NIST has issued a draft report examining the cybersecurity vulnerabilities and privacy risks posed by Internet of Things (IoT) devices, including healthcare IoT.
“Many organizations are not necessarily aware they are using a large number of IoT devices. It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do,” NIST observed in its draft report “Considerations for Managing IoT Cybersecurity and Privacy Risks.”
In the report, NIST laid out a number of high-level considerations that could impact management of the cybersecurity and privacy risks for IoT devices as compared to conventional IT devices.
- IoT devices interact with the physical world in ways conventional IT devices usually do not.
- IoT devices often cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
- Availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than for conventional IT devices.
NIST explained that IoT cybersecurity and privacy risks can be viewed in terms of three risk mitigation goals:
- Protect device security — prevent a device from being used to conduct attacks, including participating in DDoS attacks against organizations, eavesdropping on network traffic, or compromising other devices on the same network segment.
- Protect data security — secure the confidentiality, integrity, and/or availability of data collected by, stored on, processed by, or transmitted to or from the IoT device.
- Protect privacy — ensure individuals’ privacy impacted by processing of personally identifiable information beyond risks managed through device and data security protection.
Meeting each of the risk mitigation goals involves addressing a set of risk mitigation areas, according to NIST. Each risk mitigation area defines an aspect of cybersecurity or privacy risk mitigation considered to be most significantly or unexpectedly affected for IoT by the risk considerations.
For each risk mitigation area, there are one or more expectations organizations usually have for how conventional IT devices help mitigate cybersecurity and privacy risks. Finally, there are one or more challenges that IoT devices may pose to each area.
The end result of these linkages is the identification of a structured set of potential challenges with mitigating cybersecurity and privacy risk for IoT devices that can be traced back to the relevant risk considerations.
Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas.
NIST advised organizations to understand IoT risks and mitigation challenges, adjust organizational policies and processes, and implement updated mitigation practices.
NIST is seeking public comments on the draft report. These comments are due by Oct. 24, 2018, and can be emailed to firstname.lastname@example.org.
Threats to IoT devices are real and growing. A recent advisory from the FBI warned that cybercriminals are searching for and compromising IoT devices to use as proxies for internet requests, routing traffic for cyberattacks and network exploitation.
IoT devices that are being targeted include connected medical devices, routers, wireless radio links, time clocks, streaming devices, IP cameras, smart garage door openers, and network-attached storage devices.
Cybercriminals use compromised IoT devices to send spam e-mails; maintain anonymity; obfuscate network traffic; mask Internet browsing; generate click-fraud activity; buy, sell, and trade illegal images and goods; conduct credential stuffing attacks, in which cyber actors use an automated script to test passwords stolen in other data breaches against unrelated websites; and sell or lease IoT botnets to other cyber actors for financial gain.
The FBI advised organizations to look for indicators of compromised devices, such as a major spike in internet use and charges, devices or internet connections running slow, and unusual outgoing traffic.
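The indicators the FBI names (a spike in internet use, unusual outgoing traffic) can be checked mechanically if an organization already exports per-device egress summaries. The script below is an added example, not code from the article, NIST, or the FBI: it builds a per-device baseline from the first few days of records and flags later days whose outbound volume is many times the baseline median or that contact destination ports the device never used before. The daily summary rows, the field layout, and the device names are constructed for the example and are not a real export format.

```python
"""Added example: baseline-and-deviation check for IoT egress traffic,
modelled on the compromise indicators in the FBI advisory (spike in
internet use, unusual outgoing traffic). All records below are constructed."""
from collections import defaultdict
from statistics import median

# Constructed sample: one row per device per day, as an egress aggregator
# might export it. Layout is an assumption: (device, day, bytes_out, dst_ports).
DAILY_EGRESS = [
    ("ip-cam-01", "2018-10-01", 110_000_000, {443}),
    ("ip-cam-01", "2018-10-02", 125_000_000, {443}),
    ("ip-cam-01", "2018-10-03", 118_000_000, {443}),
    ("ip-cam-01", "2018-10-04", 122_000_000, {443}),
    ("ip-cam-01", "2018-10-05", 115_000_000, {443}),
    ("ip-cam-01", "2018-10-06", 2_400_000_000, {443, 25, 8080}),  # spike + new ports
    ("nas-01", "2018-10-01", 900_000_000, {443, 445}),
    ("nas-01", "2018-10-02", 850_000_000, {443, 445}),
    ("nas-01", "2018-10-03", 920_000_000, {443, 445}),
    ("nas-01", "2018-10-04", 880_000_000, {443, 445}),
    ("nas-01", "2018-10-05", 910_000_000, {443, 445}),
    ("nas-01", "2018-10-06", 905_000_000, {443, 445}),          # normal day
    ("clock-01", "2018-10-01", 2_000_000, {123}),
    ("clock-01", "2018-10-02", 2_100_000, {123}),
    ("clock-01", "2018-10-03", 1_900_000, {123}),
    ("clock-01", "2018-10-04", 2_050_000, {123}),
    ("clock-01", "2018-10-05", 2_000_000, {123}),
    ("clock-01", "2018-10-06", 2_100_000, {123, 6667}),          # new port only
]


def build_baselines(rows, window):
    """Per device: the median daily byte count and the union of destination
    ports over the first `window` days, treated as that device's normal."""
    by_device = defaultdict(list)
    for device, day, bytes_out, ports in sorted(rows, key=lambda r: (r[0], r[1])):
        by_device[device].append((day, bytes_out, ports))
    baselines = {}
    for device, days in by_device.items():
        base = days[:window]
        baselines[device] = {
            "median_bytes": median(b for _, b, _ in base),
            "known_ports": set().union(*(p for _, _, p in base)),
            "baseline_days": {d for d, _, _ in base},
        }
    return baselines


def find_anomalies(rows, window=5, spike_factor=5.0):
    """Return (device, day, reason) tuples for days outside the baseline window
    whose egress exceeds spike_factor times the median, or that use ports the
    device never used during the baseline. Thresholds are illustrative."""
    baselines = build_baselines(rows, window)
    findings = []
    for device, day, bytes_out, ports in sorted(rows, key=lambda r: (r[0], r[1])):
        base = baselines[device]
        if day in base["baseline_days"]:
            continue  # baseline days are not scored against themselves
        ratio = bytes_out / base["median_bytes"]
        if ratio > spike_factor:
            findings.append((device, day, f"egress {ratio:.1f}x baseline median"))
        new_ports = ports - base["known_ports"]
        if new_ports:
            findings.append((device, day, f"new destination ports {sorted(new_ports)}"))
    return findings


if __name__ == "__main__":
    for device, day, reason in find_anomalies(DAILY_EGRESS):
        print(f"{device} {day}: {reason}")
```

A median baseline is deliberately insensitive to a single noisy day, and scoring destination ports separately from volume catches a device that starts quietly talking to a service it never used (the clock here) even when its byte count stays ordinary. In practice the window and spike factor should be tuned per device class, since a camera's normal variance differs from a NAS's.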