The Internet of Things (IoT) is proliferating exponentially, exposing organizations to an increased risk of IoT-targeted attacks, such as botnets and DDoS attacks. In this blog post, I explore the challenges of dealing with the IoT and some approaches that organizations can use to reduce their risk as they adopt more IoT technologies.

According to the IEEE, by 2020 there will be somewhere between 28 and 30 billion physical devices connected to the Internet--excluding smart phones, tablets, and computers. These "connected devices" make up the IoT. This incredible growth curve presents challenges to organizations that choose to use IoT technologies. To compound the problem, there are no standards in place to help govern IoT device security.

There are a few emerging IoT standards and guidelines, but organizations must take action now to use them for governing their IoT devices. Since adding security almost always results in more expensive products, vendors do not prioritize the development of secure devices. Moreover, typical consumers are not as concerned with the security of a device as they are with its price and performance. However, as IoT-enabled security incidents continue to increase, consumers may shift their priorities, demand more secure products, and force vendors to adopt security standards.

When organizations use IoT technologies, they increase the number of access points that threat actors can target in a DDoS attack, thereby increasing their risk. Organizations must consider the risk of this increased attack surface within the context of their critical services. Most IoT technologies do not perform critical services within the organization, nor do they generate or host critical information. However, by performing a detailed risk analysis, organizations can ensure that critical information is not affected; otherwise the consequences could be disastrous. Organizations should also perform this analysis when they acquire new IoT technologies, change their networks, or react to changes in the threat environment.

While managing IT assets is nothing new, organizations can easily overlook IoT technologies because they can be introduced into the organization through non-traditional channels. For example, an organization might allow its employees to connect appliances such as smart home devices, wearables, and vehicle-embedded technologies to its network; however, it might not know these devices are connected. Organizations should have effective automated information technology asset management (ITAM) processes in place to enable them to recognize when devices--including IoT devices--are connected to the network and what software is installed on each one.

Each organization should assess its IoT technologies during risk management activities to determine if they support its critical services; if so, the organization should manage its critical services properly to ensure they aren't vulnerable to attacks. The organization should confirm that the approved methods for vulnerability analysis include using technology that can identify vulnerabilities in IoT. US-CERT publishes alerts for attacks that target IoT technologies.

IoT technologies can provide an organization with many benefits, such as increased integration, efficiency, and accuracy. As with all new technologies, organizations should conduct a formal analysis to estimate the risks, costs, and benefits of using IoT assets to support critical services. Organizations should also properly govern the use of IoT devices by using risk management, asset management, and vulnerability management.

Learn more about the Internet of Things by listening to these SEI podcasts: Security and the Internet of Things and Threat Modeling and the Internet of Things. Contact me at info@sei.cmu.edu if you have questions or comments about this blog post.