Cyber security compliance standards exist to protect devices, data and people connected to the internet from the myriad threats facing them every day. For example, regulations like the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards ensure businesses operating in the power industry follow certain guidelines with regard to cybersecurity in order to keep the service they provide reliable. Typically, devices that fall within the scope of these regulations include computers, network devices, and other network-connected devices, such as industry-specific tools, card scanners, etc. But what happens when everything is connected to the network?
The basic philosophy behind the Internet of Things (IoT) is that almost everything (objects, buildings, vehicles) can and should be connected to the internet. The potential benefits of doing so are many; these are just a few:
- Metrics and monitoring. Whether it’s your milk getting low, your back door unlocked at night, or the safety of a nuclear reactor, the main idea behind internet connected devices is to pull data out of the material world and put it into a digital format a human can manipulate to better understand the device in question. In business terms, the applications are nearly endless, as the kind of big data gathered by an IoT system would help increase efficiency, decrease waste and provide objective statistics for use in business decisions.
- Remote control. Working with objects in the physical world typically requires the user to share the same physical space as the object. The IoT will make objects (buildings, vehicles…) accessible remotely. The advantages should be obvious here, including freeing people up from physically working in uncomfortable or dangerous environments, management of satellite offices or stations, and most importantly, the possibility to control objects via automation.
- Interconnectivity. If the IoT was just about adding each device to the net as a discrete entity, it wouldn’t make much sense. The real power of the IoT comes with interconnecting devices to work together. The IoT is a system, a collection of objects communicating with each other and people. In business terms, this touches everything from manufacturing lines to point of sale devices, to inventory mechanisms. Along with automation, interconnectivity allows the IoT to create a logical network of objects designed around the way people use them.
- Automation. The concept of automation has been at the forefront since the industrial revolution, but automation happens in cycles, just like technology itself. What the IoT ultimately dangles in front of us is an autonomous network of objects, interoperating efficiently without any significant human input. The ramifications of such a system go beyond this survey, but it would be a completely new way of interacting with our environment, like developing a new sense. Initially, of course, the automation will be crude and cumbersome, with interconnectivity limitations determining what can be automated.
- Ease of use. Like smartphones, devices in the IoT will require intuitive, simple interfaces so that non-experts and even non-technologists can take advantage of the benefits. Far from being devices confined to IT shops and enterprise businesses, the IoT depends on popular use, so the innovations that bring it closer to that goal will be defined in large part by their usability.
But the IoT is a double-edged sword, and with these benefits come several drawbacks:
- Surveillance. Metrics and monitoring are great, as long as the data stays in the right hands. Otherwise, that information becomes a vulnerability, allowing third parties to know the intimate details of your environment. Whether hackers, state-sponsored agents, or competitors, someone will be after that information, because it has value, both to its owner and to others.
- Hacking. Again, remote control functionality sounds great, as long as the person doing the remote controlling is an authorized user. Connecting a device to the internet means subjecting that device to the possibility of being taken over and damaged, defaced and/or compromised. This will be as true for IoT devices as it is for laptops and smartphones, so at the scale some IoT evangelists imagine, that’s a lot of potential exploitable inroads.
- Cascading failures and vulnerabilities. While interconnectivity increases functionality by linking a series of devices, it also propagates failures and vulnerabilities in much the same manner. Discrete objects require more overhead to manage, but they are isolated, and their failure only impairs their own functionality. An interconnected system, on the other hand, is a series of dependencies. When one piece goes down, it interrupts a complex chain and renders other, working, parts useless. An old-school example of this is exactly why the NERC standards were created in the first place. Likewise, a vulnerability in one piece of an interconnected system can render the entire system vulnerable. It seems a bit silly to imagine someone hacking a Wi-Fi light bulb and taking over a house, but that’s legitimately within the range of possibilities in the future.
- Faster errors. Every advance in automation is met with an increase in danger when something goes wrong. Much like a cascading failure, when something goes wrong in an automated environment, it interrupts the entire system, often moving the flaw from one stage of automation to the next, compounding the error each time. Furthermore, all of this happens so quickly that it’s very difficult for a human operator to make adjustments in time to prevent damage.
- Outsourcing difficulty. Although IoT devices will have slick interfaces, the difficulties those interfaces hide still exist; they’re just being handled by developers and other technologists at private companies. This means that as people become dependent on easy-to-use IoT devices, they also become dependent on the companies producing them, on the people working for those companies, and on the technical knowledge those people possess. This could have serious ramifications in the future, especially imagining an Internet of Living Things, where a conflict of interest could arise between a business’ goals and its users’ needs.
Given the risks that accompany the IoT, it makes sense that businesses required to follow compliance standards prepare themselves for what’s on the horizon. There’s time yet to prepare, as the rollout of the IoT will be extremely gradual, coming in stages, waves, with multiple generations of technology co-existing in the same space. But those organizations that prepare themselves ahead of time with a strategy on how to implement and secure the IoT within their environment can avoid some costly and potentially dangerous lessons.
Scenario #1: Attacks intended to cause physical damage.
We’ve already seen several instances where a cyber attack has led to real-world damage, and that’s with a very limited number of network-connected devices capable of doing such a thing. The IoT would change that, putting a plethora of devices online capable of making physical changes. Something as simple as a pressure gauge, a security door, a furnace, or an HVAC unit, given enough internet-connected functionality, could be hacked and altered to the point that it caused material damage.
Scenario #2: Data breach through a seemingly harmless device.
As part of the interconnectivity mentioned earlier, any IoT device that has access to other devices, or to a central computer, can be used as an entry point for further access. It’s unlikely you’d have your toaster set up to ssh into your home security system, but it’s more likely that a business would install a myriad of devices and, either through negligence or lack of ability, fail to secure each and every one. Compliance standards will help to regulate the methods by which organizations can protect themselves from these attacks.
Scenario #3: Unauthorized access to services.
Finally, without interrupting or damaging anything, malicious actors could simply collect the data generated by these devices and use or sell it however they see fit. Access restriction to the services and information IoT devices provide must be enforced to prevent unauthorized data mining.
The truth is we as a society, as a species, are still struggling to live in a world where the technology we’ve created has accelerated everything we do. We live in a time of great possibility, for good and bad, but often without the requisite time to stop and think.
Compliance standards are mostly reactive, with some foresight given to emerging trends, but focused mainly on known threats and problems. There will be a period when IoT devices are already integrated into business practices but the compliance standards to secure them have not yet been written; some cutting-edge organizations already face this issue. The admittedly large upside of IoT devices may coax some businesses into deploying them without fully considering the consequences, just as the initial digitization of business, still in progress, came with little security.
What can be done then? As technology cycles out, the less time an organization has to spend reinventing the wheel of how it does business, the more it can focus on the business itself. Here are some key steps businesses can take to prepare for the IoT, especially if they fall under compliance standards that require documentation for audits.
- Functionality is not enough. Remember that making it work is only part of what’s required when deploying devices with network connectivity. Security should be factored in from the earliest planning stages, taking just as prominent a role as functionality. For cost-saving reasons, this is often not the case, but in the long term a solid security policy and perspective will save money, time and possibly reputation.
- Visibility. As devices proliferate, it’s important to have a good system to track inventory, configuration, changes, etc. Even the complexity of a modern data center requires this kind of visibility to operate smoothly, so something as potentially intricate as the IoT will require organizations to have unparalleled visibility into their environments. The reason companies get breached is that someone outside the company sees a flaw or, more likely, a misconfiguration, before someone on the IT team sees and fixes it. By improving visibility, organizations can stay on top of what’s actually happening.
- Testing. Full visibility can only be obtained through regular testing to ensure expected configurations behave the way they are supposed to. By comparing the existing state of an environment to a desired state as defined by the organization, IT teams can know immediately when an asset falls out of compliance or a configuration is changed.
- Insurance. Security is like trying to reach the speed of light: at best you can only get 99.9% of the way there, and “at best” is rarely the scenario in cyber security. But whether you have a 0.1% gap or a 10% gap, you need to cover the remainder with a policy to protect your business in the event of a breach or major outage. Risk, and the resulting cost of coverage, depend on the particular security configuration, and environments with more security would be less likely to need their policies over time.
- Agility. Traditional IT shops have often been resistant to change, because change is what breaks things. This approach leads to a rusted-in-place infrastructure, fragile systems no one wants to touch, and siloed knowledge. In an environment like this, implementing new technology, much less new compliance standards for that technology, causes dread and sometimes foot-dragging, preventing projects from completing in a timely manner. But with the visibility and testing mechanisms mentioned above, change doesn’t have to be such a nightmare.
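The Visibility and Testing points above come down to one mechanical check: hold an inventory of what each device actually looks like, compare it to the state the organization has defined, and flag anything that has drifted or changed since the last look. The script below is an added example written for this post; it is not UpGuard’s code or any product’s API. The device names, baseline attributes and observed values are constructed for illustration, and the baseline reflects common hardening expectations for network-connected equipment (minimum firmware, no Telnet, no default credentials, remote administration only from an approved subnet).

```python
"""Desired-state compliance check for a small IoT device inventory.

Added example (not UpGuard's code): compares each device's observed
configuration to an organization-defined baseline, reports every
attribute that has drifted, and separately reports what changed
between two inventory snapshots. All names and values are constructed.
"""
from dataclasses import dataclass

# Baseline the organization has defined (constructed example values).
BASELINE = {
    "firmware_min": "2.4.0",                       # lowest acceptable firmware
    "telnet_enabled": False,                       # cleartext management must be off
    "default_password": False,                     # vendor default credentials must be changed
    "remote_admin_allowed_from": ["10.0.5.0/24"],  # only the management subnet may administer
}

# Observed state per device, as an inventory/monitoring system would collect it.
# Constructed sample: "hvac-01" drifts on two attributes, "door-07" on one.
OBSERVED = {
    "hvac-01":  {"firmware": "2.3.1", "telnet_enabled": True,  "default_password": False,
                 "remote_admin_allowed_from": ["10.0.5.0/24"]},
    "door-07":  {"firmware": "2.5.0", "telnet_enabled": False, "default_password": True,
                 "remote_admin_allowed_from": ["10.0.5.0/24"]},
    "gauge-12": {"firmware": "2.4.0", "telnet_enabled": False, "default_password": False,
                 "remote_admin_allowed_from": ["10.0.5.0/24"]},
}


@dataclass
class Drift:
    """One attribute on one device that does not match the baseline."""
    device: str
    attribute: str
    expected: object
    actual: object


def parse_version(v):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def check_device(name, observed, baseline=BASELINE):
    """Return a list of Drift findings for one device (empty list means compliant).

    A missing attribute is treated as drift: unknown state is not compliant state.
    """
    findings = []
    fw = observed.get("firmware")
    if fw is None or parse_version(fw) < parse_version(baseline["firmware_min"]):
        findings.append(Drift(name, "firmware", ">= " + baseline["firmware_min"], fw))
    for attr in ("telnet_enabled", "default_password"):
        actual = observed.get(attr)
        if actual != baseline[attr]:
            findings.append(Drift(name, attr, baseline[attr], actual))
    allowed = set(baseline["remote_admin_allowed_from"])
    actual_src = set(observed.get("remote_admin_allowed_from", []))
    if not actual_src <= allowed:  # any admin source outside the allowed set is drift
        findings.append(Drift(name, "remote_admin_allowed_from",
                              sorted(allowed), sorted(actual_src)))
    return findings


def check_inventory(observed_inventory=OBSERVED, baseline=BASELINE):
    """Run check_device over every device; returns {device_name: [Drift, ...]}."""
    return {name: check_device(name, state, baseline)
            for name, state in observed_inventory.items()}


def noncompliant_devices(report):
    """Sorted names of devices with at least one finding."""
    return sorted(name for name, findings in report.items() if findings)


def changed_attributes(previous, current):
    """Compare two inventory snapshots taken at different times.

    Returns {device: [attribute, ...]} for attributes whose value changed, and
    flags devices that appeared or disappeared between the snapshots.
    """
    changes = {}
    for name in set(previous) | set(current):
        if name not in current:
            changes[name] = ["<device removed from inventory>"]
        elif name not in previous:
            changes[name] = ["<new device>"]
        else:
            attrs = set(previous[name]) | set(current[name])
            diff = sorted(a for a in attrs if previous[name].get(a) != current[name].get(a))
            if diff:
                changes[name] = diff
    return changes


if __name__ == "__main__":
    report = check_inventory()
    for device in noncompliant_devices(report):
        for d in report[device]:
            print(f"{device}: {d.attribute} expected {d.expected!r}, found {d.actual!r}")
```

Two design choices matter here. First, an attribute the inventory could not collect counts as drift rather than as a pass, so a device that stops reporting does not quietly look compliant. Second, drift from the baseline and change between snapshots are separate questions: the first tells an auditor whether the environment meets policy, the second tells an operator that something moved, which is the earlier signal when a device is reconfigured, replaced, or added without a change ticket.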
It can be difficult enough for a business to keep up with its particular IT environment, much less the IT field at large. But although it may seem counterintuitive, factoring the way technology changes, its lifecycles, into everyday IT procedures makes managing that environment much easier. Just as software development and deployment have been revolutionized by automation and DevOps (or DevOps-like) ideas, the way a business maintains its technological infrastructure should reflect the realities, good and bad, of an expanding and accelerating digital footprint, rather than continually trying to shove the square peg of its environment into a hole that’s constantly changing shape. UpGuard can help you get there.