14 July 2019

3 ways IoT devices compromise security

By: Kelsey Reichmann 

The National Institute of Standards and Technology released a new report June 27 detailing the cybersecurity and privacy risks associated with the Internet of Things and solutions for how government agencies can manage them.

IoT devices can create cybersecurity vulnerabilities for government agencies by exposing private data, the accuracy of data or data availability and may compromise personally identifiable information. As the popularity of the devices grows, so too does scrutiny. In March, a bipartisan group in Congress proposed the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019” that would require that devices purchased by the U.S. government meet certain minimum security requirements.

Here are three ways the report, titled “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” can compromise security:

They are vulnerable to the physical world


IoT devices are particularly vulnerable because they interact with the physical world differently than IT devices. For example, IoT devices can manage items such as heating coils, cardiac electric shock delivery, electronic door locks, unmanned aerial vehicle operation, servo motors, and robotic arms, the report said. This gives them ability to make physical changes to their environment and potentially endangering human safety.

They can be difficult to manage

IoT devices are often accessed, managed, and monitored differently than traditional devices. The report refers to IoT devices as “black boxes” that offer little visibility into their composition, software, and configuration. IoT devices commonly lack management features and interfaces, which can make it difficult to manage them.

They can require excessive management

IoT devices often have different cybersecurity capabilities than traditional IT devices. The report stated that managing cybersecurity on IoT devices can be difficult and even excessive. This is a result of how built-in cybersecurity measures and after-market security measures differ from IT devices.

The report recommended adjusting policies and processes as a way to mitigate these risks.

No comments: