Page 1

Internet of Things (IoT)

Securing the Connected Ecosystem

June 2018

Page 2

Copyright © 2018 Deloitte Development LLC. All rights reserved. 2

Making sense of the buzzwords: What is the Internet of Things?

Internet of Things (IoT) refers to a world of intelligent, connected devices that generate data for automating business processes and enabling new services.

Diagram: IoT at the centre of four elements.

• Things: physical devices and objects intelligently connected

• Process: individual data streams are processed and analyzed with algorithms

• Analytics: delivery of the right information to the right place at the right time

• People: connection of people in more relevant and valuable ways

Page 3

IoT and the information value loop

Increasingly, organizations are developing approaches to managing data, leveraging “brownfield” infrastructure, and developing new business models.

Diagram: the information value loop, from Things to Applications.

• Stages of the loop: Create, Communicate, Aggregate, Analyze, Act

• Technologies at each stage: Sensors, Network, Standards, Augmented Intelligence, Augmented Behavior

• Value drivers: MAGNITUDE (Scope | Scale | Frequency), RISK (Security | Reliability | Accuracy), TIME (Latency | Timeliness)

Page 4

Challenges Facing IoT and Industry 4.0 Strategies

The need to digitalize and automate operations is now widely recognized as an opportunity for competitive advantage, but various challenges are impacting adoption.

• Lack of access to proof points

• Lack of a clear, phased, strategic plan

• Lack of collaboration within the culture

• Need for large-scale and rapid investment

• Skills shortage and resistance to outsourcing

• Concerns over cybersecurity and data

Source: Siemens Financial Services, Practical Pathways to Industry 4.0, Spring 2018

Page 5

IoT and Increased Cyber Risk

Page 6

Innovations driving rapid growth also create complex cyber risks

Evolution of Internet of Things (IoT) Innovations

• Before interconnectivity: exposure involved breaching the physical security associated with the device (e.g., physical theft, physical damage to equipment, or product espionage).

• Evolution: as systems advanced and were attached to networks, newer points of exposure were introduced to the already vulnerable systems.

• Present day: technology now includes ever more complex, configurable, embedded processors and increased interconnectivity, creating a myriad of newer, innovative yet significant threats.

• Cyberspace: the interconnected network of systems and assets (physical or virtual) that includes data, human resources, telecommunications networks, computer systems, etc.

• New assets: the continuously evolving complexity of hardware/software components of cyberspace makes these assets the crown jewels of an organization, particularly data that once used to be physical, such as personal information, intellectual property, etc.

• Cyber attacks: having recognized the value of these assets and the difficulty faced by organizations in dealing with the new threats, various actors are seizing the opportunities to exploit weaknesses to gain access to sensitive information.

In a world increasingly driven by inter-connected digital technologies and information, cybersecurity is more than just a strategic imperative, it is a fundamental part of doing business.

1 Digital Transformation, or Industry 4.0, is defined by McKinsey in the following way: “Industry 4.0 [is] the next phase in the digitization and automation

Page 7

The rise of IoT cyber risks today

Diagram: the seven factors below converge on IoT cyber risk.

Environmental and industry factors

• Increased connectivity: Organizations are moving toward IoT by adding more complex features and network connectivity to their products to stay competitive and meet customer demand.

• New valuable digital assets: “Digital assets” including customer data, employee data, intellectual capital, etc., are increasing in size and number as the systems on which they are stored become virtualized and interconnected. As more data accumulates through the use of IoT devices, it often also becomes more valuable.

• Motivated attackers: Adversaries have promptly recognized the value of digital assets and have become more and more motivated to steal that data or disrupt operations for their own advantage.

Factors that lead to security weaknesses

• Unsecure technology & processes: Many organizations often do not take security into account for their processes and technology.

• Lack of awareness: Many organizations lack an understanding of cyber threats and the need for proper cyber security to protect against threats.

• Complacency: Many organizations have an over-reliance on existing IT security processes and tools that may not apply well to new IoT technologies.

• Limited resources: Many organizations lack appropriately skilled resources or strength in the existing IT organization to focus on addressing IoT-related cyber security issues.

Page 8

The four attack vectors of the cyber threat actor

Logical

Periphery – Adjacent to Network Perimeter: The ability to leverage access and attack methodologies against an organization’s network perimeter and firewall settings in order to find holes and infiltration vectors.

Local – Inside the Network: The ability to compromise applications, operating systems, and computing equipment that resides within the boundaries of an organization’s network.

External – Outside the Network: The ability to compromise an organization by determining which external websites are used; subsequently compromising those sites and using them as infiltration vectors.

Human

Social Engineering: The use of virtual, physical, and interpersonal techniques designed to deceive an organization into taking an unintended action.

The Insider: The ability to leverage pre-existing personnel within an organization or to physically insert operators into an organization in order to directly carry out threat operations.

Coercion: The ability to leverage threats, bribery, emotional appeals, and ideological reasoning to infiltrate organizations with highly sensitive information contained within their networks.

Physical

Supply Chain: The ability to sabotage the supply chain in order to compromise computer equipment.

Physical Infrastructure Nodes: The technology and capabilities to compromise physical nodes to include cell infrastructure, switching centers, SATCOM, WiMax, Antennas, Radio Relay, etc.

Physical Infrastructure Links: The technology and capabilities to compromise physical links to include fiber optic cable, RF signals, wireless signals, coaxial cable, telephone lines, satellite signals, microwave signals, etc.

Economic

Acquisition: The process of acquiring needed access through mergers, buy outs, or the use of monetary instruments to buy access to a select network or type of data via the open market, black market, or some other kind of trade/exchange relationship.

Development: The ability to conduct business development activities within a country for the purpose of using built infrastructure to facilitate a collection apparatus.

Sanction: The use of economic denial to force an entity into making a business purchase decision that can, in turn, be manipulated by an adversary to enable access opportunities.

Page 9

With new innovative IoT functionality comes new cyber risks

By integrating the networking strength of IoT with exponential technologies like robotics and 3D printing, organizations are on a path to realizing scenarios like this one:

• In-air detection and notification: In mid-flight, an aircraft part recognizes it is not functioning properly. The aircraft sends a message to the ground about the malfunctioning part for repair upon arrival.
  Risk: the information is intercepted and used maliciously, or the message is altered to cause delays / confusion.

• On-demand supply chain: The part used in the repair will need to be replaced upon landing, so before arrival, a 3D printer at the arrival airport receives a signal to print the part.
  Risk: the signal is intercepted or altered to create delays; a vulnerable 3D printer is used as an entry point to infiltrate the broader supply chain network.

• Connected, autonomous tarmac: The printed part should be delivered to the arrival gate. An autonomous vehicle picks it up and makes the delivery.
  Risk: the autonomous vehicle is disabled or controlled remotely to endanger lives / damage equipment on the tarmac.

• Connected Employee: The mechanic uses heads-up display eyeglasses to view reference documents from the cloud. Using a borescope connected to a wireless tablet, the mechanic streams live video to a remote engineer, allowing the repair and inspection to benefit from the engineer’s authority without the need for travel. As a result, the aircraft is able to leave on time.
  Risk: the wireless connection is flooded and results in a denial-of-service attack.

Page 10

Audit Considerations

Page 11

What is the typical scope of an IoT security audit?

Audit scope

In order to audit the current state of the organization’s IoT security processes and provide recommendations against specific security requirements, leveraging industry leading practices, the below activities should be considered:

• Obtain and assess the completeness of policies, standards, and procedures compared to leading practices

• Interview personnel responsible for security functions and perform procedural walkthrough interviews to understand the policies, standards, and procedures in place:

  o Governance

  o Security & privacy risk management

  o Security event handling

  o External communications

  o Security education & training

  o Program monitoring

Page 12

What governance is in place for securing IoT devices across the organization?

Governance and leadership

Sample Audit Considerations

• What is the governance model around IoT security?

• Is there a single governance model in use and is it driven down from the top?

• Are groups from across the organization included in the governance model and operations?

• Is there a program framework that includes the future state vision?

• Is a strategy and roadmap in place to achieve future state goals?

• Is an overarching IoT security policy in place?

• Are security gates included throughout the device lifecycle (e.g., acquisition) where cybersecurity's signature is required?

Audit framework areas: Governance | Security Risk Management | Privacy Risk Management | Security Event Handling | External Communications | Security Education and Training | Program Monitoring

Page 13

What risk management processes are in place regarding security and privacy?

Security and privacy risk management

Sample Audit Considerations

• Are there formalized security and privacy IoT requirements?

• Are security and privacy requirements provided to manufacturers during IoT device procurement?

• Are security and privacy risk assessments and technical security testing completed for IoT devices during procurement and periodically once fielded?

• Are risk management thresholds established for triggering risk management decisions (accept, mitigate, transfer, avoid)?

• Are both program- and device-level security and privacy assessments completed prior to procuring IoT devices?


Page 14

What processes are in place to keep IoT devices safe and secure once fielded?

Security event handling

Sample Audit Considerations

• Does the organization subscribe to threat and information sharing feeds?

• Is a software-bill-of-materials (SBOM) obtained from the manufacturer and used to identify vulnerabilities at the software level?

• Is there a process and mechanism in place to identify and rollout patches as permitted by service level agreements?

• Is a process in place to handle security events once identified and feed incident handling as appropriate?

• Is a process in place to handle security incidents?

• Is technology in place to monitor for IoT device security events and incidents?
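The SBOM and threat-feed questions above describe a concrete control: match the components listed in each manufacturer-supplied SBOM against an advisory feed and rank the fielded devices that are affected. The script below is an added example of that matching step, not code from the Deloitte deck. The two SBOM documents, the advisory entries and their ADV-EXAMPLE identifiers are constructed samples in a simplified CycloneDX-like shape; real feeds identify components by CPE or package URL and express ranges more richly than the single "fixed in" version assumed here.

```python
"""Match manufacturer-supplied SBOMs against a vulnerability advisory feed.

Added illustration for the security event handling audit questions. The SBOMs
and advisories below are constructed samples, not real device data or real
advisories; the JSON shape is a simplified CycloneDX-like layout (assumption).
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOMs, one per fielded device (CycloneDX-like JSON, simplified).
SBOM_DOCUMENTS = {
    "camera-lobby-01": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "busybox", "version": "1.31.1"},
            {"name": "openssl", "version": "1.1.1d"},
            {"name": "lighttpd", "version": "1.4.55"},
        ],
    }),
    "hvac-controller-07": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "busybox", "version": "1.36.0"},
            {"name": "openssl", "version": "1.1.1w"},
        ],
    }),
}

# Constructed advisory feed entries with placeholder IDs (not real CVEs).
# 'fixed_in' is the first version that is no longer affected (assumption).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "fixed_in": "1.1.1k", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "busybox", "fixed_in": "1.34.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "component": "lighttpd", "fixed_in": "1.4.56", "severity": "low"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.1.1d' into a comparable tuple.

    Each dotted part becomes (number, letter_rank) so that an OpenSSL-style
    letter suffix sorts after the bare release: '1.1.1' < '1.1.1d' < '1.1.1k'.
    """
    key: List[int] = []
    for part in version.split("."):
        match = re.fullmatch(r"(\d+)([a-z]*)", part)
        if not match:
            raise ValueError(f"unsupported version string: {version!r}")
        number, suffix = match.groups()
        key.append(int(number))
        key.append(ord(suffix[0]) - ord("a") + 1 if suffix else 0)
    return tuple(key)


def parse_sbom(document: str) -> Dict[str, str]:
    """Return {component name: installed version} from an SBOM document."""
    bom = json.loads(document)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unrecognised SBOM format")
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def affected_advisories(components: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """List the advisories whose component is installed below the fixed version."""
    hits = []
    for adv in advisories:
        installed = components.get(adv["component"])
        if installed is None:
            continue
        if version_key(installed) < version_key(adv["fixed_in"]):
            hits.append({"id": adv["id"], "component": adv["component"],
                         "installed": installed, "fixed_in": adv["fixed_in"],
                         "severity": adv["severity"]})
    return hits


def triage(sbom_documents: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, List[dict]]]:
    """Return [(device, hits)] for affected devices, worst severity first."""
    results = []
    for device, document in sbom_documents.items():
        hits = affected_advisories(parse_sbom(document), advisories)
        if hits:
            hits.sort(key=lambda h: SEVERITY_RANK[h["severity"]], reverse=True)
            results.append((device, hits))
    results.sort(key=lambda r: SEVERITY_RANK[r[1][0]["severity"]], reverse=True)
    return results


if __name__ == "__main__":
    for device, hits in triage(SBOM_DOCUMENTS, ADVISORIES):
        print(device)
        for hit in hits:
            print(f"  {hit['severity']:<7} {hit['id']} {hit['component']} "
                  f"{hit['installed']} -> fixed in {hit['fixed_in']}")
```

Run as a script it reports only camera-lobby-01, with three findings ordered high, medium, low; the HVAC controller carries patched versions of both shared components and is not listed. The per-device output is exactly the input a patch rollout process needs to decide what is permitted under the relevant service level agreement.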


Page 15

What information is exchanged with and obtained from external parties and how is it handled?

External communications

Sample Audit Considerations

• What information is requested from the manufacturer for each of the organization’s IoT devices?

• Does the organization centrally store IoT device security attribute information in a central repository?

• Does the organization participate in information sharing groups, standards setting bodies, and conferences?

• How are inquiries from external parties handled and who is typically involved in generating responses?

• Are security points of contact identified for each manufacturer within the manufacturer’s corporate IoT/product security or R&D team?


Page 16

What security training is provided to personnel to assist with securing IoT devices?

Security education and training

Sample Audit Considerations

• Is security awareness training delivered to IoT security practitioners and other specific stakeholders across the organization?

• Are secure development lifecycle and privacy-by-design training delivered to IoT security personnel?

• Is training provided on each of the organization’s IoT security processes and when that process should be completed in the device lifecycle?

• Is a mechanism in place to track the effectiveness of the provided training?

• Is a competency-based learning (CBL) model in place to configure training per role, level of experience, and knowledge?


Page 17

What processes are in place to know how well the IoT security program is performing?

Program monitoring

Sample Audit Considerations

• Are key performance indicators for IoT security operations established, collected, and reported to leadership?

• Is a risk-based IoT device inventory in place, which consists of select security information including, but not limited to device risk profiles and previous security risk history?

• Is a program audit and assessment framework in place to identify if processes are being followed and are performed in alignment with industry leading practices?


Page 18

Next steps

Page 19

Top 5 Initiatives to Secure IoT Environments

The following categories have been identified as having the highest positive impact on an organization’s cyber risk profile.

1. Business and IT Alignment (Improved Governance Processes)

2. Improved Network Visibility

3. Extend Network Segmentation and Vulnerability Management Capabilities

4. Improved Management of Powerful IDs and Vendors

5. Integrating IT and IoT security and threat management programs and platforms

Page 20

What are some of the takeaways and actions that can be considered to address the complex issues that are being created?

What can be done now to help mitigate an organization’s cyber risk?

What actions can be taken

• Conduct an audit of your current state IoT security organization to assist with the development of a strategy and roadmap to enhance security capabilities

• Establish a risk-based inventory of your IoT devices to allow for prioritization, analysis, remediation, and monitoring

• Hold IoT device manufacturers accountable to include cybersecurity within the design of their products by leveraging secure procurement processes

• Integrate cybersecurity into your procurement processes to better understand the risk of the IoT devices you are fielding as well as what your own responsibilities are in securing the device

• Participate in security standards setting group/body meetings in order to have a major input into new standards before they are arbitrarily developed for your industries

Page 21

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2018 Deloitte Development LLC. All rights reserved.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.