The Internet of Things (IoT) is the platform of objects and devices connected to the Internet. Alarmingly for higher education institutions, IoT can pose some serious risks. Not only are their networks at risk, but some organizations also have to worry about risks to their own hardware and software products. Even some industries not traditionally considered technology (computer) related are moving into this realm. One example is the auto industry, whose products affect all of us. Many new vehicles have computer systems in them, which means that they could be compromised the same as any other computer. Likewise, the facilities department on campus might worry about occupancy sensors, printers, cameras, or other campus-installed devices being hacked. In this blog, we primarily focus on how organizations should approach the risks associated with IoT on their networks.
Managing risk in the IoT world is challenging; however, many of the classic risk management principles still apply. The approach we discuss involves four steps:
- Developing risk tolerances
- Identifying risks
- Mitigating risks
- Reviewing and monitoring controls
Similar to the classic risk management approach, risk management of IoT succeeds only if the right people are involved in the process. Possible parties to include in the risk management process are IT staff, end users, the information security office, and upper management. Like most projects, seeking managerial support in the beginning helps foster the initiative's success. Risk management with IoT takes time and resources. In addition, IoT is constantly changing, and the risk management process must adapt with these changes, making it a continual process.
Determining Your Organization's Risk Appetite
The first step for any type of risk management is understanding your organization's risk appetite: how much risk the institution can tolerate while continuing to conduct its business. Risk appetite is unique to each campus. Some smaller institutions cannot absorb a lot of risk, while a larger one might have the resources and abilities to absorb some risk. Risk appetite depends on the institution's core strategic goals, objectives, and priorities. These assets could include the institutional brand, research or operational data, financial accounts, or student records and admission applications.
Risk appetite for IoT depends heavily on where IoT is used. Risk managers need to look at the two main types of IoT: IoT they control and IoT they don't control. The former category includes IT-issued IoT devices. The latter, or "shadow" IoT means the devices staff or students and faculty bring in or connect to the network. These devices include health bands and smartwatches, which might constantly try to connect to the campus's wireless network. It is important to consider both types of IoT devices when conducting a risk assessment.
Identifying Risks
Another important aspect of risk management is identifying risks. IT organizations should think about both controlled and uncontrolled IoT to decide what is a risk and what is not. They should create a risk management plan to address the IoT risks identified.
Network administrators should watch the network for occurrences that seem out of place or out of the ordinary. They should be educated on the daily happenings of the network on a normal day in order to spot these unanticipated occurrences.
It is also important to know where the holes are likely to be in the network, if there are any. These areas need extra monitoring because they may be more vulnerable to attack.
IT staff should also know what devices are connected to the network and what the traffic associated with each connection should look like. Due to the large number of devices now connected to networks because of IoT, the attack surface has grown immensely. More devices mean more connections. More connections mean more places for malicious individuals to infiltrate the network.
Mitigating Risks
Organizations must implement a risk mitigation plan that includes controls and solutions for mitigating risks of IoT. These solutions can include firewalls, bring your own device (BYOD) or mobile device management (MDM) policies, and network segmentation.
Firewalls monitor network traffic and only permit traffic that is allowed access to the network. They can be used to mitigate external risks to the network.
BYOD and MDM policies are important ways to address IoT risks. If employees, faculty, and students can bring their personal devices to campus and connect them to the network, the institution's attack surface expands even more. To mitigate this risk, IT organizations should have a policy in place for mobile devices. Whether campus community members are or are not allowed to bring their own devices to campus and what rules they must follow if allowed to bring them should be clearly laid out in the policy.
Network segmentation is another control that can help mitigate risks. This allows the IT department to minimize access to parts of the network based on who needs to access what. Not every person should have full access to the network, so segmenting the network gives the organization the ability to provide people access to parts of the network essential for their work while preventing their access to sometimes sensitive areas.
To implement any of these controls, the IT department or Information Security Office proposing the controls needs to get approval from upper administration.
Monitoring Controls
Monitoring controls are important to test the effectiveness of the controls put in place. It is also important to review the risk plan implemented to account for changes in risk or residual risk that remains after a risk has been mitigated. New risks also arise from new technologies or from mitigated risks, all of which need to be accounted for and added to the risk management plan. As IoT expands, new risks will continue to form. The IT organization must review and monitor its risk plan because of the fast-growing world of IoT.
Adapting to IoT Risks
The world of IoT will continue to grow over time. Banning IoT on campus is not an effective strategy for any institution. All campuses will need to accept some level of IoT because of the many benefits they make possible for users. Developing a risk management plan now will only help your future adoption of IoT devices. Otherwise, your institution might be left behind as IoT becomes more popular and more widely used. Risk management is a continuous process, but with the right team and dedication, risk management will help you effectively control IoT risks. Every IT organization can effectively manage the risks IoT brings to campus by implementing effective risk management.
Resources
- ISACA paper: Internet of Things: Risk and Value Considerations [http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/internet-of-things-risk-and-value-considerations.aspx]
- IoT Evolution article: "Risk Management in the IoT: An FBI Perspective"
- Wall Street Journal article: "Internet of Things Security Issues Require a Rethink on Risk Management"
Teresa Mock is a second-year master’s student studying Information Security Policy and Management at Carnegie Mellon University. She received her bachelor’s degree in History from Bethany College in Bethany, West Virginia. For the last two summers, Mock has worked an internship at the Government Printing Office in Washington, D.C. Aside from Information Security and Risk Management, she is also interested in photography, ice hockey, and travel.
Kayla Paden is a master's of Information Security Policy and Management student at Carnegie Mellon University, Heinz College. She completed her bachelor’s degree in Mathematics from Grove City College. Currently, Paden is working with a nonprofit to combat human trafficking. She is interested in risk management, information security policy, and employee training and awareness.
© 2015 Teresa Mock and Kayla Paden. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.