The Internet of Things (“IoT”), which contains sensors that take in information and actuators that act on the environment, presents significant challenges to assessing, managing and mitigating risk. Identifying assets and assessing the risks associated with these assets – for the purpose of applying scarce resources where most appropriate – is risk management in a nutshell. We cannot protect all things equally, at least not in a cost-effective manner.
Assets are varied and include desktops and laptops, tablets and phones, network gear, applications and more. Most of these items are maintained in an asset inventory with an owner for each asset identified. The category of data – such as electronic protected health information (EPHI), personally identifiable information (PII), payment card industry (PCI) – is often maintained and associated with each asset.
"Now is the time to take the first steps."
The IoT isn't just about thermostats and internet-connected refrigerators. In this new environment, assessing and understanding risk becomes exponentially more difficult; just creating an inventory can be challenging since mobile devices may move in and out of traditional network environments and may use proprietary communication protocols and network interfaces. Even when we can identify that an IoT device exists, assessing the level of risk is a daunting task.
New privacy concerns: Wearables represent new threats to the privacy of individuals. Consider that insurance companies are currently offering discounts for people who agree to wear devices that track fitness activity. Is it difficult to imagine that in the future, insurance companies might require these trackers in order to provide insurance at all? Or that these same companies might increase premiums for those whose trackers report low activity levels, thereby signaling lack of exercise for their wearers?
High stakes security: In the health care environment, the stakes have become higher, already. Failing to identify a typical device on our networks and not applying appropriate patches and other security controls could lead to a breach, and information could be compromised. I do not intend to downplay the seriousness of this type of an attack, which could lead to identity theft, medical record theft and the like. But, consider that failure to identify, assess the threats and vulnerabilities, and apply the appropriate controls on a medical device could cause death.
This is not just hype. An implantable pacemaker was first implemented in 1958; the first implantable insulin pumps were implemented in the early 1990s. More recently, these devices have or will become accessible remotely. This is inevitable. The risk that a device could fail, thereby requiring surgery to repair or replace the faulty component, can be offset by the capability to remotely access the device through a wireless technology. But, allowing remote access to an implantable device for the purpose of normal maintenance and support also provides the possibility, if not the probability, of illicit access.
Now is the time to take the first steps. Identify the unknown devices on your network. These devices may be transient, so discovery must be ongoing. Scanning for devices once per week is no longer sufficient, and traditional scanning itself may not be viable in IPv6 environments. Evaluate dynamic host configuration protocol (DHCP) logs, run scans of all known IP address ranges and invest in a wireless scanner. Further, interview members of your clinical engineering team and meet directly with physicians and researchers to fill in the gaps where technology has failed to identify connected devices.
Photo by Glenn Perry