
NIST report presents overview of international cybersecurity standardisation for IoT


The National Institute of Standards and Technology (NIST) in the US recently
released an interagency report on cybersecurity for the Internet of Things (IoT).

The Interagency International Cybersecurity Standardization Working Group
(IICS WG) was established in December 2015 by the National Security Council's
Cyber Interagency Policy Committee. The purpose of the IICS WG is to coordinate
on major issues in international cybersecurity standardisation and thereby
enhance U.S. federal agency participation in international cybersecurity
standardisation.

The Interagency
Report on Status of International Cybersecurity Standardization for the
Internet of Things (IoT)
examines the current state of international
cybersecurity standards development by voluntary consensus standards bodies for
IoT.

The Report is meant to inform and enable policymakers,
managers, and standards participants as they seek timely development of and use
of cybersecurity standards in IoT components, systems, and services.

The Report notes that trustworthiness of IoT systems will require active
management of risks to privacy, safety, security, etc. Traditional IT security
focuses on CIA (confidentiality, integrity, and availability). As many IoT
components interact with the physical world through sensors and actuators, IoT
security is also connected to physical security, involving threats to people,
their objects, and their environment.

IoT also connects traditional Internet and mobile
capabilities and industrial control systems, leading to risks for critical
information infrastructure.

Traditional information systems generally prioritise
Confidentiality, then Integrity, and lastly Availability, while control systems
and IoT systems usually prioritise Availability first, then Integrity and
lastly Confidentiality.

Risks and threats

Connected vehicles

Connected Vehicle (CV) technology is expected to enable
vehicles, roads, and other infrastructure to communicate and share vital
transportation information. CVs would be subject to physical safety, as well as
privacy concerns.

V2V (vehicle-to-vehicle), V2I (vehicle-to-infrastructure), and V2X (the
combination of V2V and V2I) communications lead to an increased attack surface
for connected cars.

In addition, users may connect to and access their vehicles through their
smartphones, and personal information on these components needs to be protected
from unauthorised access through the vehicle. Similarly, the vehicle must be
protected from threats that may come through the mobile device.

Potential safety-critical risks include driver distractions (volume, wipers,
etc.) and engine shutoff or degradation. Internet connectivity in infotainment
consoles has introduced threats to passenger safety as a result of
intercommunication between vehicle controls and entertainment systems. Spoofed,
manipulated, damaged, and missing sensors and actuators could cause vehicles to
behave unpredictably.

Consumer IoT

Here, ensuring the confidentiality, integrity, and availability of consumer
data and services is the primary challenge. Hackers may compromise the data
integrity and operation of other electronic components on the same network,
using the consumer IoT device as a conduit. As connected IoT technologies extend
their reach to consumer components critical to basic home functions (e.g., the
thermostat), cyber criminals could target them in ransomware attacks or other
traditional cyberattacks directed at collecting highly sensitive personal
information.

Moreover, the rising popularity of connected consumer
components also makes them ripe targets for criminals who seek to execute
coordinated, widespread cyberattacks causing systemic harm across the Internet.
A prominent example is the disruption of Domain Name System (DNS) provider Dyn
and associated Internet services in October 2016.

The Report recommends that consumer components should use
strong and readily updatable firmware and robust authentication practices, such
as strong password requirements. Using encryption or a virtual private network
(VPN) connection to the local network may provide protection against unauthorised
eavesdropping and protect the login credentials of the IoT consumer components.
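As an added illustration (example code, not part of the NIST report or this article), the following shows how a consumer device could enforce two of the recommendations above: refusing factory-default or weak credentials at setup, and accepting a firmware update only when its signed manifest verifies and the version does not roll back. The default-credential list, the vendor key, the manifest format and the firmware bytes are all constructed for the example; a real device would hold the verification key in protected storage and use a public-key signature rather than the HMAC used here for brevity.

```python
"""Added example: device-side enforcement of strong credentials and
verified, updatable firmware (constructed scenario, not the Report's code)."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed list of factory defaults that must never be accepted.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "1234"), ("root", "root"), ("user", "password"),
}

# Constructed vendor key; stands in for a real public-key verification key.
VENDOR_KEY = b"constructed-vendor-key-for-example-only"


def password_policy_errors(username: str, password: str) -> list[str]:
    """Return every policy violation for a proposed credential (empty = ok)."""
    errors = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        errors.append("factory default credential")
    if len(password) < 12:
        errors.append("shorter than 12 characters")
    if password.lower() == username.lower():
        errors.append("password equals username")
    if len(set(password)) < 5:
        errors.append("too few distinct characters")
    return errors


def _manifest_body(version: int, digest: str) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps({"version": version, "sha256": digest}, sort_keys=True).encode()


def sign_manifest(version: int, image: bytes, key: bytes = VENDOR_KEY) -> dict:
    """What the vendor's build pipeline would produce alongside the image."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, _manifest_body(version, digest), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "tag": tag}


def verify_update(manifest: dict, image: bytes, installed_version: int,
                  key: bytes = VENDOR_KEY) -> tuple[bool, str]:
    """Device-side check: authentic manifest, no rollback, image matches."""
    body = _manifest_body(manifest["version"], manifest["sha256"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the tag first so nothing else is trusted until it is authenticated.
    if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
        return False, "manifest signature invalid"
    if manifest["version"] <= installed_version:
        return False, "rollback to older or same version refused"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        return False, "image hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    print(password_policy_errors("admin", "admin"))
    firmware = b"constructed firmware image v2"
    manifest = sign_manifest(2, firmware)
    print(verify_update(manifest, firmware, installed_version=1))
    print(verify_update(manifest, firmware + b"x", installed_version=1))
```

The version check runs after the tag check on purpose: a manifest that fails authentication tells the device nothing trustworthy, including its version number, so it is rejected before any other field is read.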

Health IoT

In addition to data security and privacy impacts, attacks on medical devices
and the IT networks they connect to may physically affect patients, causing
illness, injury, or even death. This harm may stem from the performance of the
device itself, impeded hospital operations, or the inability to deliver care.

Major security objectives in this area include: Protect
patient safety from network originated inauthentic commands to actuators; Protect
patient sensor data from tampering to allow correct algorithmic response;
Protect medical device processing capability; Protect patient data where the
data forms part of a treatment and monitoring regime; Protect patient
information from unauthorized disclosure or modification; Ensure patient
information is available to authorized entities when it is needed; Ensure
prompt and secure patch delivery to medical devices; Ensure continuous security
risk management throughout the device lifecycle.
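As an added example (constructed here, not code from the NIST report or any device vendor), the following gateway-side check addresses the first two objectives in the list above: rejecting network-originated commands to an actuator that are inauthentic or replayed, and refusing a command that would push the actuator outside a clinically plausible range even when it authenticates. The per-device key, the message format with a monotonic counter, the `set_rate` command and the 500 ml/h limit are all assumptions for the example; real devices would use keys provisioned at manufacture and limits from their clinical configuration.

```python
"""Added example: authenticated, replay-protected, range-checked commands
to a medical actuator (constructed scenario, not the Report's code)."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed per-device key; in practice provisioned into protected storage.
DEVICE_KEY = b"constructed-per-device-key-example"
# Constructed safety envelope: the controller will not act outside it.
MAX_RATE_ML_PER_H = 500.0


class ActuatorGateway:
    """Sits between the network and the actuator; nothing reaches the
    actuator unless accept() returns True."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.last_counter = 0  # highest accepted counter, for replay rejection

    def _tag(self, counter: int, command: dict) -> str:
        # Canonical encoding so both sides authenticate identical bytes.
        body = json.dumps({"counter": counter, "command": command}, sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def build(self, counter: int, command: dict) -> dict:
        """Produce the authenticated message a legitimate controller sends."""
        return {"counter": counter, "command": command, "tag": self._tag(counter, command)}

    def accept(self, message: dict) -> tuple[bool, str]:
        """Return (accepted, reason); the counter advances only on success."""
        counter = message.get("counter")
        command = message.get("command")
        if not isinstance(counter, int) or not isinstance(command, dict):
            return False, "malformed message"
        # Authenticate before trusting any field, including the counter.
        expected = self._tag(counter, command)
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            return False, "authentication failed"
        if counter <= self.last_counter:
            return False, "replayed or stale command"
        # Authentic and fresh, but still subject to the safety envelope.
        if command.get("action") == "set_rate":
            rate = command.get("ml_per_h")
            if not isinstance(rate, (int, float)) or not 0 <= rate <= MAX_RATE_ML_PER_H:
                return False, "rate outside safety envelope"
        self.last_counter = counter
        return True, "ok"


if __name__ == "__main__":
    gw = ActuatorGateway()
    msg = gw.build(1, {"action": "set_rate", "ml_per_h": 50})
    print(gw.accept(msg))   # accepted
    print(gw.accept(msg))   # same message again: replay rejected
    print(gw.accept(gw.build(2, {"action": "set_rate", "ml_per_h": 5000})))
```

Note that a replayed message fails even though its tag is valid, and an out-of-range command fails even though it is authentic and fresh: authentication establishes who sent the command, not that the command is safe to execute.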

Smart Buildings

Smart buildings may contain several sets of IoT components
that each have their own security objectives, risks, and threats. Here the
primary objective is preventing unauthorised access to any building control
system and preventing a domino effect caused by the compromise of one system
leading to the compromise of another. Robust modelling and testing are required
to handle foreseeable situations.

There are several challenges in securing smart buildings. Interoperability
between systems and components from different vendors could introduce
weaknesses for an attacker to exploit. Once one system becomes compromised, it
may serve as an avenue for an attacker to move laterally into another. Moreover,
employees and visitors moving inside and around the building while carrying
components connected to various networks introduce further vulnerabilities.

Smart Manufacturing

Industry 4.0 comprises a system built on automation,
cyber-physical systems, cloud computing, and the Industrial Internet of Things
(IIoT).

Challenges in this area arise from fundamental differences between IT and OT
(operational technology). Organisational structures separate the engineering,
management and decision-making processes of enterprise business operations from
those of the production environment. In recent decades, advanced technologies
involving computer-based systems have been progressively integrated into
manufacturing.

Successful malicious actors could extort ransom from a
company to release the system from their control, copy sensitive proprietary
information that can be sold to other companies or other governments, or
install software that can affect a product’s performance.

There have been state-sponsored efforts to infiltrate and
steal information from companies involved in defence manufacturing.

Attackers who successfully penetrate the security systems in
processes used to produce arms and equipment for the military may have the
capability to alter or halt production processes to affect these items’
reliability, safety, or security, putting the lives of service personnel at risk.

Current standards landscape

The Report identifies several challenges in the development
of standards for IoT cybersecurity.

Some IoT systems have direct connections to owner networks,
while others directly connect to non-owner networks and some have direct
connections to both.

IoT systems could comprise highly distributed IoT components
that have a variety of owners or may effectively have no defined owner. Some
IoT systems are intended for use by or association with a particular person or
group of people, while others are autonomous.

IoT components sometimes are largely static. Their software
cannot be updated and configuration cannot be changed as needed.

Some IoT components process data locally, while others have
their data processed remotely, and some do both.

IoT components are also highly heterogeneous in terms of operating
systems, network interfaces/protocols, functions, etc. Many IoT systems rely on
proprietary protocols for data communication.

IoT systems are often deployed as part of highly dynamic
systems and system environments. Many IoT systems do not provide centralised
management capabilities for the owner, while many others can be remotely
controlled by first parties (e.g., manufacturers).

Some IoT components are deployed in physically unrestricted locations, which
may make it impossible to provide physical security for them.

Annex D of the Report (page 63) presents a listing of international
cybersecurity standards that the IoT Task Group has identified as IoT relevant.
The authors caution that it is not a complete list and that it is a one-time,
static listing.

The standards have been organised by the eleven core areas
of cybersecurity described in the Report: Cryptographic Techniques, Cyber
Incident Management, Hardware Assurance, Identity and Access Management, Information
Security Management Systems, IT System Security Evaluation, Network Security, Security
Automation and Continuous Monitoring, Software Assurance, Supply Chain Risk
Management and System Security Engineering.

In some areas standards are available, while in others standards have not been
developed yet, and further development is required in certain areas. For
instance, many cryptographic standards are in use to protect data in transit and
at rest and to provide strong authentication. Many of these standards can
support IoT systems, and there are also standards developed specifically to
support IoT systems. However, cryptographic techniques will need adjustments and
innovations to accommodate the IoT: scalability, performance, memory- and
power-limited devices, and constrained communication channels pose cryptographic
challenges in the context of IoT.

The Report also identifies possible gaps in standards. Examples are the
application of blockchain (in cryptographic techniques), the inability to use
software patches to fix flaws (in cyber incident management), and the need for
new standards to address IoT networks that have the potential for spontaneous
connections (in network security).

Even where standards are available, their uptake has been slow. The Report
notes that, in view of the continuing, rapid innovation in IT, the inventory of
IoT-relevant cybersecurity standards will remain dynamic.

The Report recommends that agencies further review possible standards gaps and
work with industry to initiate new standards projects in SDOs (standards
developing organisations) to close those gaps. The Report also says that
agencies should support the development of appropriate conformity assessment
schemes for the requirements in such standards. The type, independence and
technical rigour of conformity assessment should be risk-based, taking into
consideration the cost to the public and private sectors, including their
international operations and legal obligations.
