{"id":31565,"date":"2019-11-27T09:58:20","date_gmt":"2019-11-27T14:58:20","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=31565"},"modified":"2022-08-08T04:57:51","modified_gmt":"2022-08-08T08:57:51","slug":"iot-security-model","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/iot-security-model\/31565\/","title":{"rendered":"Why it&#8217;s time to build a security maturity model for the Internet of Things"},"content":{"rendered":"<p>The market for Internet of Things (IoT) is growing at a rapid pace \u2013 we have devices like the Nest home thermostat and the Amazon Echo to thank for that. For those that don\u2019t know about IoT, it\u2019s essentially the inter-connectivity of devices in today\u2019s world. According to IoT Analytics, <a href=\"https:\/\/iot-analytics.com\/state-of-the-iot-2020-12-billion-iot-connections-surpassing-non-iot-for-the-first-time\/#:~:text=In%202020%20this%20market%20reached,billion%20IoT%20connections%20by%202025.\" target=\"_blank\" rel=\"noopener nofollow\">in 2020 we reached 423 million IoT connections worldwide<\/a>, predicting we\u2019ll reach 2.5 billion by 2025.<\/p>\n<p>Great in some cases, but worrying for cybersecurity. Why? Cybercriminals are increasingly realizing how vulnerable connected devices truly are. <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2019_iot-under-fire-kaspersky-detects-more-than-100-million-attacks-on-smart-devices-in-h1-2019\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky detected 105 million attacks on smart devices in the first half of 2019<\/a> \u2013 up seven times on the first half of the previous year. 
Clearly, the threat of cyberattacks on the IoT is too important to ignore.<\/p>\n<h2>How an IoT attack hit the Target<\/h2>\n<p>In 2016, <a href=\"https:\/\/iiconsortium.org\/\" target=\"_blank\" rel=\"noopener nofollow\">Industrial Internet Consortium<\/a> (IIC) <a href=\"https:\/\/www.iiconsortium.org\/pdf\/IIC_PUB_G4_V1.00_PB.pdf\" target=\"_blank\" rel=\"noopener nofollow\">experts agreed the cybersecurity industry needed to implement more tailored models of security for IoT devices<\/a>. Doing so would help industries choose cybersecurity protection measures that meet their business needs. Here\u2019s an example. Back in 2013, retail giant Target\u2019s network was <a href=\"https:\/\/krebsonsecurity.com\/2014\/02\/target-hackers-broke-in-via-hvac-company\/\" target=\"_blank\" rel=\"noopener nofollow\">breached by hackers<\/a> who used malware to collect around 40 million payment card details in just over two weeks. An investigation found that the perpetrators accessed the secure network through the retailer\u2019s heating and air conditioning.<\/p>\n<p>The heating, ventilation and air conditioning (HVAC) industry incorporates many IoT elements into its product systems, from controllers and measurement tools to mobile applications for remote management. The risk is clear: many of these elements can be accessed remotely. While that\u2019s normally to allow personnel to update building conditions from external locations, it provides more entry points for hackers.<\/p>\n<p>The main problem in maintaining a proper level of security for infrastructure with newly introduced IoT elements is uncertainty about what needs to be done, which measures need to be applied and to what extent. The other issue is the specific requirements for safety, continuity and real-time execution, which a careless introduction of security mechanisms may violate. 
HVAC elements must continuously maintain temperature and humidity conditions, so remote control and monitoring data must remain available.<\/p>\n<p>In Target\u2019s case, a structured approach could have helped to determine both the protection measures needed across the whole network and the organizational requirements to support the optimal security processes and avoid losses.<\/p>\n<h2>Why should you develop an IoT cyber-threat protection strategy?<\/h2>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-31578\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2019\/11\/27095226\/Kaspersky_cyber-security_header-11.jpg\" alt=\"iot cybersecurity model\" width=\"833\" height=\"625\"><br>\nCreating a cohesive cyber-threat protection strategy is a challenging task, especially when dealing with IoT and the many smart devices and industries that are connected. But it can be done. One common strategy is the <a href=\"https:\/\/ics-cert.kaspersky.com\/reports\/2019\/08\/14\/the-internet-of-things-security-maturity-model-a-nudge-for-iot-cybersecurity\/\" target=\"_blank\" rel=\"noopener\">IoT Security Maturity Model<\/a>.<\/p>\n<p>Ultimately, an IoT security maturity model will identify a business\u2019s entire production and process chain, determine appropriate means of protection and help those responsible for that system\u2019s security implement those methods.<\/p>\n<h2>How to build a security maturity profile<\/h2>\n<p>A security maturity model describes a selection of security practices \u2013 including the implementation of access control, protection of stored or transmitted data, or the management of security updates \u2013 which are needed to define the approach by which a business protects itself from IoT cybersecurity threats. 
These practices may be applied on an individual basis, but a more mature, systemic approach to security will group them into three main areas: governance or organizational security management, the provision of security by design and security hardening. Then, based on the business priorities, needs and the purpose of every security practice in the particular context, the security maturity profile should be secure enough.<\/p>\n<p>This approach is key to assessing how well security practices are implemented in the concrete context. Consider security monitoring, for example. For some IoT components, checking the diagnostic logs \u2013 where all issues are recorded \u2013 from time to time is more than enough. Some others, however, need to be protected against malware. Components that pose a medium threat should collect and analyze information from a variety of sources and involve human expertise. The most critical systems operate continuous real-time monitoring of all relevant types of security events using the most appropriate means and ubiquitous automation.<\/p>\n<p>That said, even a comprehensive approach alone doesn\u2019t make for a mature security implementation. The ability to adapt to specific requirements for each individual industry, or even specific systems, is vital. With IoT devices covering everything from the personal to <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/industrial-iot\/28210\/\" target=\"_blank\" rel=\"noopener nofollow\">industrial<\/a>, it\u2019s important to consider the primary focus of each area when assessing the best security model to use.<\/p>\n<p>As the <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/malware-trends-2019\/28098\/\" target=\"_blank\" rel=\"noopener nofollow\">threat of malware<\/a> in IoT devices continues to grow, a mature IoT security implementation will be vital to protect our homes, workplaces and even our health from cybercrime. 
But the model itself needs implementation processes to fully reach its defensive capabilities. By combining best practice with action, we can allow security experts to make sure they are best defending every step of the IoT ecosystem \u2013 helping make our lives and our workplaces safer \u2013 now and in the future.<\/p>\n<p>More information about IIC IoT Security Maturity Model <a href=\"https:\/\/iiconsortium.org\/\" target=\"_blank\" rel=\"noopener nofollow\">can be found<\/a> at the Industrial Internet Consortium\u2019s site.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>From sensors that regulate farm irrigation to fridges that order food, businesses and homes are filled with more connected devices than ever before. But at what cost for security?<\/p>\n","protected":false},"author":2532,"featured_media":31577,"template":"","coauthors":[3581],"class_list":{"0":"post-31565","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-enterprise-cybersecurity","7":"emagazine-category-internet-of-things","8":"emagazine-tag-safety-technologies","9":"emagazine-tag-secure-by-design"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/iot-security-model\/31565\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/iot-security-model\/20258\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/31565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2532"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/31577"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/bl
og\/wp-json\/wp\/v2\/media?parent=31565"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=31565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}