, their shortcomings in their application to complex systems such as IoT, and propose certain methods to handle the issues at hand.
In the earlier blog post on Risk Management, we learned about risk management being defined as:
A process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level, and then maintaining that acceptable level.
If we apply the same definition in the IoT environment, the overall concept of risk management remains the same. Wouldn’t it? In principle, yes. However, let us understand the practical challenges here. Risk Assessment is an integral part of Risk Management. Risk assessment has certain methodologies through which we can assess the risk(s) faced by the organization. If we apply, NIST SP 800-30, we need to identify the assets ( IT only), the vulnerabilities, and the threats faced, and then the calculation of risk and propose countermeasures to treat the risk and then monitor the complete system.
Let’s take another one. The Facilitated Risk Analysis Approach (FRAP) is focused on identifying the systems that really need assessing to reduce time and costs. It analyses one system, application, or business at a time. Data is gathered and threats to the business operations are prioritized based on their criticality. Since it is a qualitative approach, you ask experts to gather around and discuss the risks which this particular asset, system, or application would face.
If you observe these methodologies, you would appreciate the fact that they are focused on identifying critical assets and the harm that may occur to them or the threats faced by a particular asset or application. This means you follow the asset-based approach or a threat-based approach when you use these methodologies.
Clearly, the approach taken by these methodologies applies best to a static system. When the complexity and dynamism in the system change every minute, such risk assessment methodologies will not stand the test of time. Risk is a complex word in itself. It is a probabilistic measure of a threat exploiting a vulnerability. When threats and vulnerabilities change on a continuous basis, the calculation (quantitative) or identification (qualitative) of risks faced becomes an enormous challenge.
An IoT device is not much of a complete system in itself. It needs the help of many parts to fully function and be usable. It is like a part of the body which is useless without the complete body. In extremely simple terms, an IoT system would be made up of at least 3 components – application, cloud environment and Thing environment. All these would communicate with each other using application programming interfaces. The following article explains this in detail - https://www.rfpage.com/what-are-the-major-components-of-internet-of-things.
Let us consider a situation now:
An organization deploys IoT devices to monitor, analyze and optimize the electricity consumption in a small town. Whenever a new electronic device is switched on or off, the devices would send real-time reports to a cloud environment through a network specifically designed to connect all the IoT devices together. This is one of the very common scenarios faced by an organization that is working on the deployment of integrating the IoT into a concept such as Smart Cities.
As a security professional, if you would apply the traditional approaches to understand the risks in this environment, your report would be old by the time you finish counting the total number of assets. This is because the traditional approaches are based on a concept called periodicity which is based on an assumption that the risks faced by an environment will not change for a short period of time. Another assumption is that when we gather a group of experts in a room and ask them to list all the threats, they would be able to do with ease because they have prior knowledge about the systems and the environment. The third and one of the possible notion is that the assets can never be an attack platform. The assets are always of value to us.
If we apply all the 3 assumptions to our example, some of the shortcomings of these approaches would be very clear.
Periodicity – New devices will join and leave the environment every moment, and hence the assumption that the environment would not change stands invalid here.
Knowledge – While the experts may try to identify some of the basis of the threat the knowledge they have, it is completely impractical to call them every time a device is added or removed.
Attack platform – What if the IoT devices are hacked and they start controlling the entire network or the devices?
So what is the solution?
Given the complexity and the dynamism of the system involved, we need to break the complete problem into multiple parts and work on the solution. I propose that we segregate the static and dynamic components of these complex systems. If we consider our earlier example, we would find that there are certain components that would not change over a period of time.
1. The total number of sensors deployed.
2. The network interface.
3. The APIs
4. The cloud environment.
We can apply the traditional approaches to these aspects and also bring in real-time monitoring of these systems.
For the dynamic part, we can take the help of artificial intelligence and machine learning. Just like a self-driving car learns to identify scenarios where it has to stop, avoid and anticipate the moves of several other vehicles, in a similar manner, machine learning can be deployed to identify all such possible scenarios basis which risks can be identified and treated further.
What do you think about it? Share your thoughts in the comment(s) section below.