Skip Navigation LinksASIS International / Membership / Member Center / Security Spotlight / Internet of Things Security

Internet of Things Security

​​​​Analysts from Forrester Research warn that as the Internet of Things (IoT) becomes more rapidly entwined with the physical world, the consequences of security failure escalate. As a result, the prospect for client safety, industrial operations, and national infrastructure will overshadow the protection of client data and become information security priorities. How should the security industry react?​

The following resources, ASIS International Seminar and Exhibits education sessions, Security Management articles, ASIS webinars and Council white papers, address these questions and offer practical responses and thoughts for t​he future marriage of IoT and security.

» View Past Security Spotlight Topics


Free Resources - ​ASIS Members Only

 

Internet of Things Security Assessment—Frameworks, Skills, and Controversy
Recorded education session, ASIS 2015

When It Comes to Cyber and IoT, There’s Strength in Numbers
Report from ASIS International Security Applied Sciences Ad Hoc Council, 2015

Sources of Information on the Internet of Things
ASIS IRC Reference Guide

Free Resources

ASIS website account (free) required

Is Your Refrigerator Spying on You?
ASIS Webinar, April 2016

Addressing the Cyber Risks to "Internet of Things" and Building Controls
Recorded Seminar session, ASIS 2016

Risks to Building Control Systems
Recorded Seminar session, ASIS 2015

The Internet of Things (IoT): Security’s New Frontier
Recorded Seminar session, ASIS 2015

Outdated Protocols and Practices Put the Io​T Revolution at Risk
Article from Security Management, March 2017

The Io​T Revolution
Article from Security Management, October 2015

Intelligent Infrastructure
Article from Security Management, April 2015

Ediscovery and the Security Implications of the Internet of Things
Security Management Online, April 2015

Mirai Attack - Incident Summary and Recommendations​​
Information provided by the ASIS IT Security Council, 2016

The Significant Technology Expansion that’s About to Happen: IoT, Sensors, and Analytics
Information provided by the ASIS International Security Applied Sciences Ad Hoc Council, 2015​

ITSC Top 6 Recommendations for Contrrol Systems Security​
Infographic​


Free Resources

The Internet of Things (IoT): Security’s New Frontier
Seminar Session 3309, September 2015
Speakers: Steve Till, President and CEO, Brivo, Inc.; LTC James Emerson, USMC (Ret.), COO, Managing Director of ICG, Inc.; and Rob Martens, Futurist and Director of Connectivity Platforms, Alegion

Each speaker provided an opening statement of the view of now IoT is and will be affecting the security industry. They followed up those comments with a view on how IoT changes security. On the plus side, they included the availability of more devices, more data, better analytics, and early warnings. Conversely, they believed IoT would lead to more things to be hacked, more privacy threats, data overload, and compatibility risks. Among their comments were the following:

  • IoT is not new to security because the industry has been connecting devices to a central software system long before IoT was in vogue.
  • To state that connecting all technologies can be connected without risks to security is dishonest. It’s up to security to be proactive in pointing out the risks and to be proactive in a collaborative way.
  • As researches develop new IoT devices, security is often sidelined, but the evidence of adds risk to what security is managing day-to-day.

The IOT Revolution
Security Management, October 2015
Author: Megan Gates, Assistant Editor

Through interviews with experts in top level positions with software, cloud, and IT service providers as well as reviews of government and private sector reports, the article zeros in four factors of concern to security professionals: the unintended side effects of the Internet of Things, support from companies manufacturing devices in the IoT, the aging of these devices, and the increasing use of wireless access points. The following take-aways are worthy of note:

  • With increased global connectivity, it’s unclear what’s being collected, who’s collecting it, and where it’s stored.
  • Globally, 53 percent of network-connected devices are aging, meaning vendor support is no longer available and increasing their vulnerability to compromise.
  • With the onset of the IoT, it’s critical can wireless devices are deployed properly and that the underlying network can support those devices.

Intelligent Infrastructure
Security Management, April 2015
Author: Holly Gilbert Stowell, Assistant Editor

A smart building turns the data collected from its sensors and equipment into actionable intelligence, giving operators one platform that controls everything from lighting to life safety systems. As a result, smart buildings are energy information systems that have diagnostic and performance monitoring feedback tools. Because corporate buildings account for 65 percent of electricity consumption in the United States, according to the EPA, smart building technology can save industries millions of dollars in energy costs. But smart buildings, and their web of wireless devices comprising the IoT, also introduce numerous cybersecurity concerns, including the following:

  • With the massive push to get IoT products to market, security is clearly an afterthought.
  • An enterprise will need to find a way to manage the “personal area networks” used by employees with the corporate network.
  • Integrating all the legacy systems in a smart building is a challenge, and efforts are being made globally to set standards to address cybersecurity concerns.

The article also includes a summary of the six themes in a Pew Research Center’s study, The Internet of Things Will Thrive by 2025.


Ediscovery and the Security Implications of the Internet of Things
Security Management Online, April 2015
www.securitymanagement.com
Author: Michele C.S. Lange

In a global study of business leaders, 96 percent said that they will be using the IoT “in some way” in the next three years. In a wired world, individuals leave digital fingerprints through personal devices as well as through interactions with establishments. The author contents that in the coming years, such IoT data trails will cause significant ediscovery and security issues for organizations. When IoT devices become the norm, legal and IT professionals will need to quickly address multiply concerns, including how IoT data can be gathered for litigation processing and review. The following points should be considered:

  • Determining whether IoT data is relevant to a lawsuit and if any privilege or privacy concerns exit will be a challenge.
  • The IoT explosion is driving backup and retention difficulties.
  • Companies will have to take a proactive stance on securing storage for their company’s IoT data needs.

The Significant Technology Expansion that’s About to Happen: IoT, Sensors, and Analytics
ASIS International Security Applied Sciences Ad Hoc Council, 2015
Author: Steve Surfaro, chair

As IoT begins to converge with sensors and analytics, the technology landscape is poised to change yet again. The author cites numerous examples of how IoT is being used in various industries, including health care, law enforcement, transportation, retail and public safety. To answer the question, why now, he points to three scalable improvements in each part of the IoT puzzle:

  • Analytics such as LPR and facial recognition run more effectively in cameras with more powerful processing.
  • IP cameras are more powerful, providing consistent processing and image quality to encode.
  • The sensor is no longer an edge, but more like a node in the IoT network linking consuming devices (such as smart phones and wearables) supported by infrastructure and stored in the cloud.

The continued growth in demand from subscribers for better voice, video, and mobile broadband experiences is encouraging the industry to look ahead at how networks and be readied to meet future capacity and performance demands. Nonetheless, device, network, and application security is critical to IoT’s adoption.


ASIS Members Only

Internet of Things Security Assessment—Frameworks, Skills, and Controversy
Seminar Session 4130, September 2015
Speaker: Jonathan Lampe, CISSP, Direct Supply Corporate Information Systems, Foundation and Architecture Team.

The speaker opened by describing what companies want from IoT. Among his points were that they learn how people use their products, they receive cues when people toss or trash their product, and they receive cues when people are ready to buy or add additional needs. He added, however, that there are no experts on IoT and that when companies realize the liability, IoT could become the security manager’s problem. He discussed current security skills that can be applied to IoT and added others that are still needed within the profession, including mapping skills to a body of knowledge. He presented the top ten list from the Open Web Application Security Project (OWASP) of IoT trends, then described whether each trend was a mature issue or an emerging concern. Among the latter were the following:

  • The U.S. Federal Trade Commission’s advice on privacy.
  • Insufficient security configuration of devices and the security of the data collected.
  • Poor physical security of devices when installed as well as the data.

When It Comes to Cyber and IoT, There’s Strength in Numbers
ASIS International Security Applied Sciences Ad Hoc Council, 2015
Author: Steve Surfaro, chair

An IoT device model, referenced in the article, defines the three aspects of IoT: the Thing itself (the device); the Local Network, wired or wireless, using Ethernet, Bluetooth, or other connectivity; and the Internet. The IoT in safety and security represents a networking paradigm where interconnected, smart sensors are powered, are protected, are continuously generating data, and are transmitting data over the Internet. The author defines eight layers that are needed to make the IoT sensor operational and secure. The following points are also emphasized:

  • The two most significant vulnerabilities of IoT devices are password attacks and identity spoofing.
  • To sustain the high performance, security demands, and increases in the numbers of IoT sensors and devices, improvements in the authentication process is necessary.
  • To encourage corporations to invest in security safeguards, they need to be convinced of the consequences of suffering a breach and the coverage available through cyber insurance.

Sources of Information on the Internet of Things
ASIS IRC Reference Guide

This comprehensive review of articles, papers, and recorded educational sessions on this topic available through ASIS International can assist security professionals as they develop, implement, and manage the complexities of today’s interconnected transactions.