Depending on the source you consult, by 2020 the number of internet-connected devices worldwide could range from 26 billion (Gartner) to 50 billion (Cisco). At either end of the spectrum, the number is staggering. Clearly, marketplace forces such as increasingly available broadband internet, decreased cost of connecting, expanded use of the cloud, growing numbers of devices built with Wi-Fi capability and sensors, and the lowered cost of technology have combined to create the perfect environment for the Internet of Things (IoT).
The impact of IoT is already well underway. This latest and perhaps most ubiquitous technology trend, which Jim Tully, chief of research for IoT at Gartner, London, defines as “a network of physical objects that contain technology that allows those objects to sense and interact with their surroundings and interact with those surroundings for business benefit,” is an integral part of our lives (see “Examples of IoT” below). Its fans extol IoT’s convenience, speed, personalization, and ease of use. Businesses tout its cost savings, safety enablement, revenue generation, and data-gathering abilities.
However, some view the implications of IoT’s billions of connections and terabytes of data and know that the benefits, while substantial, have a dark side: security risks, loss of privacy, and a diminished capacity for people to control their own lives. Kenneth Mory, principal for Stronghold Solutions International and former city auditor for Austin, Texas, states, “The horizon risks that IoT introduces are orders of magnitude beyond those of the present. These new vulnerabilities have grave implications for IT security and cybersecurity.”
Internal auditors have distinct reasons to ponder what IoT means for their organization. They may be called on to offer advice to management on the benefits and potential competitive edge IoT can provide. However, they must also monitor the new risks it introduces and the compensating controls required. They cannot afford to assume that something once fixed stays fixed. Just as a high tide raises all boats, the rapid development cycle for IoT means an equally rapid evolution of risks. Internal auditors need to stay attuned to these changes and be prepared to keep their organizations apprised.
An Array of Risks
Examples of IoT
Many IoT devices are so well embedded in everyday, modern life that we may not realize they are there. But IoT abounds, as indicated by this small sample suggested by Jim Tully, chief of research for IoT at Gartner, London:
- Cars: Modules track a driver’s behavior — how he or she accelerates, takes the corners, stamps on the brakes. This information allows insurance companies to match the risk of individual drivers with their own specific premium. It can also enable insurance companies to offer “pay as you go” insurance, in which the premium is determined by the amount of time the car is driven or where it is — on a remote country road or in a big city at rush hour.
- Parking: Sensors monitor city streets and determine whether parking spots are being used. They then link to a mobile app that guides the driver to an available spot.
- Lighting: New lighting can track the location of people in buildings, providing safety benefits (ensuring their area is lighted) and cost savings (shutting off lights in unoccupied spaces).
- Toys: Some toys are equipped with cameras that can recognize the faces of individual children. They can then “learn” about those children and interact with them in a highly personalized way.
- Agriculture: Sensors in the fields track moisture and sunlight, suggest better use of irrigation, and even predict the timing of the harvest.
- Government: Many cities employ IoT-enabled “smart city” apps to handle tasks such as pollution monitoring and traffic management.
Few would likely disagree that IoT’s hyperconnectedness presents risks. There are, however, differences of opinion on the nature of those risks.
Some see the risks in fairly apocalyptic terms. They believe that when everyday activities are monitored and people output information on a near-continual basis, the level of profiling and targeting will grow, leading to increased social, economic, and political struggles. They suggest a need for ways people can disengage from the network, to stop sending and receiving data. Tully considers the disconnect options with some skepticism: “IoT is everywhere,” he says. “There’s no way to get away from a lot of it.”
However, other views of IoT-related risks are more pragmatic: financial loss affecting profitability (a hacker taps into a smart electric meter and steals energy), business interruption (due to a denial-of-service attack), loss of competitive advantage (attacks of any kind by a business rival), governmental upheaval (propaganda or hacktivism), and even loss of life (damage to pacemakers or equipment in hospital operating theaters). Mory points to another risk, loss of market share, which results when “the organization fails to adopt IoT and take advantage of the opportunities and benefits it can provide.”
Mory refers to the upside risk of IoT, a perspective that is sometimes overlooked in the very real concern about security and privacy. But there is a reason the IoT market is expanding rapidly, despite the inherent risk: It provides benefits that many individuals and businesses believe outweigh the associated risk. Customers appreciate the way IoT devices make their lives easier by anticipating and addressing their needs and preferences (e.g., constantly adjusting household temperature based on home conditions and homeowners’ schedules; brewing a cup of coffee to the individual’s precise taste, with the ability to monitor brew status remotely).
Businesses that use IoT devices in their own processes, or whose employees use IoT devices, may realize competitive advantage over less tech-savvy rivals, save money through device-generated efficiencies and real-time monitoring, enjoy more immediate and personalized engagement with customers, and reap increased return on their marketing investment through more effective and precisely targeted marketing messages. Companies that manufacture IoT devices are likely to see increased earnings due to customer demand and may even find opportunities to create new lines of business. And everyone, individuals and businesses alike, will benefit from the increased focus on cybersecurity — and resulting adoption of commonly accepted standards and business efforts to earn consumer trust — that IoT devices generate.
Whether the risk is upside or downside, it is a pragmatic issue that presents internal audit an active playing field in which to identify, assess, and mitigate risk. But internal audit cannot serve as the lone outpost on risk. Other areas must engage as well. However, Steven Babb, director and independent consultant at Newton Leys Consulting Ltd., Berkshire, U.K., says that management may not be fully aware of the risk — possibly because it is not articulated in business terms — and that policy has not caught up to define IoT usage. “IoT is typically wrapped up as part of cybersecurity, which is getting increased management exposure, but more still can be done,” he says. “Also, IoT covers areas that are typically not under the remit today of information security departments.”
Corbin Del Carlo, director, internal audit, IT security and infrastructure at Discover in Riverwoods, Ill., points to another group that needs to engage in management of IoT risks: software developers (programmers). “A lot of programmers have always dealt with closed systems,” he says. “They may not be aware of what connectedness implies. As the third line of defense, auditors need to talk to them and make them aware of the risk.”
Bringing Risks to Light
For Babb, internal audit’s role in IoT is “all about visibility and risk — helping risk management teams highlight that the risk is real, quantify the exposure, and bring it to management’s attention,” he says.
Del Carlo echoes that focus. “We have to challenge threat vectors,” he explains. “We have to be willing to offer suggestions of things that could be done to improve security. We have to be willing to ask questions about vendor-driven threats.” Del Carlo adds that vendors likely are not manufacturing the devices they produce alone. He questions whether vendors know who is making the parts they rely on in their supply chain. “Are they testing those parts to ensure they are up to our security specifications?” he asks.
Peter Rhys Jenkins, Worldwide Watson IoT architect, IBM, in Dartmouth, Mass., reinforces the need for security throughout the manufacturing process. “I want my refrigerator to be every bit as secure as a government device,” he says.
Organizations that implement IoT devices should have a strategy for their deployment. M. J. Vaidya, principal, EY, Atlanta, notes that although the internal audit function may not participate in defining that strategy, “It is a critical ingredient in ensuring the strategy is implemented in a good way, from a risk management perspective.”
A productive first step for internal auditors to address IoT is to conduct a risk assessment of the IoT in use in their organization. The risks will vary from one company to the next, depending on the type of IoT systems present and the business process they support. Once the risks are identified, internal audit can ensure that mitigating controls are in place and operating effectively, always keeping in mind the context in which the IoT systems function.
When examining context, it’s important to remember that nothing exists in a vacuum. Del Carlo recalls an incident from the 2015 Black Hat USA Conference, during which hackers assumed the challenge of remotely taking over the controls of an internet-connected vehicle. Their approach was relatively simple. The vehicle manufacturer had not implemented password protection on the internet-facing aspect of the car’s radio. “The designers felt there was nothing sensitive in the radio, so there was no need to protect it,” Del Carlo explains. “And they were right about the radio alone. But that point of entry was the gateway to the rest of the car.” Context is everything.
Areas of Engagement
Taking on the risks associated with IoT is a massive challenge that depends on teamwork across the organization. However, in the spirit of even the longest journey beginning with a single step, there are several initial activities in which internal audit can engage.
Look for a Policy
When addressing security-related issues within an enterprise, one of the first steps is to determine whether a policy exists and is up to date. While few organizations appear to have an IoT-specific policy at this point, many reference the topic through their “bring your own device” (BYOD) policy. Babb explains that most BYOD policies cover only a small subset of devices that fall under the IoT banner. He adds, “Many of the devices will be brought in by staff, but equally many will be purchased by the organization and used. Of these, many will fall outside the remit of IT and security, so the risks emanating from them may be hidden.”
Mory adds that although his previous employer, the City of Austin, had no umbrella policy to deal with IoT, there were policies to address the use of flash, portable drives, and other portable devices such as phones and laptops.
IoT security shortcomings present an opportunity for internal audit to play a significant role by working with the cybersecurity team, IT, legal, and the privacy function to advise on the development of an IoT policy. Existing policies relating to passwords, patching, and system monitoring will need to be revised to place IoT clearly within their scope. New or updated policies may be required around network segmentation and access control. Approved devices and uses must be spelled out, and the implications clearly identified not only for employees, but also for business partners, suppliers, and customers who have connections to the company’s network.
Check Inventory
Enforcing an IoT policy is difficult without a clear understanding of the number and types of IoT devices present within the organization. Babb and Mory agree that inventories, if they exist, are likely to be incomplete or siloed, as opposed to presenting a comprehensive view. Some inventories may cover devices the organization has purchased, but fail to mention the consumer devices brought in by employees.
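One way an auditor can test whether siloed inventories add up to a comprehensive view is to reconcile them against what is actually observed on the corporate network. The script below is an added example, not part of the article or any vendor's tooling; the asset register, BYOD register and DHCP lease records are constructed sample data, and the VLAN name "corp" is an assumption. It flags devices seen on the corporate network that appear in no register, employee-owned devices that are on the corporate rather than the guest network, and registered assets that were never observed.

```python
"""Reconcile siloed IoT inventories against devices observed on the network.

Added example (not from the article): all registers and lease records below
are constructed sample data.
"""

# Constructed: what IT's asset register knows (devices the organization purchased).
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": {"name": "lobby-camera-1", "owner": "facilities"},
    "aa:bb:cc:00:00:02": {"name": "hvac-controller", "owner": "facilities"},
    "aa:bb:cc:00:00:03": {"name": "printer-3f", "owner": "IT"},
}

# Constructed: employee-owned devices registered under the BYOD programme.
BYOD_REGISTER = {
    "aa:bb:cc:00:00:10": {"name": "j.doe-phone", "owner": "j.doe"},
}

# Constructed: DHCP leases observed across the corporate and guest VLANs.
DHCP_LEASES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.11", "vlan": "corp"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.12", "vlan": "corp"},
    {"mac": "aa:bb:cc:00:00:10", "ip": "10.0.1.40", "vlan": "corp"},   # BYOD device on corp VLAN
    {"mac": "aa:bb:cc:00:00:77", "ip": "10.0.1.99", "vlan": "corp"},   # appears in no register
    {"mac": "aa:bb:cc:00:00:78", "ip": "10.0.9.5", "vlan": "guest"},   # guest VLAN: expected, ignored
]


def reconcile(asset_register, byod_register, leases, corp_vlan="corp"):
    """Return three audit findings as sorted lists of MAC addresses.

    unknown_on_corp     - seen on the corporate VLAN, present in no register
    byod_on_corp        - employee-owned devices that reached the corporate VLAN
    registered_not_seen - registered assets never observed (decommissioned, or
                          the register is stale)
    """
    seen = {lease["mac"] for lease in leases if lease["vlan"] == corp_vlan}
    unknown = sorted(m for m in seen if m not in asset_register and m not in byod_register)
    byod_on_corp = sorted(m for m in seen if m in byod_register)
    never_seen = sorted(m for m in asset_register if m not in seen)
    return {
        "unknown_on_corp": unknown,
        "byod_on_corp": byod_on_corp,
        "registered_not_seen": never_seen,
    }


if __name__ == "__main__":
    findings = reconcile(ASSET_REGISTER, BYOD_REGISTER, DHCP_LEASES)
    for finding, macs in findings.items():
        print(f"{finding}: {len(macs)} device(s) {macs}")
```

In practice the three inputs would be exported from the asset management system, the BYOD enrolment tool and the DHCP or NAC logs; the value of the exercise is the gap between them, which is exactly the "incomplete or siloed" problem Babb and Mory describe.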
Once the inventory provides the needed information, appropriate controls can be put into place. Del Carlo’s company, Discover, places a priority on protecting its network. “We have a general ban against noncompany devices,” he says. “We won’t allow them onto our network. We provide a ‘guest’ network people can use to connect those devices; all they can get is the internet.” Discover also installs virtualization software on the phones it provides to segment the data, and it has a stringent perimeter defense system. Laptops are encrypted and the data can be wiped remotely. Even then, Del Carlo notes, “Every day these controls block hundreds of exploits from attackers of various sophistication levels. But without constant vigilance against the onslaught, it is unlikely any organization could stop every single attack.”
Educate Management
Regardless of management’s degree of awareness about IoT risks at this moment, there seems to be consensus that some additional education would be useful. Mory says that some management is aware of the general concepts behind IoT, but lacks a core understanding of the opportunities and threats it presents. In his view, internal audit has a clear role to play in helping management understand and manage the risks.
Vaidya agrees that education is important, “from the board level to the tactical level and across not just IT, not just executives, not just product development, not just manufacturing, but across the business.”
Review Security
Jenkins lists some basic but necessary steps auditors can test after implementation. “With regard to provisioning, when a new device joins the cloud for the first time, make sure the mechanism used to connect is encrypted,” Jenkins says. He also advises verifying that the cloud itself is secured, password hashes are stored away from other related identification, and data coming from and to devices is encrypted. Jenkins adds: “Over-the-air firmware updates are necessary to keep equipment up to date. Make sure that process is done securely.”
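Jenkins' last point, that over-the-air updates be done securely, comes down to a few concrete checks a device must perform before it flashes a new image: the update manifest carries a valid signature, the image matches the digest in that signed manifest, and the version is newer than what is installed (so an attacker cannot push an old, vulnerable build). The code below is an added example, not the article's or any manufacturer's implementation. For an offline demonstration it uses HMAC-SHA256 with a shared key in place of the asymmetric signature (ECDSA or Ed25519 over the manifest) a production pipeline would use; the order and meaning of the checks are the same. The image bytes, manifest fields and key are constructed sample values.

```python
"""Verify an over-the-air firmware update before applying it.

Added example (not the article's or any vendor's code). HMAC-SHA256 stands in
for the asymmetric signature a real OTA pipeline would use; the key, image and
manifest below are constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed: update-verification key provisioned into the device at manufacture.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so producer and device sign/verify identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image: bytes, version: int, key: bytes) -> dict:
    """Producer side: describe the image (version, size, digest) and sign that description."""
    body = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_update(manifest: dict, image: bytes, installed_version: int, key: bytes):
    """Device side: return (ok, reason).

    Check order matters: the signature is verified first so that nothing in an
    unsigned manifest (size, digest, version) is trusted before it is authenticated.
    """
    body = {k: v for k, v in manifest.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("sig", ""))):
        return False, "manifest signature invalid"
    if manifest["size"] != len(image) or hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image does not match signed manifest"
    if manifest["version"] <= installed_version:
        return False, "rollback to version <= installed rejected"
    return True, "update accepted"


# Constructed sample update: version 2 replacing an installed version 1.
FIRMWARE_V2 = b"constructed firmware image v2"
MANIFEST_V2 = build_manifest(FIRMWARE_V2, 2, SIGNING_KEY)

if __name__ == "__main__":
    print(verify_update(MANIFEST_V2, FIRMWARE_V2, 1, SIGNING_KEY))          # accepted
    print(verify_update(MANIFEST_V2, FIRMWARE_V2 + b"\x00", 1, SIGNING_KEY))  # image tampered
    print(verify_update(MANIFEST_V2, FIRMWARE_V2, 2, SIGNING_KEY))          # rollback refused
```

An auditor reviewing a vendor's update process can ask for evidence of each of these three checks, plus how the verification key is protected on the device and how the signing key is protected at the vendor; if any check is missing, the "secure" in secure OTA is not yet earned.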
Getting a Handle on IoT
It seems impossible to discuss IoT for any length of time without landing back at a mention of risks. But Tully points out that quite a few IoT devices are deployed for safety. They exist to reduce risk. “Take structural sensors in bridges, for example,” he notes. “These sensors warn of excessive loads and stresses — they are linked to traffic control systems that will stop traffic entering the bridge. Internet-connected carbon monoxide detectors and smoke detectors are similar. They are deployed directly for risk reduction.”
But most in the internal audit and information security fields might argue that it’s not the purpose of the device that worries them — it’s the connectedness and the near-certain impossibility of completely securing an organization, its assets, or the people who use the systems. Del Carlo agrees, but he won’t stop trying to lock it down. “There’s a saying that you can’t make anything foolproof because fools are so ingenious,” he says. “But we can’t just give up. I work for a bank. We are where the money is — literally. We have to maintain the highest possible level of security.”
IoT offers internal auditors an opportunity to serve in a role they don’t often get to inhabit: advocate. They can stand up for individual and enterprise users of IoT devices. “Installing security inside IoT devices is difficult and time-consuming, but necessary,” Jenkins says. “The companies that manufacture the devices say they are doing it, and doing it well. But, are they? Internal auditors need to make them prove it.”