Definition[edit | edit source]

An Internet of Things (ioT) device is

any object or device which connects to the Internet to automatically send and/or receive data.[1]
IoT Devices.png

Overview[edit | edit source]

IoT devices are an outcome of combining the worlds of information technology (IT) and operational technology (OT). Many IoT devices are the result of the convergence of cloud computing, mobile computing, embedded systems, big data, low-price hardware, and other technological advances. IoT devices can provide computing functionality, data storage, and network connectivity for equipment that previously lacked them, enabling new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting. IoT can also add the abilities to analyze data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events.

IoT devices are often called "smart" devices because they have sensors and complex data analysis programs (analytics). IoT devices collect data using sensors and offer services to the user based on the analyses of the data and according to user-defined parameters. For example, a smart refrigerator uses sensors (e.g., cameras) to inventory stored items and can alert the user when items run low based on image recognition analyses. Sophisticated IoT devices can "learn" by recognizing patterns in user preferences and historical use data. An IoT device can become "smarter" as its program adjusts to improve its prediction capability so as to enhance user experiences or utility.

IoT devices are connected to the internet: directly; through another IoT device; or both. Network connections are used for sharing information and interacting with users. The IoT creates linkages and connections between physical devices by incorporating software applications. IoT devices can enable users to access information or control devices from anywhere using a variety of internet-connected devices. For example, a smart doorbell and lock may allow a user to see and interact with the person at the door and unlock the door from anywhere using a smartphone.

IoT devices include:

Cybersecurity and privacy risks[edit | edit source]

There are three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices:

1. Many IoT devices interact with the physical world in ways conventional IT devices usually do not. The potential impact of some IoT devices making changes to physical systems and thus affecting the physical world needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience, and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.

2. Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. This can necessitate doing tasks manually for large numbers of IoT devices, expanding staff knowledge and tools to include a much wider variety of IoT device software, and addressing risks with manufacturers and other third parties having remote access or control over IoT devices.

3. The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available.

Cybersecurity and privacy risks for IoT devices can be thought of in terms of three high-level risk mitigation goals:

1. Protect device security. In other words, prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment. This goal applies to all IoT devices.

2. Protect data security. Protect the confidentiality, integrity, and/or availability of data (including personally identifiable information PII) collected by, stored on, processed by, or transmitted to or from the IoT device. This goal applies to each IoT device except those without any data that needs protection.

3. Protect individuals' privacy. Protect individuals' privacy impacted by PII processing beyond risks managed through device and data security protection. This goal applies to all IoT devices that process PII or that directly or indirectly impact individuals.

Each goal builds on the previous goal and does not replace it or negate the need for it. Meeting each of the risk mitigation goals involves addressing a set of risk mitigation areas. Each risk mitigation area defines an aspect of cybersecurity or privacy risk mitigation thought to be most significantly or unexpectedly affected for IoT by the risk considerations. For each risk mitigation area, there are one or more expectations organizations usually have for how conventional IT devices help mitigate cybersecurity and privacy risks for the area.

References[edit | edit source]

Sources[edit | edit source]

Community content is available under CC-BY-SA unless otherwise noted.