Enterprise cybersecurity

Why it’s time to build a security maturity model for the Internet of Things

From sensors that regulate farm irrigation to fridges that order food, businesses and homes are filled with more connected devices than ever before. But at what cost for security?

Art by

sodavekt

Share article

iot security model

The market for Internet of Things (IoT) is growing at a rapid pace – we have devices like the Nest home thermostat and the Amazon Echo to thank for that. For those that don’t know about IoT, it’s essentially the inter-connectivity of devices in today’s world. According to IoT Analytics, in 2020 we reached 423 million IoT connections worldwide, predicting we’ll reach 2.5 billion by 2025.

Great in some cases, but worrying for cybersecurity. Why? Cybercriminals are increasingly realizing how vulnerable connected devices truly are. Kaspersky detected 105 million attacks on smart devices in the first half of 2019 – up seven times on the first half of the previous year. Clearly, the threat of cyberattacks on the IoT is too important to ignore.

How an IoT attack hit the Target

In 2016, Industrial Internet Consortium (IIC) experts agreed the cybersecurity industry needed to implement more tailored models of security for IoT devices. Doing so would help industries choose cybersecurity protection measures that meet their business needs. Here’s an example. Back in 2013, retail giant Target’s network was breached by hackers who used malware to collect around 40 million payment card details in just over two weeks. After an investigation, they found the perpetrators accessed the secure network through the retailer’s heating and air conditioning.

The heating, ventilation and air conditioning (HVAC) industry incorporates many IoT elements into its product systems, from controllers and measurement tools to mobile applications for remote management. The risk is clear: many of these elements can be accessed remotely. While that’s normally to allow personnel to update building conditions from external locations, it provides more entry points for hackers.

The main problem with supporting the proper level of security for infrastructure with newly-introduced IoT elements is the uncertainty about what needs to be done, which measures need to be applied and to what extent. The other issue is posed by specific requirements to safety, continuity and real-time execution, which may be violated by inconsiderate introduction of security mechanisms. For HVAC elements, they need continuous support of temperature and humidity conditions, so the availability of remote control and monitoring data is necessary.

In Target’s case, a structured approach could have helped to determine both the protection measures needed across the whole network and the organizational requirements to support the optimal security processes and avoid losses.

Why should you develop an IoT cyber-threat protection strategy?

iot cybersecurity model
Creating a cohesive cyber-threat protection strategy is a challenging task, especially when dealing with IoT and the many smart devices and industries that are connected. But it can be done. One common strategy is the IoT Security Maturity Model.

Ultimately, an IoT security maturity model will identify a business’s entire production and process chain, conclude appropriate means of protection and help those responsible for that system’s security implement those methods.

How to build a security maturity profile

A security maturity model describes a selection of security practices – including the implementation of access control, protection of stored or transmitted data, or the management of security updates – which are needed to define the approach by which a business protects itself from IoT cybersecurity threats. This might be happening on an individual basis, but a more mature, systemic approach to security will group these practices in to three main areas: governance or organizational security management, the provision of security by design and security hardening. Then, using the business priorities, needs and the purpose of every security practice in the particular context, security maturity profile should be secure enough.

This approach is key to assessing how well security practices are implemented in the concrete context. Let’s, for example, consider security monitoring. For some IoT components, checking the diagnostic logs – where all issues are recorded – from time to time is more than enough. Some others, however, need to be protected against malware.  Components that pose a medium threat should collect and analyze information from a variety of sources and involve human expertise. The most critical systems operate continuous real-time monitoring of all relevant types of security events using the most appropriate means and ubiquitous automation.

That said, even a comprehensive approach alone doesn’t make for a mature security implementation. The ability to adapt to specific requirements for each individual industry, or even specific systems, is vital. With IoT devices covering everything from the personal to industrial, it’s important to consider the primary focus of each area when assessing the best security model to use.

As the threat of malware in IoT devices continues to thrive, a mature IoT security implementation will be vital to protect our homes, workplaces and even our health from cybercrime. But the model itself needs implementation processes to fully reach its defensive capabilities. By combining best practice with action, we can allow security experts to make sure they are best defending every step of the IoT ecosystem – helping make our lives and our workplaces safer – now and in the future.

More information about IIC IoT Security Maturity Model can be found at the Industrial Internet Consortium’s site.

IoT and embedded security

Kaspersky solutions help you address cybersecurity threats to IoT systems and your business.

About authors

Ekaterina Rudina is an analyst for Kaspersky who specializes in threat research, modelling and risk assessment for critical infrastructure defense. She holds a PhD in Computer and Network Security and contributes her expertise to developing national standards with IEE, ITU and Industrial Internet Consortium. When she’s not saving the world’s infrastructure, she enjoys reading, sewing and sketching.