Connected devices increasingly create a cybersecurity stress for businesses of all sizes across all industry types. Attempting to try to secure data environments increasingly requires establishing cybersecurity frameworks for Internet of Things (IoT) devices. In an attempt to ease the burden of data environment information security, the National Institute of Standards and Technology (NIST) issued a call for papers on April 18, 2018 for the creation of data security standards over IoT devices.

Internet of Things Risk Management

What is the Internet of Things?

Any device has an ability to connect to the internet or another device fall under the broad definition of Internet of Things (IoT). If you’re using a smart home device in your house, like lights that you can control through your smartphone? That’s an IoT device. Those Bluetooth headphones you love so much? IoT. That oil and gas real-time monitoring of pipelines? IoT.

Today, IoT drives efficiency. People protect their homes with security systems they can monitor from their phones. Businesses are easing data monitoring burdens by incorporating productivity tools. Manufacturers are streamlining their processes by enabling their Supervisory Control and Data Acquisition (SCADA) systems.

What are the security risks of using IoT devices?

People control computers. We can turn them on and off making sure that we protect their security when we’re not around. However, the IoT environment exists specifically to help automate activities so that we interact less with devices and engage with more information.

For example, in the healthcare industry, pacemakers equipped with IoT capabilities allow doctors to better monitor hearts. In your home, you’re connecting your doorbells to security cameras, to your smartphone.

Unfortunately, the same sensors that collect and communicate data bring with them a risk. When you share information between devices connected across your internal networks, you have firewalls, passwords, and encryption that protects the information. The sensors and connections between Bluetooth enabled devices, however, can’t handle the same kinds of protection that larger devices can.

What is a Bluetooth connection?

Bluetooth connections are short-distance, low-frequency radio wave signals that use little power. They connect devices to one another, usually within a 30-foot range. However, despite the connectivity of the anchored device to the internet, the Bluetooth connection is not always a network-enabled device.

For example, headphones can connect to a smartphone that connects to the internet, but they need the primary anchored device to reach the internet. Meanwhile, a smartwatch may have a cellular connection capability as well as a Bluetooth capability. In that case, the IoT device connects to both the anchored device (a smartphone) as well as the cellular data on the internet.

In the security realm, the Bluetooth connection is called “lightweight.” Because of the low radio frequency and low power consumption, they have little “weight” in terms of overall ability. They act as a tethering device and, often, can’t integrate independently.

What are the biggest IoT risks?

Since Bluetooth enabled and IoT devices connect in a variety of ways, they also create a variety of security concerns. The five predominant security gaps for establishing a risk management process include:

Authentication

When you connect your laptop to a network-based service, you usually try to incorporate a username and password. Moreover, if you’re really focused on security, you’re hopefully including multi-factor authentication which involves using either a device that provides another code or a biometric like a fingerprint.
Bluetooth connections create a unique “address” similar to an IP address. However, since you can’t put a password over that connection like you can with a router, the device doesn’t provide a high level of authentication.

Confidentiality

Since the connection between the devices isn’t secured by an authentication method, the information transmitted between the two may not remain confidential. In many ways, this problem is similar to the “public wifi” connection problem. Since there’s no password and no encryption, the information passing back and forth can be easily intercepted.

Authorization

Bluetooth connections do not have the complexity to protect the devices from unauthorized users and programs. In traditional networking, you can control the data that individual users can access. However, since Bluetooth devices don’t allow you to create passwords and usernames, you also can’t define by the user what data they can access.

Integrity

Since you can’t authenticate the users or set authorizations, you can’t ensure that only the right people are accessing the information going across the Bluetooth connection. In other words, anyone can get in between the devices to intercept the information traveling from the Bluetooth device to whatever else it is connecting to.

Pairing

Pairing the Bluetooth IoT device with a smartphone, tablet, or computer requires you to establish an information sharing connection between them. If you leave the primary device open to a Bluetooth connection for your IoT connections, other devices searching for “Bluetooth” connectivity can see yours as well which gives malicious actors an opportunity to connect to your primary device.

What is the goal of NIST’s “Lightweight Cryptography” project?

IoT devices range in price and sophistication. An IoT syringe for disseminating pain medication needs a different level of security from headphones that connect to an MP3 player. If someone hacks into the pain medication IoT syringe, they can not only steal health data but overdose a patient. Someone hacking into an MP3 player steals payment card information or other personal data but might not necessarily kill a person.

However, NIST recognizes the importance of creating standards to protect all devices. As part of its standardization goal, NIST spent four years consulting with industry groups that include smart power grid experts and car manufacturers.
The current draft of the NIST Lightweight Cryptography Standardization Process focuses on minimum requirements that include authentication encryption with associated data (AEAD) focusing on coding that helps prevent brute-force attacks against the devices. Additionally, the project focuses on ensuring that solutions maintain low energy, low power, and rapid speed.

How ZenGRC Enables NIST Compliance

ZenGRC provides an easy-to-use solution that allows compliance managers to stay up-to-date on changes in the information technology compliance area. The built-in seed content includes NIST 800-53 and all its 1,000 objectives.

When the standards change, we change with them. Instead of having to constantly seek out information to update your compliance stance, we provide a single-source-of-truth that provides updates to standards and regulations ensuring that you remain continuously compliant despite the constantly evolving state of the cybersecurity industry.

For more information about how ZenGRC enables continuous compliance, contact us for a demo.

NIST 800-53 and FedRAMP act as the peanut butter and jelly of governmental compliance fundamentals. While NIST 800-53 sets out prescriptive controls for data integrity, FedRAMP offers the complimentary controls for cloud service providers (CSP). This means that for any organization trying to be fully compliant for government work, understanding how NIST 800-53 and FedRAMP are integrated is an important part of the compliance stance.

Why Do I Care About NIST 800-53?

If you plan to work with government agencies, you should care about NIST 800-53. The Federal Information Security Act of 2002 (FISMA) requires agencies to develop, document, and implement programs to protect information. FISMA not only applies to agency assets, but also to those provided or managed by another agency, contractor, or other source.

In other words, that awesome government contract you want? Chances are it’s going to require FISMA compliance.

NIST 800-53 offers prescriptive requirements to help you meet these compliance needs. This is distinct from using the NIST Cybersecurity Framework as your compliance foundation.

What Does NIST 800-53 Require?

NIST 800-53 offers guidance for creating privacy and security policies and controls. At the highest level, the standard gives you a road map for creating IT asset assessments based on risk tolerance.

In building an effective assessment plan, NIST 800-53 defines ten specific key activities. At the most basic level, they want you to create policies, establish oversight, ensure communication, define controls, create time frames, select audit/assessor teams, and store documentation.

This is one of the places where GRC automation is most effective. When you break down communication silos, you more easily share information and documentation between internal stakeholders. In addition, when you have a single location for storing documentation of your controls and policies, your oversight requirement is easier.

Where Does FedRAMP Fit In?

FedRAMP helps you implement the NIST 800-53 in relation to cloud service providers (CSP). NIST 800-53 requires your organization to take into account system/platform and organization-related considerations.

Often, organizations hire third party service providers, such as CSPs. This means that you may not have direct control over the security or privacy controls used in those external systems, and you have to review them differently. Under “3.2.3 Tailor assessment procedures”, NIST 800-53 allows you to tailor the assessment procedures listed in Appendices F and J to meet these kinds of needs.

When tailoring your review, you can use FedRAMP to meet those goals.

What are FedRAMP’s three main principles?

FedRAMP focuses on creating a risk tolerance model to review your CSP’s ability to keep information secure. The three tenets of managing information systems are reviewing confidentiality, integrity, and availability of data transmitted, processed, or stored by the information system.

FedRAMP offers you a way to focus your CSP risk within the boundaries of the NIST 800-53. For example, FedRAMP lists three risk levels: low, medium, and high.

These levels are based on how a security compromise would impact business activities, damage assets, and result in financial loss and harm to others. For example, a low risk associated with a cybersecurity event might involve access to a draft of this blog post as part of an event that compromises a Google Drive account that only contains random blog post drafts. The worst that can happen is erasure of a few hours of work. A medium risk might involve an attack on the WordPress hosting site, in which a year’s worth of posts get changed to the wrong information but no identifying user data gets compromised. A high risk event might be taking down the entire corporate site for several days.

As you think about your risk levels for all of your different assets, remember that different business areas may have different risks.

How do you use FedRAMP to determine risk?

FedRAMP has a two step process to determine the risk. First you need to determine what type of service provider you have. To do this, FedRAMP offers the following chart:

Platform as a Service (PaaS) and Software as a Service (SaaS) are considered “major applications,” so they require a higher level of scrutiny. Meanwhile, Infrastructure as a Service (IaaS) is a “general support system.” When you apply this determination within your NIST Target Profile, think about your reliance on the CSP. If you heavily rely on your CSP for daily business activities, your risk is highly integrated with that of your CSP.

Let’s go back to the example above. Blog content can easily be replicated, though the information is valuable in terms of time spent researching and writing. If the CSP has a cyber event, there will be an inconvenience, but little harm is done. However, if consumer data is located in that cloud drive as well, then the risk is higher for everyone.

In addition, FedRAMP provides ways to review the risk associated with the deployment of the services. These can be public, private, for government community only, or hybrid. By understanding your CSP’s audience, you can understand their approach to security as well.

How to automate NIST 800-53 and FedRAMP for successful FISMA compliance

When reviewing CSPs, controlling user access is the first line of defense. This means that you need to constantly monitor who has access to what systems.

When you automate NIST 800-53 and FedRAMP to meet FISMA compliance requirements, you create a smoother process to keep these authorizations updated. With a larger organization, keeping track of the different individuals who have access becomes more complicated. Having a single location where all the user authorizations are documented makes it easier to incorporate the appropriate oversight.

In addition, since the authorizations listed in your FedRAMP analysis will likely overlap with your NIST analysis, automating the documentation process not only saves time but keeps information consistent.

Incorporating a CSP into your business activities means adjusting your NIST 800-53 evaluation. In doing this, you will need more documentation to satisfy requirements. By using an automated GRC tool, you can strengthen your compliance stance more easily. When you automate NIST 800-53 and FedRAMP for successful FISMA compliance, the end results are better audit outcomes and greater client confidence.

To better understand how ZenGRC automation can help you navigate your FedRAMP and NIST risk, read our eBook Compliance Management Best Practices: When Will Excel Crush You?

Preparing for a NIST Audit: A Step-by-Step Guide

How Connected Data is Transforming Risk Management