Progress in U.S. Government Information Technology by Michael Erbschloe

The Internet of Things

 

The growth of network-connected devices, systems and services comprising the Internet of Things (IoT) provides efficiencies and personalization of experience that is attractive to both manufacturers and consumers. Network connected devices, systems, and services are also increasingly integrated with and relied upon by the Nation’s critical infrastructure, leading to a national dependency. The characteristics of the IoT ecosystem also result in multiple opportunities for malicious actors to manipulate the flow of information to and from network connected devices. Important processes that once were performed manually, and therefore enjoyed a measure of immunity against malicious cyber activity, are growing more vulnerable. Recent large scale distributed denial of service attacks foreshadow increasing in the U.S. and elsewhere.

In 2008, the U.S. National Intelligence Council warned that the IoT would be a disruptive technology by 2025. The Council said that individuals, businesses, and governments were unprepared for a possible future when network interfaces reside in everyday things. This warning remains valid, though it now seems certain that the IoT will be disruptive far sooner than 2025. More recently, in January 2014, the Director of National Intelligence (DNI) stated that the complexity and nature of these systems means that security and safety assurance are not guaranteed and that threat actors can easily cause security and/or safety problems in these systems.

Several statistics validate the Government’s concerns: the number of Internet-connected devices first outnumbered the human population in 2008, and that number continues to grow faster than the human population. By 2013, there were as many as 13 billion Internet-connected devices, and projections indicate that this will grow to 50 billion or more by 2020, generating global revenues of greater than $8 trillion by 2020. Many of these systems are visible to any user, including malicious actors, as search engines are already crawling the Internet indexing and identifying connected devices.

The IoT is the latest development in the decades-old revolution in communications, networking, processing power, miniaturization, and application innovation and has radically altered communications, networks, and sensors. The IoT is a decentralized network of objects, applications, and services that can sense, log, interpret, communicate, process, and act on a variety of information or control devices in the physical world. However, the IoT differs from previous technological advances because it has surpassed the confines of computer networks and is connecting directly to the physical world. Just as modern communications have fundamentally altered national security and emergency preparedness (NS/EP), the IoT has had a similar transformative impact.

Throughout the communications revolution, a plethora of existing and new technologies have led to astonishing improvements in the efficiency and effectiveness of Government and private sector operations and capabilities; yet the IoT differs in the pace, scale, and breadth of deployment of interconnected devices, which has resulted in immense benefits to individuals and organizations. Despite the benefits, the IoT is accompanied by risk associated with increased dependencies, expanded number of devices, and associated interconnections that will create a large attack surface with numerous potential threat vectors.

The increased attack surface and national dependence on these new systems, either directly or through the critical infrastructure systems, in which they are embedded, has made the IoT and new systems natural targets for criminals, terrorists, and nation states that wish to exploit them. These dependencies will continue to increase as the IoT permeates all sectors of the economy and all aspects of people’s lives. While all users have to cope with this expanded attack surface, IoT applications in the NS/EP domain must be hardened against the potential risks.

The Internet of Things is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, among other potential benefits. However, an FTC report notes that connected devices raise numerous privacy and security concerns that could undermine consumer confidence.

“The only way for the IoT to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the IoT to be fully realized.”

The IoT universe is expanding quickly, and there are now over 25 billion connected devices in use worldwide, with that number set to rise significantly as consumer goods companies, auto manufacturers, healthcare providers, and other businesses continue to invest in connected devices, according to data cited in the FTC report.

Security was one of the main topics addressed at an FTC workshop, primarily due to the highly networked nature of the devices. The report includes the following recommendations for companies developing IoT devices:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

Commission staff recommended that companies consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.

FTC staff also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. It acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly since some IoT devices may have no consumer interface.

Regarding legislation, staff concurs with many stakeholders that any IoT-specific legislation would be premature at this point in time given the rapidly evolving nature of the technology. The report, however, reiterates the Commission’s repeated call for strong data security and breach notification legislation. Staff also reiterates the Commission’s call from its 2012 Privacy Report for broad-based privacy legislation that is both flexible and technology-neutral.

The FTC has a range of tools currently available to protect American consumers’ privacy related to the IoT, including enforcement actions under laws such as the FTC Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act; developing consumer education and business guidance; participation in multi-stakeholder efforts; and advocacy to other agencies at the federal, state and local level.

Without a doubt, the IoT makes our lives easier and has many benefits; but we can only reap these benefits if our Internet-enabled devices are secure and trusted. The following are important steps you should consider to make your IoT more secure.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don't provide any protection.

While the benefits of IoT are undeniable, the reality is that security is not keeping up with the pace of innovation. As we increasingly integrate network connections into the critical infrastructure, important processes that once were performed manually (and thus enjoyed a measure of immunity against malicious cyber activity) are now vulnerable to cyber threats. Increasing dependence on network-connected technologies has grown faster than the means to secure it.

The IoT ecosystem introduces risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations, slowdown of internet functionality through large-scale distributed denial-of-service attacks, and potential disruptions to critical infrastructure.

Many of the vulnerabilities in IoT could be mitigated through recognized security best practices, but too many products today do not incorporate even basic security measures. There are many contributing factors to this security shortfall. One is that it can be unclear who is responsible for security decisions in a world in which one company may design a device, another supplies component software, another operates the network in which the device is embedded, and another deploys the device. This challenge is magnified by a lack of comprehensive, widely-adopted international norms and standards for IoT security. Other contributing factors include a lack of incentives for developers to adequately secure products, since they do not necessarily bear the costs of failing to do so, and uneven awareness of how to evaluate the security features of competing options.

  • Incorporate Security at the Design Phase
  • Advance Security Updates and Vulnerability Management
  • Build on Proven Security Practices
  • Prioritize Security Measures According to Potential Impact
  • Promote Transparency across IoT
  • Connect Carefully and Deliberately

As with all cyber security efforts, IoT risk mitigation is a constantly evolving, shared responsibility between government and the private sector. Companies and consumers are generally responsible for making their own decisions about the security features of the products they make or buy. The role of government, outside of certain specific regulatory contexts and law enforcement activities, is to provide tools and resources so companies, consumers, and other stakeholders can make informed decisions about IoT security. Specifically, these principles are designed for:

  • IoT developers to factor in security when a device, sensor, service, or any component of the IoT is being designed and developed;
  • IoT manufacturers to improve security for both consumer devices and vendor managed devices;
  • Service providers, that implement services through IoT devices, to consider the security of the functions offered by those IoT devices, as well as the underlying security of the infrastructure enabling these services; and
  • Industrial and business-level consumers (including the federal government and critical infrastructure owners and operators) to serve as leaders in engaging manufacturers and service providers on the security of IoT devices.

There is, however, no one-size-fits-all solution for mitigating IoT security risks. Not all of the practices listed below will be equally relevant across the diversity of IoT devices. These principles are intended to be adapted and applied through a risk-based approach that takes into account relevant business contexts, as well as the particular threats and consequences that may result from incidents involving a network-connected device, system, or service.

Security should be evaluated as an integral component of any network-connected device. While there are exceptions, in too many cases economic drivers or lack of awareness of the risks cause businesses to push devices to market with little regard for their security. Building security in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed.

By focusing on security as a feature of network-connected devices, manufacturers and service providers also have the opportunity for market differentiation. The practices below are some of the most effective ways to account for security in the earliest phases of design, development, and production.

Enable security by default through unique, hard to crack default user names and passwords. User names and passwords for IoT devices supplied by the manufacturer are often never changed by the user and are easily cracked. Botnets operate by continuously scanning for IoT devices that are protected by known factory default user names and passwords. Strong security controls should be something the industrial consumer has to deliberately disable rather than deliberately enable. Build the device using the most recent operating system that is technically viable and economically feasible. Many IoT devices use Linux operating systems, but may not use the most up-to-date operating system. Using the current operating system ensures that known vulnerabilities will have been mitigated.
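One way a manufacturer could implement the unique, hard-to-crack default credentials described above, as an added example that is not from the book or from any agency guidance. The function names, record layout, serial numbers, password length, PBKDF2 parameters and the short list of shared defaults are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Label-friendly alphabet: no 0/O or 1/l/I, so the sticker is easy to read.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
PASSWORD_LEN = 16        # assumption: about 92 bits with this 54-char alphabet
PBKDF2_ROUNDS = 200_000  # assumption: tune to the device's CPU budget

# Constructed sample of shared factory defaults that must never ship.
KNOWN_SHARED_DEFAULTS = {"admin", "password", "12345", "root", "default"}


def new_device_password():
    """Draw a per-device password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def hash_password(password, salt):
    """Salted, slow hash so a dumped firmware image does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial):
    """Return (label_password, firmware_record) for one device.

    The plaintext goes only on the device label; firmware stores salt + hash.
    """
    password = new_device_password()
    salt = secrets.token_bytes(16)
    record = {
        "serial": serial,
        "salt": salt,
        "hash": hash_password(password, salt),
        "must_change": True,  # first login has to replace the factory value
    }
    return password, record


def verify_login(record, candidate):
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def change_password(record, old, new):
    """Replace the credential; refuse shared defaults, short values and reuse."""
    if not verify_login(record, old):
        return False
    if new.lower() in KNOWN_SHARED_DEFAULTS or len(new) < 12 or new == old:
        return False
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = hash_password(new, record["salt"])
    record["must_change"] = False
    return True


def audit_labels(labels):
    """Check a batch of {serial: label_password} before it leaves the factory.

    Returns a sorted list of (serial, finding) tuples; empty means clean.
    """
    findings = []
    counts = Counter(labels.values())
    for serial, password in labels.items():
        if password.lower() in KNOWN_SHARED_DEFAULTS:
            findings.append((serial, "known shared default"))
        if counts[password] > 1:
            findings.append((serial, "password reused in batch"))
        if len(password) < PASSWORD_LEN:
            findings.append((serial, "shorter than provisioning length"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed serial numbers for illustration.
    labels = {}
    for serial in ("CAM-0001", "CAM-0002", "CAM-0003"):
        labels[serial], _record = provision_device(serial)
    print("fresh batch findings:", audit_labels(labels))

    legacy = {"CAM-9001": "admin", "CAM-9002": "admin"}  # constructed bad batch
    for finding in audit_labels(legacy):
        print(finding)
```

The audit runs on the label plaintexts at the factory because the salted hashes stored in firmware differ even when two devices share a password, so reuse cannot be detected from the records afterwards.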

Use hardware that incorporates security features to strengthen the protection and integrity of the device. For example, use computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.

Design with system and operational disruption in mind. Understanding what consequences could flow from the failure of a device will enable developers, manufacturers, and service providers to make more informed risk-based security decisions. Where feasible, developers should build IoT devices to fail safely and securely, so that the failure does not lead to greater systemic disruption.

Promote Security Updates and Vulnerability Management

Even when security is included at the design stage, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates, and vulnerability management strategies. In designing these strategies, developers should consider the implications of a device failure, the durability of the associated product, and the anticipated cost of repair. In the absence of the ability to deploy security updates, manufacturers may be faced with the decision between costly recalls and leaving devices with known vulnerabilities in circulation.

FOCUS ON: NTIA Multi-Stakeholder Process on Patching and Updating

The National Telecommunications and Information Administration (NTIA) has convened a multi-stakeholder process concerning “IoT Upgradability and Patching” to bring stakeholders together to share the range of views on security upgradability and patching, and to establish more concrete goals for industry-wide adoption.

Build on Recognized Security Practices

Many tested practices used in traditional IT and network security can be applied to IoT. These approaches can help identify vulnerabilities, detect irregularities, respond to potential incidents, and recover from damage or disruption to IoT devices. Start with basic software security and cybersecurity practices and apply them to the IoT ecosystem in flexible, adaptive, and innovative ways.

Refer to relevant Sector-Specific Guidance, where it exists, as a starting point from which to consider security practices. Some federal agencies address security practices for the unique sectors that they regulate. For example, the National Highway Traffic Safety Administration (NHTSA) recently released guidance on Cybersecurity Best Practices for Modern Vehicles that address some of the unique risks posed by autonomous or semi-autonomous vehicles. Similarly, the Food and Drug Administration released draft guidance on Postmarket Management of Cybersecurity in Medical Devices.

Practice defense in depth. Developers and manufacturers should employ a holistic approach to security that includes layered defenses against cybersecurity threats, including user-level tools as potential entry points for malicious actors. This is especially valuable if patching or updating mechanisms are not available or insufficient to address a specific vulnerability. Participate in information sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public and private partners. Information sharing is a critical tool in ensuring stakeholders are aware of threats as they arise.

The Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC), as well as multi-state and sector-specific information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs), are examples.

Prioritize Security Measures According to Potential Impact

Risk models differ substantially across the IoT ecosystem. For example, industrial consumers (such as nuclear reactor owners and operators) will have different considerations than a retail consumer. The consequences of a security failure across different customers will also vary significantly.

Focusing on the potential consequences of disruption, breach, or malicious activity across the consumer spectrum is therefore critical in determining where particular security efforts should be directed, and who is best able to mitigate significant consequences.

Should IoT security measures focus on the IoT device? Since the purpose of all IoT processes is to take in information at a physical point and motivate a decision based on that information (sometimes with physical consequences), security measures can focus on one or more parts of the IoT process.

Promote Transparency across IoT

Where possible, developers and manufacturers need to know their supply chain, namely, whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization. Reliance on the many low-cost, easily accessible software and hardware solutions used in IoT can make this challenging. Because developers and manufacturers rely on outside sources for low-cost, easily accessible software and hardware solutions, they may not be able to accurately assess the level of security built into component parts when developing and deploying network-connected devices. Furthermore, since many IoT devices leverage open source packages, developers and manufacturers may not be able to identify the sources of these component parts. Increased awareness could help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies. Depending on the risk profile of the product in question, developers, manufacturers, and service providers will be better equipped to appropriately mitigate threats and vulnerabilities as expeditiously as possible, whether through patching, product recall, or consumer advisory.

Connect Carefully and Deliberately

IoT consumers, particularly in the industrial context, should deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption. IoT consumers can also help contain the potential threats posed by network connectivity by connecting carefully and deliberately, and weighing the risks of a potential breach or failure of an IoT device against the costs of limiting connectivity to the Internet.

In the current networked environment, it is likely that any given IoT device may be disrupted during its lifecycle. IoT developers, manufacturers, and consumers should consider how a disruption will impact the IoT device’s primary function and business operations following the disruption.

The Interagency International Cyber Security Working Group (IICS WG) was created in response to recommendations from NISTIR 8074 Volume 1 [1]. The IICS WG coordinates on major issues in international cybersecurity standardization. The IICS WG established an IoT Task Group to develop this Report on the status of international cybersecurity standards that are relevant to IoT.

The timely availability of international cybersecurity standards is a dynamic and critical component for the cybersecurity and resilience of all information and communications systems and supporting infrastructures. The intended audience is both the government and public. The purpose is to inform and enable policymakers, managers, and standards participants as they seek timely development of and use of such standards in IoT components, systems, and services.

To gain insight on the present state of IoT cybersecurity standardization, five IoT technology application areas are described. These application areas are not exhaustive but are sufficiently representative to use in an analysis of the present state of IoT cybersecurity standardization.

  • Connected vehicle (CV) IoT enables vehicles, roads, and other infrastructure to communicate and share vital transportation information.
  • Consumer IoT consists of IoT applications in the residence as well as wearable and mobile devices.
  • Health IoT processes data derived from sources such as electronic health records and patient generated health data.
  • Smart building IoT includes energy usage monitoring systems, physical access control security systems and lighting control systems.
  • Smart manufacturing IoT enables enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.

Building upon NISTIR 8074 Volume 2, this Report describes eleven cybersecurity core areas and provides examples of relevant standards. IoT cybersecurity objectives, risks, and threats are then analyzed for IoT applications in general and for each of the five IoT technology application areas. Cybersecurity objectives for traditional IT systems generally prioritize Confidentiality, then Integrity, and lastly Availability. IoT systems cross multiple sectors as well as use cases within those sectors. As such, the individual cybersecurity objectives may be prioritized very differently, depending on the application. The proliferation and increased ubiquity of IoT components and systems are likely to heighten the risks they present.

Standards-based cybersecurity risk management will continue to be a major factor in the trustworthiness of IoT applications. Analysis of the application areas shows that cybersecurity for IoT is unique and will require tailoring of existing standards, as well as creation of new standards, to address pop-up network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety.

The Department of Defense (DOD) has identified numerous security risks with IoT devices and conducted some assessments that examined such security risks, such as infrastructure-related and intelligence assessments. Risks with IoT devices can generally be divided into risks with the devices themselves and risks with how they are used. For example, risks with the devices include limited encryption and a limited ability to patch or upgrade devices. Risks with how they are used—operational risks—include insider threats and unauthorized communication of information to third parties. DOD has developed IoT threat scenarios involving intelligence collection and the endangerment of senior DOD leadership—scenarios that incorporate IoT security risks (see figure). Although DOD has begun to examine security risks of IoT devices through its infrastructure-related and intelligence assessments, the department has not conducted required assessments related to the security of its operations.

DOD has issued policies and guidance for IoT devices, including personal wearable fitness devices, portable electronic devices, smartphones, and infrastructure devices associated with industrial control systems. However, GAO found that these policies and guidance do not clearly address some security risks relating to IoT devices. First, current DOD policies and guidance are insufficient for certain DOD-acquired IoT devices, such as smart televisions in unsecure areas, and IoT device applications. Second, DOD policies and guidance on cybersecurity, operations security, information security, and physical security do not address IoT devices. Lastly, DOD does not have a policy directing its components to implement existing security procedures on industrial control systems, including IoT devices. Updates to DOD policies and guidance would likely enhance the safeguarding and securing of DOD information from IoT devices.

GAO reviewed reports and interviewed DOD officials to identify risks and threats of IoT devices faced by DOD. GAO also interviewed DOD officials to identify risk assessments that may address IoT devices and examined their focus areas. GAO further reviewed current policies and guidance DOD uses for IoT devices and interviewed officials to identify any gaps in policies and guidance where security risks may not be addressed.

GAO recommended that DOD (1) conduct operations security surveys that could address IoT security risks or address operations security risks posed by IoT devices through other DOD risk assessments; and (2) review and assess its security policies and guidance affecting IoT devices and identify areas, if any, where new DOD policies may be needed or where guidance should be updated. DOD reviewed a draft of this report and concurs with GAO's recommendations.

Limited quantified information exists on the costs and benefits of the General Services Administration's (GSA) smart buildings program's key technologies. GSA officials stated that the approximate cost of equipping a building with these technologies ranged from about $48,000 to $155,000. However, they stated that accurately calculating installation costs is challenging because GSA typically installs these technologies in selected buildings incrementally and sometimes as part of other capital improvement projects. Additionally, GSA officials identified perceived operational benefits of the smart buildings program's key technologies, including that these technologies enable officials to more precisely identify building system problems and more closely monitor contractors. However, existing data on the smart buildings program are of limited usefulness in quantifying the program's benefits. For example, according to GSA officials, while data from an application within GSAlink that estimates avoided costs from addressing each fault that GSAlink identifies are useful for prioritizing maintenance actions, the imprecise estimates preclude their use as a measure of actual avoided costs in quantifying program benefits.

GSA does not have documented, clearly defined goals for the smart buildings program, nor has GSA developed performance measures that would allow it to assess the program's progress. These omissions are contrary to leading practices of results-oriented organizations identified in previous GAO work. GSA officials verbally described broad goals for the smart buildings program to GAO, but the agency has not documented these goals. Further, because GSA has not clearly defined its verbally expressed goals, it cannot demonstrate progress in achieving them. For example, GSA officials said that the agency cannot measure progress for the stated goal of improving tenant productivity and comfort because of the subjective nature of individual tenant preferences, such as for office temperatures. Additionally, GSA has not developed performance measures to assess the program, and GSA's lack of data that can be used to quantify benefits of the program impedes its ability to measure the success of the program. Without clearly defined goals, related performance measures, and data that can be used to measure its progress, GSA is limited in its ability to make informed decisions about the smart buildings program.

GSA faces challenges in implementing the smart buildings program and has taken steps to mitigate these challenges. Since smart building technologies are Internet-connected, they are potentially vulnerable to cyberattacks that could compromise security or cause ha