Security associations and professionals offer thorough yet complex checklists to measure the cybersecurity effectiveness of IoT systems. Crack open guidance from NIST 800-160, to the FDA, to the IoT Security Foundation on a Friday night after the kids are in bed and dive in with a glass of Cab – keep the bottle handy.
I’ve always been a fan of the KISS principle when the difference between focusing on the main issues versus getting mired in details isn’t going to yield materially different results. And yes, I’m a big fan of the 1040EZ form and dream of a time when congress approves tax reform designed so we can all do our own taxes easily. Ahem, no more politics, I promise.
So here’s a cut at the tenets of an Enterprise IoT Security EZ form. I’d love to hear your thoughts.
Tenet 1 – It’s All About the Device
Risk management for IoT hinges upon assessing groups of related devices distinctly from one another. Healthcare biomedical and industrial assembly line systems are more critical to the business than printers and temperature sensors. So in the EZ form, the first section questions how devices are uniquely identified, classified, grouped, and treated differently from a risk analysis perspective.
Tenet 2 – Criticality is King, and the King Demands Values
In a pack of cards the King has a relative value to the rest of the deck so you can make trade-offs while playing and have a chance to win. In IoT security, devices need a criticality value to inform the business what is important. It is a mashup of considerations based on safety, financial, compliance, and likely attacker threat profile. The values need to propagate across the IT tool stack used to monitor and assess risk or else the only game to play is Indian poker.
Tenet 3 – MAD: Mutually Assured Design (not Destruction)
Just like two nations with nuclear weapons, IoT devices and their environment can destroy each other. A new MAD doctrine is needed, but instead of being based on Destruction it should be constructive and based on Design safeguards, and it needs to consider four main areas:
How secure is the device from attack?
Is the administrative plane locked down?
What safeguards exist between the device and the rest of the network?
How prepared is InfoSec to see and stop attacks involving their IoT systems?
To wrap up, an EZ IoT Cybersecurity form produces an overall score for how I’m doing. It is based on examining groups of IoT devices in my environment, each with a risk score based on the observed threat & exposure combined with a measure of their criticality to my business. If I want to reduce my overall risk score, then I’d pay more attention to the systems that have a higher impact on the bottom line. Perhaps I will need to buy a more secure IP video camera to protect against the Mirai virus or whitelist (or micro-segment) my remaining Windows XP dialysis machines from their network neighbors to be ready for the latest WannaCry variant.
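The roll-up described above (per-group criticality from the four Tenet 2 considerations, risk from observed threat and exposure, one overall score) is easier to reason about with numbers. The following Python is a constructed example added here, not the author's tool; the weights, ratings and inventory are assumptions, chosen so the effect of a control such as micro-segmenting the XP dialysis machines is visible in the overall score.

```python
"""Constructed EZ-form style IoT risk scoring (added example, assumed weights
and ratings): each device group gets a criticality value mashed up from
safety, financial, compliance and attacker-threat-profile ratings, a risk
score from observed threat and exposure, and the groups roll up to one
overall score that shows where a control such as micro-segmentation pays off."""
from dataclasses import dataclass

# Weights for the criticality mashup (Tenet 2); assumed, tune per business.
CRIT_WEIGHTS = {"safety": 0.4, "financial": 0.3, "compliance": 0.2, "threat_profile": 0.1}

@dataclass
class DeviceGroup:
    name: str
    count: int       # devices in the group (Tenet 1: assess groups, not the whole fleet)
    factors: dict    # each rated 1 (low) .. 5 (high)
    threat: float    # observed threat level, 0..1
    exposure: float  # reachability/exploitability from the rest of the network, 0..1

    def criticality(self) -> float:
        """Weighted 1..5 criticality value."""
        return sum(CRIT_WEIGHTS[k] * self.factors[k] for k in CRIT_WEIGHTS)

    def risk(self) -> float:
        """Risk contribution = threat * exposure * criticality * device count."""
        return self.threat * self.exposure * self.criticality() * self.count

def overall_score(groups) -> float:
    """Sum of group risk on a 0..100 scale (100 = every group at its maximum)."""
    worst = sum(5.0 * g.count for g in groups)  # threat = exposure = 1, criticality = 5
    return 100.0 * sum(g.risk() for g in groups) / worst

def prioritise(groups):
    """Groups ordered by risk contribution, highest first: where to spend."""
    return sorted(groups, key=lambda g: g.risk(), reverse=True)

def apply_control(groups, name, new_exposure):
    """Model a control (whitelisting / micro-segmenting one group) as reduced exposure."""
    return [DeviceGroup(g.name, g.count, g.factors, g.threat, new_exposure)
            if g.name == name else g for g in groups]

# Constructed inventory in the spirit of the post's examples (not real data).
INVENTORY = [
    DeviceGroup("dialysis_winxp", 12, {"safety": 5, "financial": 4, "compliance": 5, "threat_profile": 4}, 0.8, 0.9),
    DeviceGroup("ip_cameras", 60, {"safety": 1, "financial": 2, "compliance": 2, "threat_profile": 5}, 0.9, 0.7),
    DeviceGroup("printers", 40, {"safety": 1, "financial": 1, "compliance": 2, "threat_profile": 2}, 0.3, 0.5),
    DeviceGroup("temp_sensors", 200, {"safety": 1, "financial": 1, "compliance": 1, "threat_profile": 1}, 0.2, 0.4),
]
```

Calling `overall_score(INVENTORY)` and then `overall_score(apply_control(INVENTORY, "dialysis_winxp", 0.2))` shows how much segmenting a small but highly critical group lowers the score, while `prioritise(INVENTORY)` ranks the camera fleet first because its count and threat profile outweigh its low criticality.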