866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What is the Internet of Things? Blog Feature
AVANI DESAI

By: AVANI DESAI

Print/Save as PDF

What is the Internet of Things?

Cybersecurity Assessments

 

What is IoT? - Internet of Things

 

What Is The Internet of Things (IoT)?

Though machines have been communicating with other machines for decades, the encompassing term of IoT wasn’t officially coined until 1999.  By definition, the IoT consists of any device that is connected through the Internet to other devices--this can mean anything, all types of tools including cell phones, connected refrigerators, aviation, and automobile devices, heart monitors, continuous glucose monitors, insulin pens, and even a biochip responder implanted in a farm animal.

What Are The Benefits?

"Connection between our tools not only makes our personal lives easier and likely safer, but businesses have also already realized the benefits of improved efficiencies and productivity."

Every new development usually leads to another addition to the IoT, and it’s no wonder, as there are many benefits to such devices.  The connection between our tools not only makes our personal lives easier and likely safer, but businesses have also already realized the benefits of improved efficiencies and productivity. In healthcare, they can track behavior, improve patient outcomes and reduce healthcare costs. In agriculture, they can provide analytics, optimize resource consumption, and monitor the need for maintenance prior to breaking down, as well as obtain data from within animals. The aforementioned “connected cow” is a very real thing--farmers are using chips embedded on various parts of their cows to increase productivity.  A device connected to the tail, for example, can tell the farmer when the cow will be going into labor, just as one connected within the ankles can yield peak fertility data.

Are There Any Challenges?

Of course, with any new technology, there are challenges.  Because advancements happen all the time, businesses are constantly racing to implement every new, relevant device without pay proper attention to the security of those devices as they are incorporated into the larger networks.  Such oversight is not good, as according to Symantec, IoT attacks grew 600% between 2016 and 2017, largely due to default passwords and other unpatched vulnerabilities, and the onslaught held steady in 2018.  Each new addition to the IoT means another connection to the Internet, and if these devices are not sufficiently protected and secured, they remain vulnerable to attack.  Any susceptibility is cause for concern, but in some cases, these gadgets are collecting and storing data on the device—imagine if any of that sensitive or critical information gets hacked.  In fact, we are seeing these kinds of data breaches almost daily.

"individual consumers themselves are now demanding protection over their personal information..."

It’s a problem, especially since another challenge is privacy.  Protection of personal information has always been important for regulators, but individual consumers themselves are now demanding protection over their personal information, especially since some organizations are not even aware of the data that is being collected or stored on these connected devices—that kind of oversight leaves the door wide open for the kind of data breaches that could lead to not only reputation loss but huge fines from regulatory bodies regarding the stolen data.

What’s Next?

So what do we do about this?  First things first, the devices utilized in your business should be assessed for security risks, and there are a few good places to begin. Various frameworks related to IoT security and privacy have been released by many different bodies, and organizations may also choose to combine risks and guidance of several. Of the many available, here are a few to consider.

The first framework that we’ll highlight is the IoT Security Compliance Framework released by the IoT Security Foundation that includes a set of best practices related to organization governance, security by design, encryption, network and application security, manufacturing, and implementation security.  Version 2 of the Framework was released in December 2018 and incorporates updates to the requirements for a variety of applications, including business-to-business (B2B) applications.

The UK Code of Practice for Consumer IoT Security is another framework that should be considered when pursuing IoT security.  Of a different vein, the Code of Practice includes 13 guidelines that cover default passwords, vulnerability policy, software patching, secure storage, secure communication, minimizing exposure to attack, software integrity, personal data protection, resiliency, monitoring, deletion of personal data, device installation, and maintenance, as well as data input validation.

Furthermore, NIST has also developed its “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”  Within the publication NISTIR 8228,  three high-level risk areas to address cybersecurity and privacy risks regarding the IoT are identified—device security, data security and privacy of personal information.  The risks outlined in these three areas are intended to help both organizations and manufacturers overcome the challenge of managing the risks of their relevant devices, and the publication not only outlines vulnerabilities but also provides a few recommendations for addressing them.

Not to be outdone, the Open Web Application Security Project (OWASP) also released its IoT top 10 risks in 2018, and the risks they highlight apply particularly to building, deploying, and managing IoT systems.  For reference, their unified listing of top 10 risks includes:

  1. Weak, guessable, or hardcoded passwords
  2. Insecure network services
  3. Insecure ecosystem interfaces
  4. A lack of secure update mechanism
  5. Use of insecure or outdated components
  6. Insufficient privacy protection
  7. Insecure data transfer and storage
  8. A lack of device management
  9. Insecure default settings, and
  10. Lack of physical hardening.

Finally, the Cloud Security Alliance features its own IoT Controls Framework, and theirs focuses specifically on several domains with controls intended to mitigate risks relating to confidentiality, integrity, and availability.  As another interesting angle, the Framework also maps to their Cloud Controls Matrix (CCM) for cloud providers that have been assessed or are considering assessment, against the CCM.

How Can Schellman Help?

Though the frameworks themselves are very helpful, sometimes an outside review can further bolster security, and our professionals have been assessing against security and privacy frameworks since 2002.  A readiness assessment of any kind can help organizations better determine where the control gaps are within an organization—once the control gaps have been remediated, Schellman can further provide a variety of attestations or non-attestation reports against the framework to validate the security of an organization’s IoT environment to clients, potential clients, or interested parties.

If your organization is already undergoing a SOC 2 examination, a SOC 2 + examination can include IoT security controls from any predefined security framework or custom-developed framework, and the additional subject matter added to the SOC 2 examination can be mapped to the established set of SOC 2 controls.  This combined report could meet several needs within an organization, providing the best reassurance that devices and data are secure.

If you or your organization are interested in pursuing such any of the aforementioned assessments, please contact one of our professionals with any of your questions.

About AVANI DESAI

Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not for profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female only venture philanthropic fund to solve problems related to women and children in the community.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.