Documente Academic
Documente Profesional
Documente Cultură
(059131)
INTERNET
OFTHINGS:
RISK AND VALUE
CONSIDERATIONS
-HSMM
\ /
Internet o Things: Risk and Valu Considerations
V*
...
i
;
*
i
^ vs &
4*
.......
VJ
fc
...* . . . .
?iv
vv v-v
s ^ \--*x
afeo / ::
\r^
-i - ^ ^ ! / - f ,
L-l*
& ; - f v'. ;
>
'
. r ....
r-./W
//;
' N>
*s' i
:
\ ' k fStv
3* . i : :
* *! I
:*:
: * :-~.
-----!...U
!'/
.y
W'
**-v.
ISACA
----
"1
_______ . .
II- *
----------
'/Ifa -V
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT
Provide feedback:
leaders build trust in, and valu from, Information and nformation systems. Established in 1969, ISACA s
the trusted source of knowledge, standards, networking, and career development for information systems
audit, assurance, security, risk, privacy and governance professionas. ISACA offers the Cybersecurty
Center:
Nexus, a comprehensive set of resources for cybersecurity professionas, and COBIT, a business
www.isaca.org/knowledge-center
framework that helps enterprises govern and manage their information and technology. ISACA also
advances and validates business- criticai skills and knowledge through the globaly respectad Certified
information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the
ISACA (Oficia),
hito://iinkd.in/ISACAOfficiai
Governance of Enterprise IT (CGEiT) and Certified in Risk and Information Systems Control
(CRISC) credentials. The association has more than 200 chapters worldwide.
**A
DISCLAIMER
ISACA has designed and creaied Internet of Things: Risk and Valu Considerations white paper (the Work) primarily as an educational resource for assurance,
governance, risk and security professionas. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered
inclusive of all proper information, procedures and tests or exclusive of oiher information, procedures and tests that are reasonably dlrected to obiainlng the same resuits.
In determining the proprlety of any speciic information, prooeure or test, assurance, governance, risk and security professionas should appy their own professionai
judgment te the specific circumstances presenec by the particular systems or Information technology environment.
_ ...
v \>s>.
..........fcsjsv.
5Elon University, The Internet of Things Will Thrive by 2025, 14 May 2014, wv/w.elon.edu/docs/ev/eb/imagininglsurveys!2014_survey/E!on%20Pew%20Future%20f%2Qthe%2Qlnlemet%2QDf
%2Qmngs%2GRepc>rt%205-1.t-14.pdf
y
/i
-w. />*t<
.A.. **<*.
, Mr %
.y-'vN
tf>
w
........................
,
'i'.
**" ...
'
...
\
\
..................................................
V*.
....
www.idc,com/g&tdoc.jsp?containerd^243661
ACCESS
i twrAovraeECFnr
WAFB3VACT
mw*
JNtWlDtiWLS
So urce: ISACA 2014 IT Risk/Reward Barometer, ISACA, 2014, www.isac3.org/pages/2014-riskreward-barometer.aspx
8TQ
W5UCY
7
te net o isThiniDs
Business risk:
Health and safety
Reguatory compliance
* User privacy
* Unexpected costs Operational risk:
Inappropriate access to functionality
Shadow usage
* Performance Technical risk:
Devce vulnerabilities
Devce updates
* Devce management
Potentia
l
Busines
s
Benefit
s
New
Risk
Business Risk
Probabiy the most sgnfcant business risk is the potential
heaith and safety impact if the operation of a device is
subverted. Research shows that wireless, potentially lethal
attacks are possible against implantable biomedical devices,
such as a pacemaker or defibrillator. For example, a 2008
study concludes:
Our investigation shows that an implantable cardioverter
defibrillator (1) is potentially susceptible to malicious
attacks that vilate the privacy of patient information and
medical telemetry, and (2) may experience malicious
alteration to the integrity of information or State, including
patient data and therapy settings for when and how shocks
are administered.16
companies or
environment)
patient
care
in
clinical
Regulatory mandates often apply to the communicationenabled devices in the previous examples and others. If
regulatory mandates apply, the complexity of the regulated
environment can be compounded because of devices of this
type. For example, a PoS system in a retail location may be
built to conform to payment card industry (PCI) requirements,
but a smoke detector on the same network may not conform;
or a magnetic resonance imaging (MRI) machine may be built
to comply with the Health Insurance Portability and
Accountability Act (HIPAA) technical requirements, but the
thermostat in an operating theater may not comply.
Not only human agents, Le., attackers, can bring about these
health and safety mpacts; for example, malware can infect a
system with a critcal safety role, such as a navigation system
in an airplane, an automobile braking system or a smoke
sensor. Although it was later determined to not be the sol
cause, a malware infection of an airplane monitoring system
may have been a contributory factor in the crash of Spanar
fiight 5022 in 2008,21
In addition to health and safety risk, regulatory risk is also
possible. Regulatory concerns can occur when embedded
computing components:
Process potentially sensitive data (e.g., PoS systems that
process payment information)
Intersect with regulatory-govemed business
processes (e.g., financial reporing for public
2015 ISACA. Al rights rese'ved.
Technical Risk
At a technical level, embedded computing has the potential for a
more complex set of challenges than traditional IT. Embedded
(IoT) devices, like traditional computing devices, can be attacked,
* " * %.
&
...
/\
*
.1. %
r*
X\\
>iX
/X\1I
/>/xAl \rights
i rese'ved.
tsi
2015 ISACA.
r
''i'
sr---
' v-r
>
: .. & \
....
- m-.
........
........
&
.>:
Vate n .siXhi
/
s
k
a
n
d
onsider;
Stakeholder engagement and awareness are critical for loTrelated risk, as they are with any other risk. Following are some of
the key questions that practitioners shouid ask stakeholders when
loT deployment is being considered:
3. Who will have access to the device and how will their
identities be established and proven?
Figure 3 presents some important areas for practitioners to considerthe important things that practitioners should do and the
important things that practitioners should not do. This is a partial list and numerous other considerations will apply, based on individual
usage.
Dos
.
:
Don'ts
.V.
..- 3
vV *m
wsT
.
Sracuec//'/
or other stkehofders.
. :
:
>
regulatory mandates.
;::y:
|y^r^Gippey
<31 l
LvTlJ|igfl"
Uiayc.
~'~y
requirements;
________________________
: K/v//i<w
....
r.T.':.:v
. -.;rr'' r
devices to analyze
collected and transmitted by
:
asi
vulnerabilities.
Discount privacy considerations o
KCt
_______ .
- ....
VTX'XMZ
: . . - :......................
;c: r;**.
mm
:... ' :
....... :
_.
..........
rEih
f
- ; ; .....................................................
H '
..........................................- - - -
V-M
......................................
... . , ...
..
> . . . .. ., . .......
. . .
.. /.'TJ..i'.,'!'..
.*
: v.. i
..-v
...
S 8ggB8W
v...
i'iT.-'. -l*
. . . . - !
........
.......
.............................................................................
----------VVv
..
--c.
fc^aaM -
........ -
.... -i
U
*\l
*>
/
internet of Things: Risk and Valu Considerations
........
<\\' \ rW. \ ,M \ % \\
.ppipm
^ .
.......
p--"
V*^~'***..................................
| -#\1 W
\i \s^4
.;_...^^:^.-.::..V.:....--<
\ v/vw''*'A,.,,/v,v
...................... .
------------------~---
r * * ........................ .
?T
..
: .............
/* i. . ..
-#1 el / ni { r% i
n
i.
./
&*> ../ x,..
..
/
..........
.......
_,/
<* / " V*
*
\/
/w\
V-* ,
/
=r
W\ ;
v fvi. INy J / C : /
/ *. V** jf X/ S \
* - - VV!
ta V
\ ' f M V ' v
\
v,v
>
'V
& -# -- / /ov .| vT
*A A
v ^V
.
***'
>
8 / 2 :
;;\
I
fk / / / : / i i
,'I
'J 2
ny i
, ?/ iAWsT?
-
0 ' iil V I r r
m
W
:.
V>
/.
\ ' w^ r\ \m / v |'X /
f
4?w v ? .<l
-W.
xvaw-.vA-
JmwwwrtW.W
be life changing and lifesaving. IoT is n its very early stages and
already ubiquitous, although most people are unaware. Much more
is still to come.
The wave of changes from IoT also brings with it new and more
complex risk and problems. With the adoption of any change, it is
crucial to be well prepared. IoT can be a powerful concept, but making
use of it responsibly requires forward thinking, appropriate planning and
open dialog.