EY Cybersecurity and The Internet of Things PDF

Download as pdf or txt
Download as pdf or txt
You are on page 1of 15

Insights on

governance, risk
and compliance

March 2015

Cybersecurity
and the
Internet of Things
Introduction

The growth and spread of connected


digital technology
Contents Rapid technological change has resulted in many aspects of our lives being
connected and affected by digital communications. Mobility, digital business
With billions of people connected to the internet today, and the number of connected models, smart energy
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 devices to exceed 50 billion by the year 2020, the Internet of Things (IoT) represents infrastructures and the
What is the Internet of Things? . . . . . . . . . . . . . 2 a major transformation in a digital world that has the potential to affect everyone and
every business. adoption of cutting-
The rise of the cyber threat . . . . . . . . . . . . . . . 10 edge technologies for
IoT can be defined as physical objects that connect to the internet through embedded
The multiplying effect of todays systems and sensors, interacting with it to generate meaningful results and convenience transportation, consumer
cybersecurity challenges . . . . . . . . . . . . . . . . . 13 to the end-user community. The IoT will help to enable an environment with the flexibility
to provide services of all sorts, ranging from home automation to smart retail/logistics,
goods and services are
So how can organizations get ahead and from smart environmental monitoring to smart city services. transforming cybersecurity
of cybercrime? . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
In a very short time, the IoT will have sensing, analytics and visualization tools, which concerns. From the back
How can EY help? . . . . . . . . . . . . . . . . . . . . . . . . . 20 can be accessed by anyone, anytime and anywhere in the world on a personal, office to the forefront
community or a national level. The potential for it to enable any aspect of our lives is
Conclusion . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . 23 of service quality and
what is encouraging this idea to become established and flourish.

However, the real change is not that machines are talking to each other, but that business development,
people are talking more and more through machines the IoT is actually the medium security is now embedded
of interconnection for people and because human communication is mediated by
machines and is more and more indirect, there is a deeply rooted security problem with in the core strategies of a
the possibility of impersonation, identity theft, hacking and, in general, cyber threats. leading business.
The IoT will increasingly rely on cloud computing, and smart devices with sensors built
in, along with thousands (if not millions) of applications to support them. The problem
is that the truly integrated environments needed to support this connected technology
do not exist, and cloud computing is in need of serious improvement, especially in terms
of security.

There is no single object that can be described as the IoT infrastructure there are
many disparate and uneven networks. Because of the increasing stresses on these
networks, due to the demands of the data that needs to be supported, many technical
areas will need to be redesigned. Additionally, the number of connected devices
in circulation being used for the vast amount of interactions has created further
challenges in data privacy, data protection, safety, governance and trust.

Taking all of these factors into consideration, we see both opportunities and challenges
which require close attention and, in particular, the need for a comprehensive
strategic approach to cybersecurity. This report highlights why being in a proactive
position to anticipate and mitigate cyber threat is one of todays most important
business objectives.

Cybersecurity and the Internet of Things | 1


What is the Internet
of Things?

IoT is a future-facing development of the internet wherein objects and systems are
The Internet of Things is embedded with sensors and computing power, with the intention of being able to The cloud provides a
the network of physical
communicate with each other. Although the original concept of IoT puts excessive IoT is not new platform for IoT to flourish,
emphasis on machine-to-machine communications, the real change underlying this
objects that contains is the diversification of people-to-people communications in an increasingly indirect Although IoT is a hot topic today, its not a new concept. The phrase Internet of however, there are still
way. Machines may eventually be able to communicate, but so far this phenomenon is Things was coined by Kevin Ashton in 1999; the concept was relatively simple,
embedded technologies neither universal nor covers all types of networks; even when machines can connect to but powerful. many challenges. With the
to communicate and each other, the fact is that they will remain as instruments of human communications. plethora of data that they
sense or interact with The ever-increasing networking capabilities of machines and everyday devices used If we had computers that knew everything there was will hold, storage servers
their internal states or the in the home, office equipment, mobile and wearable technologies, vehicles, entire to know about things using data they gathered will have to be updated
factories and supply chains, and even urban infrastructure, open up a huge playing field
external environment. of opportunities for business improvement and customer satisfaction. without any help from us we would be able to track and secured all the time.
The Internet of Things, Gartner IT. (n.d.). Retrieved from and count everything, and greatly reduce waste,
Most IoT devices will use sensor-based technologies, in which the sensors will identify
http://www.gartner.com/it-glossary/internet-of-things
or measure any change in position, location, etc.; these sensors will transmit data loss and cost. We would know when things needed
to a particular device or server, which in turn will analyze the data to generate the replacing, repairing or recalling, and whether they
information for the user. In business terms, the sensors will also act as data gatherers; were fresh or past their best. The Internet of Things
cloud computing will be a platform for storing and analyzing the data, and Big Data
analytics will convert this raw data to knowledge or insights. has the potential to change the world, just as the
Internet did. Maybe even more so.
Business models for the employment of IoT may vary for every organization, depending
Kevin Ashton, That Internet of Things Thing, RFID Journal, July 22, 1999
upon whether it is handling the core operations, manufacturing or the services/
technologies. The retail and merchandizing sector, for example, could benefit from IoT
innovations in the future: if a new customer enters a shoe shop, his or her shoe size
could be measured by the measurement sensors; data could be sent over the cloud However, in 1999, there were still more questions than answers to IoT concepts:
about availability of stock; the inventory could then be replenished based on real-time How do we connect everything on the planet?
analytics and forecasted trends. Other examples for the same retail outlet could be
parking sensors, motion sensors, environmental sensors, door sensors that measure What type of wireless communications could be built into devices?
footfall, and mobile payment services. W
hat changes would be needed to support billions of new devices
communicating constantly?
The network of people and things W
hat would power these devices?
W
hat must be developed to make the solutions cost-effective?

2015 enabling technologies driving the successful growth of IoT


The size and cost of wireless radios has dropped tremendously.
IPv6 makes it possible to assign a communications address to billions of devices.
Electronics companies are building Wi-Fi and cellular wireless connectivity into a
wide range of devices (e.g., billions of wireless chips).
Mobile data coverage has improved significantly with many networks offering
The network of networks is the full-blown internet of people and things, where every broadband speeds.
machine-to-machine connection is actually mediated human interaction. These networks are
simultaneously networks of collaboration, but also networks of opposition and threat: there is Battery technology has improved significantly, and solar recharging has been
no inside or outside in this discontinuous, porous space. built into numerous devices.

2 | Cybersecurity and the Internet of Things Cybersecurity and the Internet of Things | 3
Now that we have entered What opportunities does IoT offer? The ever-expanding IoT world
the era of coordination IoT is leading change within the digital landscape and its fast becoming the IoT is already integrated across several areas where technology adoption is accelerating.
of machine-to-machine, must-have element of business technology. Some of the primary forces driving the
The key areas of leading IoT integration are:
adoption of IoT are:
people-to-machine New business opportunities
and people-to-people,
connections have become
The web of connected devices, people and data will provide business opportunities
to many sectors. Organizations will be able to use IoT data to gain a better Smart life Smart mobility
understanding of their customers requirements and can improve processes, such as Innovative, state-of-the-art technology aims to make life Real-time route management and solutions aim to make
much easier. supply chain/inventory coordination, investments and public safety. simpler and safer for the consumer. Smart life includes: travel more enjoyable and transportation more reliable.
Potential for business revenue growth Health care a new patient-centric model is emerging Smart mobility includes:
There are multiple untapped opportunities for economic impact by finding creative Autonomous driving and the connected car
Consumer and retail businesses the age of the
ways to deploy IoT technology to drive top-line revenue growth and value creation
empowered customer and co-creator Urban mobility smart traffic management
through expense reduction and by improving asset productivity.
Banking convergence new models for banking and Interurban mobility connecting across the transport
Improved decision-making
finance networks
Personal computing smart devices are on the rise, leading to wider choice, real-time
updates, enhanced facilities, more accurate fact finding, etc. and thus leading to Insurance moving from statistics to individual fact- Fare management and payment solutions
more informed decision-making. based policies
Distribution and logistics
Cost reductions Public services driving efficiency and convenience for
Fleet management
The costs of IoT components, such as cloud services, sensors, GPS devices and governments and citizens
microchips, have fallen, meaning that the cost of IoT-linked devices is getting more
affordable day by day.
Safety and security
With the help of cameras and sensors, there is the possibility to guard against, or
Smart city Smart manufacturing
avoid, physical threats, which might occur at the workplace or home. In time, even Innovations will aim to improve the quality of life in cities, Factory and logistics solutions will be created specifically
disaster management or recovery systems will get help from IoT. encompassing security issues and energy resourcefulness. to optimize processes, controls and quality. Smart
Smart city includes: manufacturing includes:
Improved citizen experience
The citizen experience could improve considerably due to ease of access, ease of Smarter management of city infrastructure using Big Machine learning intelligent, automated decision-
living and ease of communicating. Think of an example where a citizen can pay his Data analytics making
or her taxes remotely, watch his or her parking space from the office, shut down or Collaboration across multiple and disparate agencies Machine communications more interaction and
communicate with gadgets or machines at home, and even proactively monitor his or using cloud technologies collaboration
her health.
Real-time data collection, enabling quick response Networking networked control and management of
Improved infrastructure. using mobile technologies manufacturing equipment
IoT could help to turn infrastructure into a living organism, especially when major
megacities transform into smart cities. Large population inflow in urban areas and
Enhanced security improved public safety and law Optimized processes rapid prototyping and
enforcement, and more efficient emergency response manufacturing, improved processes and more efficient
depleted non-renewable energy sources are making resource management a challenge,
supply chain operations
but intelligent infrastructure and interconnected networks are starting to provide Better city planning improved schematics, project
solutions with concepts, such as smart grid, smart waste management, smart traffic management and delivery Proactive asset management via preventive diagnostics
control, smart utilities and sustainable city. Microcomputer-enabled automated citizen and maintenance
Networked utilities smart metering and grid
services will also make future smart cities more secure and more efficient.
management Better infrastructure integration overcoming the
interface standards conundrum
Building developments more automation, and better
management and security

4 | Cybersecurity and the Internet of Things Cybersecurity and the Internet of Things | 5
Economic benefits of IoT IoT will affect different business sectors According to industry
Just like any other market where demand is directly proportional to the supply, IoT also in different ways estimates, machine-to-
has a similar economy, with the potential for trillions of dollars of value waiting to be machine communications
created for both the end users and public and private sector enterprises. Key sectors , such as health care, education, financial, retail, communications,
hospitality, industry, transportation and agriculture, are already enriched by internet- alone will generate
With the growth of IoT, many IT technologies will grow in parallel. For example, cloud
computing and Big Data markets give IoT a platform from which to grow and evolve.
based technology, and further advancements will make other key economic sectors part
approximately US$900
of the digital connectivity landscape.
billion in revenues by 2020.
IoT will offer opportunities for companies which are manufacturing IoT goods, and also In the past decade, the health care sector has been one of the biggest beneficiaries
for those companies which are providing services related to IoT. The manufacturers from IoT. Although by no means universal, future solutions may become available such as:
of smart devices, sensors or actuators, and the application developers, marketing Personal information that could tell medics not only about individuals medical history,
strategists, analytic companies and internet service providers (ISPs) will all profit from but also about potential diseases
the evolution of IoT. According to industry estimates, machine-to-machine (M2M)
communications alone will generate approximately US$900 billion in revenues by 2020. Sensors and microcomputers fitted in the human body that could monitor health
conditions and even alarm emergency services in case of any distress
The market is currently focusing on the vertical domains of IoT since it is in relatively
early phases of development. But IoT cannot be treated as a single thing, or single
Similar technology could make living ambience more suitable to an individuals
medical requirements
platform, or even a single technology. In order to achieve the expected rapid growth
from IoT opportunities, more focus needs to be put on interfaces, platforms, mobile Highly automated devices and processes could help to increase critical treatments
applications and common/dominant standards. efficiency with a limited human interface
IoT in the education sector has already started to make the conventional education
system more automated interactive smart classrooms are helping students learn and
participate more, whilst automatic attendance and various student tracking systems
IoT policy framework: developing economies perspective could help to make schools more secure. Internet-enabled remote classrooms will be a
milestone for developing countries, making deep penetration in areas where setting up
a traditional school infrastructure is not possible.
India is planning to invest approximately US$11 billion Internet of Things
for developing 100 smart cities. A draftpolicy Internet-enabled manufacturing and industrial units are giving differentiating results,
framework document of IoT was released in October making them safer and more efficient through automated process controls. Plant and
2014 by the Indian government, which p  roposed the energy optimization, health and safety control and security management are now
Standards
following model. increasingly being provided by advanced sensors, networked with sophisticated
Incentives R&D and Capacity
Demonstration
Human microcomputers.
The two horizontal pillars are standards and and innovations building and
center
resource
engagement incubation development
governance structure, which are defined as the two Financial services are already leveraging the internet for many of their services.
governing forces. The future of IoT can b  e said to be Governance structure Exponential improvement in digital infrastructure and the next generation of IoT-
dependent on these two as the former will define the enabled products could further lead the growth of the financial sector, with innovations,
standards for communication,safety, privacy and such as smart wearable and smart monitoring devices, helping customers to keep better
security, whereas the latter will define the formation, track of their money and investments.
Supported by ve pillars
control and power of thegovernment agencies.
Source: Department of Electronics and Information Technology, G
 overnment of India
Telcos could face a surge in data usage due to IoT-enabled devices, thus raising their
ARPU (average revenue per user), while on the other hand, they will also have to deal
with some concerns, such as privacy and infrastructure security.

6 | Cybersecurity and the Internet of Things Cybersecurity and the Internet of Things | 7
Focus

The connected car


The connected car is just one way in which IoT is going to impact our lives significantly (and very visibly) in the near future.
Here, we address the security requirements of the connected car platform and its environment, but the approach is relevant
for all IoT-related innovations.

Connected car security The target of protection, the object of After-sales market and relationship
security, becomes the network of networks, development can be enabled by a security
Similar to the grid (e.g., smart meter) not the individual car, and all cybersecurity model with clear opt-in and data sharing
and other mobile and internet-connected measures and technologies need to be rules, for example:
systems, the connected car ecosystem aligned with this goal in mind. Security
should be viewed as a network of requirements must be addressed at the New functions being adopted by the
networks (or a system of systems). The application/channel level, but in some business (e.g., operating incrementally
connected car is just one more link (albeit cases, this blocks the ability of the auto in several roles, including as service
the newest one and the most likely to manufacturer to have a coherent strategy. providers)
be the focus of attention) in a much wider
and complex network. When considering connected car initiatives, Business operates in an extended value
businesses need to establish a solid legal chain with no borders
When taking this point of view, we see understanding of data ownership and New partners are introduced (content
the need to shift the emphasis from the data protection policies. Only on that providers, etc.)
connected car as a cleanly defined system, basis will it be possible to design agile
with clear boundaries and input/output and secure services that will enhance Building new relationships with
points, and take instead as our object of business operations. So far, in Europe and customers (e.g., enabling customers to
protection the networks themselves, i.e., the rest of the world, issues around data select products and services online)
the interactions between the users/owners protection do not have a uniform answer
of the vehicles and the numerous other
Extending information networks and
yet, and this area requires more work technologies (e.g., linking transport and
actors in the ecosystem. Security becomes from the angle of information security. distribution networks; or establishing
then the security of those interactions and
Connected car networks need standard connections with vehicles for service,
is not limited to the car as a thing.
protection measures as security gateways maintenance and marketing purposes)
It is vital to understand the uneven (policy enforcement point) and firewalls Linking previously physically isolated
character of digital and network technologies. (to block DOS and protocol attacks), but systems under collaboration networks
So, for example, while some studies predict this also requires several layers or zones and enabling remote access (e.g., virtual
that 70-90% of the motor vehicles may (based on assurance levels and access desktops and software as a service)
be connected by year 2020, other data controls), where each layer implements
indicates that 80% of this connectivity a security policy. Data ownership and
will be very limited (e.g., only through the classification must underpin security
mobile phone and only for entertainment levels (separate access routes and roles,
and content services). There wont be data path segregation, etc.).
universal connections across brands and
much less for the entire functionality of Connecting to multiple trusted and
the cars for the foreseeable future. untrusted networks requires a new trust
model, but closing the trust gap between
the manufacturer and the car owner
Fundamental change and between the manufacturer and
commercial partners (providers) means
Because the connected car lives in the balancing risk and trust considerations to
network, security is not a matter of closing create a win-win situation for everyone.
doors and encrypting data; security means
managing shared data and a more complex
network of participants. Opening the
on-board network to the internet means
that legacy networks and applications The connected car is the focus of EYs
become exposed and the attack surface Inside Telecommunications newsletter,
increases as the business model expands issue 15, 2014: www.ey.com/insidetelco15
to new areas, partners and user types.

8 | Cybersecurity and the Internet of Things 9


The rise of the
cyber threat

Cyber attacks have transformed the risk landscape


70%
While the IoT is entering daily life more and more, security risks pertaining to IoT are
growing and are changing rapidly. In todays world of always on technology and not The security of the
Its important to remember that cybersecurity is a business-wide issue and not just
enough security awareness on the part of users, cyber attacks are no longer a matter of
a technology risk. Since many opportunities for IoT will arise through technological
thing is only as secure
if but when.
of the most commonly integration and collaboration, which will continue to increase in complexity this as the network in which
Cyber criminals are working on new techniques for getting through the security
used IoT devices contain of established organizations, accessing everything from IP to individual customer
complexity breeds risk.
it resides: this includes
vulnerabilities. information they are doing this so that they can cause damage, disrupt sensitive data Traditional proven risk management models have their origins and wisdom still focused
the people, processes and
and steal intellectual property. in a world where the organization owns and possesses most, if not all, of the data assets
HP study reveals 70% of Internet of Things devices vulnerable
to attack. (n.d.). Retrieved from http://h30499.www3.hp.com/
flowing through the systems. The increasing use of the internet and mobile working technologies involved in its
Every day, their attacks become more sophisticated and harder to defeat. Because of means that the boundary of the enterprise is disappearing: and as a result, the risk
t5/Fortify-Application-Security/HP-Study-Reveals-70-Percent-
of-Internet-of-Things-Devices/ba-p/6556284#.VHMpw4uUfVc this ongoing development, we cannot tell exactly what kind of threats will emerge next landscape also becomes unbounded.
development and delivery.
year, in five years time, or in 10 years time; we can only say that these threats will be
even more dangerous than those of today. We can also be certain that as old sources of With most of todays business being done outside the organizations defensive fence, it
this threat fade, new sources will emerge to take their place. Despite this uncertainty is vital for organizations to be able to communicate with their business partners and
in fact, because of it we need to be clear about the type of security controls needed. to do this they must create holes in the fence. As a result, a cybersecurity system
should also include the organizations broader network, including clients, customers,
Effective cybersecurity is increasingly complex to deliver. The traditional organizational suppliers/vendors, collaborators, business partners and even their alumni together
perimeter is eroding and existing security defenses are coming under increasing called the business ecosystem.
pressure. Point solutions, in particular antivirus software, IDS, IPS, patching and
encryption, remain a key control for combatting todays known attacks; however, they A standard approach to risk management assumes that the trust boundary is already
become less effective over time as hackers find new ways to circumvent controls. defined. What is missing in the risk-focused and techno-centric approach is everything
related to the management of trust, i.e., the new functions and processes, and the new
policies and structures required to expand the risk boundary.
Privacy
Privacy
Privacy Data and An extended ecosystem is governed and managed by various actors with individual
application policies and assurance requirements; and these actors sometimes have very different
nd en Phy interests and business objectives within the collaboration. It is therefore necessary to
vir
l a tory o adjust the organizations normal risk focus to take this into consideration.
sic men
reg ega

56%
ula

n
al t
L

For an organization to be able to effectively manage the risks in its ecosystem, it needs
to clearly define the limits of that ecosystem. It also needs to decide what it is willing
of respondents say that it is unlikely or highly to manage within those boundaries: is it just the risks faced by groups that are one
management

step from the organization itself (e.g., suppliers), or should the organization also try
Infrastructure

unlikely that their organization would be able to


Change

detect a sophisticated attack.** Risk to influence the mitigation of risks faced by groups that are two steps from the center **Survey statistics refer to EYs 17th
landscape (e.g., the suppliers of suppliers)? Global Information Security Survey
2014, which captures the responses of
1,825 C-suite leaders and information
security and IT executives/managers,
representing most of the worlds
do s an ty
rs d
er par
Se pri

largest and most-recognized global


it ird
cu v

ac y an Th ppli n companies. Responses were received


r

y d su ve from 60 countries and across nearly


Internal all industries. For further information,
employees please access: www.ey.com/GISS2014.

10 | Cybersecurity and the Internet of Things Cybersecurity and the Internet of Things | 11
The multiplying effect of todays
cybersecurity challenges

The interconnectivity of people, devices and organizations in todays digital world, opens up a whole new playing field of vulnerabilities
access points where the cyber criminals can get in. The overall risk landscape of the organization is only a part of a potentially
contradictory and opaque universe of actual and potential threats that all too often come from completely unexpected and unforeseen
threat actors, which can have an escalating effect.

The speed of change Infrastructure


In this post-economic-crisis world, businesses move fast. New Finding loopholes to enter any network will be easier for any
product launches, mergers, acquisitions, market expansion, and attacker since there will be so many ways to attack. Traditionally
introductions of new technology are all on the rise: these changes closed operating technology systems have increasingly been
invariably have a complicating impact on the strength and breadth given IP addresses that can be accessed externally, so that cyber
of an organizations cybersecurity, and its ability to keep pace. threats are making their way out of the back office systems
and into critical infrastructures, such as power generation and
transportation systems and other automation systems.
A network of networks
The adoption of mobile computing has resulted in blurring
organizational boundaries, with IT getting closer to the user
Cloud computing
and further from the organization. The use of the internet via Cloud computing has been a prerequisite for IoT from the very
smartphones and tablets (in combination with bring-your-own- early days of its evolution. The cloud provides a platform for IoT
device strategies by employers) has made an organizations data to flourish, however, there are still many challenges which we
accessible everywhere and at any time. face today when it comes to cloud security or data security in
the cloud. Organizations are often discovering too late that their
Inevitably, one vulnerable device can lead to other vulnerable
cloud providers standards of security may not correspond to
devices, and it is almost impossible to patch all the vulnerabilities
their own. The recent events of CelebGate and Amazons IAAS
for all the devices. For the cyber criminals, it wont be hard to
compromise are the live examples of such flaws. These are the
find a target for their attack. The market of vulnerability (the
incidents which have led the critics to call these services as single
underground black market selling botnets, zero days, rootkits,
point of hack, instead of a single point of storage.
etc.) will be vast and so would be the number of victims. It is
easier for an attacker to plant a Trojan in a phone, if the phone With Big Data also coming into picture, there will be an enormous
is connected to the computer which has already been compromised. amount of data produced for the service providers as well. With
With even more devices connected, it will be even easier for a the plethora of data that they will have, the storage servers will
cyber criminal to get into your attack vector. have to be updated and secured all the time. There will be an
increase in risks for communication links too, since the sensors
Machines or devices will be help people in performing most of
and devices will be communicating sensitive personal information
their tasks, but consider the scenario when somebody gets a
all the time on the channels.
peep into any of our smart devices. In a recent event, the hackers
hacked into a baby monitor and after having a good look around With our data stored on such cloud services, there is also a risk
at their way in and way out through the camera, they broke into of increase in spam as the cloud servers are virtually moved
the house. from one geographic location to another in a matter of minutes,
depending upon the requirement. Hence, there is no IP-specific
blockage possible for any spam.

12 Cybersecurity and the Internet of Things | 13


Application risk Growing use of mobile devices Bandwidth consumption In the application of data protection and privacy law, as well as
the access control model, one of the main objectives is that
Apps have accelerated the integration of mobile devices within Smart phones have already become an integral part of our lives; Thousands of sensors, or actuators, trying to communicate to a aggregated customer data should not enable anti-competitive,
our daily lives. From mapping apps, to social networking, to we rely on them to hold significant information, such as our single server will create a flood of data traffic which can bring illegal or discriminatory uses. Collection of personal information
productivity tools, to games, apps have largely driven the home address, credit card details, personal photos/videos, e-mail down the server. Additionally, most of the sensors use an must be always formally justified (including an impact assessment)
smartphone revolution and have made it as significant and as accounts, official documents, contact numbers and messages. unencrypted link to communicate, and hence, there is a possibility and restricted to the minimum necessary for business purposes.
far-reaching as it is today. While apps demonstrate utility that is The information stored on our devices will include the places that of lag in the security. According to established regulations, data should be retained for
seemingly bound only by developer imagination, it also increases we visit frequently and a pattern that uniquely identifies us, so as short a time as possible, strictly to support business operations.
The bandwidth consumption from billions of devices will put a
the risk of supporting BYOD devices in a corporate environment. anyone who can hack into any of these devices can get into our
strain on the spectrum of other wireless communications, which If the organization is collecting personal data, the purpose,
lives very easily.
As the organization enables employees to bring their own devices, also operate on the megahertz frequencies like radio, television, expiration, security, etc., of the data collected must be clearly
the need for using the same devices to access work-related data The loss of a single smart device not only means the loss of emergency services, etc. However, companies have started stated in the information security policy. The organization also
inevitably presents itself. This presents mainly two security risks: information, but increasingly it also leads to a loss of identity taking this seriously; as a result, Qualcomm has launched its low must undertake a risk assessment of the risks associated with
(identity theft).The internet knows no monopoly and hence all power Wi-Fi connectivity platform for IoT. the processing.
Malicious apps (malware): the increase in the number of apps devices cannot have the same firmware or software running on
on the device increases the likelihood that some may contain If data is processed by a third party (i.e., if the organization
them. Hardware from different companies might not support each
malicious code or security holes
other and thus it might lead to interoperability issues of devices.
Governance and compliance issues utilizes a cloud email provider), it is important that the data be
App vulnerabilities: apps developed or deployed by the Increasing privacy legislation is a trend that likely will continue protected by a data processing agreement with the third party.
The increase in the number of devices can also be a problem With the transference of data, the responsibility of protecting
organization to enable access to corporate data may contain in the near future. As organizations design IoT security controls,
as the vulnerabilities that they are associated with will spread that data also should be transferred and compliance verified.
security weaknesses these may interfere with personal expectations of privacy. A
very rapidly. With thousands of vendors across the globe, it However, it is interesting to note that most cloud vendors currently
well-formed IoT policy should include defined, clear expectations
will be very difficult for the network engineers to patch these either dont have a privacy policy or have non-transparent policies,
on privacy-impacting procedures, bearing in mind that legislation
vulnerabilities, especially with thousands of new patches to which makes users a little uncomfortable about relying on them.
may differ in certain geographical regions.
update daily IoT network engineers will now have tenfold
devices communicating to their servers outside the network.
Privacy and data protection Breach investigation and notification
Organized cyber criminals will be able to sell hardware with
Trojans or backdoors already installed in them, and with the help All smart devices hold information about their users, ranging Following the impact of highly publicized cyber attacks, new and
of these vulnerabilities, they will hunt other victims and make a from their diet plan to where they work; smart devices will future legislation is proposed on cybersecurity, with fines being
botnet out of it. These devices, scattered all around the world, include personal life details and often even banking details. All levied on companies who do not protect consumer data, and
will be perfect for a DDOS attack on any of the servers, since IoT devices gather accurate data from the real world, which is mandatory actions are being introduced around data breach
sensors dont have antiviruses. excellent from an analytics prospective, but a user might not be notification. Organizations should prepare for this legislation by
comfortable with sharing that data with a third party even if keeping an active inventory of devices, the data on them and the
not all the data is confidential or sensitive. security controls in place to protect that data.
The bring your own device employer
With the surfeit of data from billions of devices, there will be
With most employees now owning mobile devices, organizations
plenty of opportunities for analytical organizations; these
have been exploiting the fact that their employees increasingly
analytical frameworks will be able to quantify the business
want to use their own personal mobile devices to conduct
environment around the users but, at the same time, the
work (often alongside corporate-provided devices), or if an
monetization of this data can lead to privacy issues. The question
organization requires its employees to do so, it is a cheaper
is: do we feel comfortable in sharing our data with people we are
Some of the top privacy risks are web
alternative than providing the organizations own. Many
not even aware of? Doesnt it feel like a breach into our privacy? application vulnerabilities, operator-side

253 billion
organizations are reaching out to corporate IT to support this.
Should there be better transparency on how data is stored, used
However, BYOD significantly impacts the traditional security and transported?
data leakage, insufficient data breach
model of protecting the perimeter of the IT organization by
According to OWASP (open source web application security
response, data sharing with third parties,
The estimated number of free apps is blurring the definition of that perimeter, both in terms of physical
project), some of the top privacy risks also contain web and insecure data transfer.*
location and in asset ownership. A holistic and methodical
projected to reach 253 billion by 2017.* approach should be used to define this risk and help to ensure
application vulnerabilities, operator-side data leakage, insufficient * OWASP, Top 10 Privacy Risks Project. (n.d.). Retrieved from https://www.owasp.org/index.
data breach response, data sharing with third parties, and php/OWASP_Top_10_Privacy_Risks_Project
* Retrieved from http://www.statista.com/statistics/241587/number-of-free-mobile-app- that controls exist to maintain both the security and usability of
downloads-worldwide insecure data transfer.
the devices in the enterprise.

14 | Cybersecurity and the Internet of Things Cybersecurity and the Internet of Things | 15
Focus

Cybersecurity and smart energy grids


A step change in the evolution of the energy ecosystem
Smart meters and grid infrastructures important input and regulation from Customer data privacy and security are
will generate considerable benefits across the government. These partnerships critical to ensure customer adoption
the energy lifecycle from generation manage, or will manage, large amounts of smart meters and the expected
through to distribution and consumption. of consumption and operational data, a carbon footprint reduction. The
This includes: fact which calls for a large effort in the principles of privacy by design and
The ability to match supply and demand direction of a collaborative security security by design are required for the
strategy with specified roles and a implementation of security and privacy,
Reduced cost through remote joint approach to prevent and repel and efforts in this area must be well
administration of devices cyber attacks. understood, documented and visible to
Better informed consumers through support the credibility of the solution.
real-time availability of granular energy Comprehensive security It is important to highlight as we did in
consumption data
approach the context of the connected car that
However, if the transition to smart and the entire issue of consumer and citizen
grid energy management is not developed A multi-faceted, defense-in-depth data protection has not been resolved.
correctly, there are significant cybersecurity approach is required to ensure the There are large differences in legislation
threats to which organizations operating overall security of the smart metering between countries and regions, and
in this space will be exposed. system. The security solution should businesses face the lack of universally
aim to protect the system against accepted technical or industrial standards.
known and unknown attacks (day zero
Smart meter and smart attacks), unauthorized access, physical A secure solution could only be achieved
by taking a holistic view of the smart
grid complexity tampering, information compromise,
metering system and a structured
denial of service, eavesdropping and
The smart meter infrastructure depends other threats. approach to risk management. But to
on a wide complex of networked systems, make it truly successful, security must
with different technologies and security A set of preventive, detective and be embedded into the initial solution and
levels, creating an environment which corrective controls should be implemented not viewed as an add on.
is difficult to assess from the point of to ensure the security of the smart
view of data protection and cyber threat metering system, which includes end
management. devices, management and monitoring
systems, network infrastructure and
Enterprise networks of energy suppliers, payment environments. Some of the key
each with their own ecosystem, must be controls necessary to meet the smart
connected to the smart meter and grid metering security requirements are:
infrastructure, generating requirements network segregation, data encryption
for standardization and regulation of the (in transit and rest), near real-time
security mechanisms and processes. The monitoring, device/user authentication
complexity of this environment is not solution, device registration/
transparent for the general public. deregistration, etc.
Agreed legitimate uses of stored data The control environment needs to be
need to be complemented with mechanisms supported by a governance framework,
to minimize the risk of unauthorized appropriate policies and procedures,
access, including illegal commercialization continuous monitoring and a maturity
of data and data retention regulations model to ensure that the overall smart
covering data transferred beyond the metering system is protected against
original service supplier. known and unknown issues and
At a technical level, the grid and smart effectively responds to the changing For further perspectives around smart
meter infrastructure appears as a network threat landscape. metering, please see EYs Plug in report
of networks, governed by partnerships (November 2014): www.ey.com/smartmeter
and market-driven organizations, with an

16 | Cybersecurity and the Internet of Things 17


So how can
organizations get ahead
of cybercrime?
Your organization may already have strong IT policies, processes and technologies, Follow leading cybersecurity practices
but, is it prepared for what is coming? Early warning and detection of breaches are The future of IoT
decisive to being in a state of readiness, meaning that the emphasis of cybersecurity By leveraging-industry leading practices and adopting strategies that are flexible and
Dubbed by many as nothing

36%
has changed to threat intelligence. Most organizations already know that there are scalable, organizations will be better equipped to deal with incoming (sometimes
unforeseen) challenges to their security infrastructure. less than the 3rd industrial
threats for their information and operational systems, as well as for their products
the step beyond is to understand the nature of those threats and how these revolution, the Internet of
As technology advances and companies continue to innovate over the coming years, Things is one of the digital game
of respondents do not have a threat manifest themselves.
organizations using the IoT will need to continuously assess the security implications changers. We believe that when
intelligence program.**
An organization in a state of readiness to deal with cyber attacks inhabits an entirely of adopting these advancements. A consistent and agile multi-perspective security
everyone and everything is
different mind-set, sees the world differently and responds in a way the cyber criminals risk assessment methodology will help to evaluate the organizations risk exposure.
connected within seamless
would not expect. It requires behaviors that are thoughtful, considered and collaborative. The introduction of appropriate procedures and regular testing will help organizations
information networks and the
It learns, prepares and rehearses. No organization or government can ever predict or become smarter and make their employees more aware of the challenges that IoT poses
for the entire enterprise. resulting data is evaluated by
prevent all (or even most) attacks; but they can reduce their attractiveness as a target,
intelligent and predictive big
increase their resilience and limit damage from any given attack. Know your environment, inside and out
data analytics, and with robust
Comprehensive, yet targeted, situational awareness is critical to understanding
A state of readiness includes: cybersecurity measures in place,
the wider threat landscape and how it relates to the organization. Cyber threat
Designing and implementing a cyber threat intelligence strategy to support strategic intelligence can bring this knowledge it incorporates both external and internal we will see positive changes in
business decisions and leverage the value of security sources of risk, and covers both the present and future, while learning from the past. the way we all conduct business;
how we operate our factories,
Defining and encompassing the organizations extended cybersecurity ecosystem, Continually learn and evolve

37%
supply chains and logistics
including partners, suppliers, services and business networks Nothing is static not the criminals, not the organization or any part of its operating
networks; how we manage our
environment therefore the cycle of continual improvement remains. Become a learning
Taking a cyber economic approach understanding your vital assets and their value, infrastructure; and last but not
organization: study data (including forensics), maintain and explore new collaborative
say that real time insight on and investing specifically in their protection least, how we as consumers,
cyber risk is not available.** relationships, refresh the strategy regularly and evolve cybersecurity capabilities.
Using forensic data analytics and cyber threat intelligence to analyze and anticipate patients and citizens interact
where the likely threats are coming from and when, increasing your readiness
Be confident in your incident response and crisis response mechanisms with suppliers, retailers,
Organizations that are in a state of anticipation regularly rehearse their incident
Ensuring that everyone in the organization understands the need for strong health care providers and
response capabilities. This includes war gaming and table top exercises, through to
governance, user controls and accountability government agencies.
enacting complex incident scenarios that really test the organizations capabilities.
Organizations may not be able to control when information security incidents occur, but Paul van Kessel, EY Global Risk leader
Align cybersecurity to business objectives
they can control how they respond to them expanding detection capabilities is a good Cybersecurity should become a standing boardroom issue a vitally important item
place to start. A well-functioning security operations center (SOC) can form the heart of on the agenda. The organizations leadership should understand and discuss how
effective detection. cybersecurity enables the business to innovate, open new channels to market and
manage risk. To be successful, the information security function needs leadership
Managing cyber threats according to business priorities must be the focus of the SOC.
support in providing the appropriate revenue to support and grow better security
By correlating business-relevant information against a secure baseline, the SOC can
protection, to promote cybersecurity awareness within the workforce, and to sponsor
produce relevant reporting, enabling better decision-making, risk management and
cooperation with business peers.
business continuity. An SOC can enable information security functions to respond faster,
work more collaboratively and share knowledge more effectively.
Move from security as a cost, to security as a plus
Security is usually positioned as an obligatory cost a cost to pay to be

6%
of organizations claim to have a
compliant, or a cost to pay to reduce risk. But moving to a model of security
as risk and trust management implies looking upon security as a business
enabler; for example, managing consumer data access leverages the monetary
robust incident response program value of the data instead of focusing on the protection of the data itself. In fact,
that includes third parties and law this transformation means enabling the development of even more extended
enforcement and is integrated with
their broader threat and vulnerability networks of networks, of more and new forms of collaboration and mobility, and
management function.** of new business models. Security as a plus should be a mainstay of the business.

18 | Cybersecurity and the Internet of Things Cybersecurity and the Internet of Things | 19
How can EY help?

EY has identified that organizations responses to cybercrime fall Helping you anticipate cybercrime
into three distinct stages of cybersecurity maturity Activate, Adapt We have seen that organizations need to change their way of thinking to stop being
and Anticipate (the three As) and the aim should be to implement simply reactive to future threats; yet in our recent Global Information Security Survey
ever more advanced cybersecurity measures at each stage. (www.ey.com/cybersecurity) we found that only 5% of the 1,800 organizations surveyed
had a threat intelligence team with dedicated staff.

Stage 1: Activate The only way to get ahead of the cyber criminals is to learn how to anticipate their
attacks; this means that your cybersecurity capability should be able to address the
Organizations need to have a solid foundation of cybersecurity. This comprises a following questions:
comprehensive set of information security measures, which will provide basic (but What is happening out there that our organization needs to learn from?
not good) defense against cyber attacks. At this stage, organizations establish their
fundamentals i.e., they activate their cybersecurity. How are other successful organizations dealing with threats and attacks?
How can our organization become hardened against attack?
Can our organization distinguish a random attack from a targeted one?

58%
Stage 2: Adapt
What would be the economic cost of an attack?
Organizations change whether for survival or for growth. Threats also change.
Therefore, the foundation of information security measures must adapt to keep pace
How would our customers be impacted by an attack? of organizations do not have a
and match the changing business requirements and dynamics otherwise they will What would the legal and regulatory consequences of a serious attack be? role or department focused on
emerging technologies and their
become less and less effective over time. At this stage, organizations work to keep
How can we help others in our ecosystem deal with threats and attacks? impact on information security.**
their cybersecurity up-to-date; i.e., they adapt to changing requirements.
EY can help organizations improve their ability to respond to changes in the threat
landscape. We provide services to assist organizations in developing in-house threat
Stage 3: Anticipate intelligence programs as well as several key threat intelligence services in subscription-
based models and full spectrum managed cyber threat intelligence services.
Organizations need to develop tactics to detect and detract potential cyber attacks.
They must know exactly what they need to protect their most valuable assets, and We believe that security assessments are an effective method of identifying vulnerabilities
rehearse appropriate responses to likely attack/incident scenarios: this requires a and understanding their impact. Together with IT security, risk management and
mature cyber threat intelligence capability, a robust risk assessment methodology, internal audit groups at our clients, we contextualize these technical findings within the
an experienced incident response mechanism and an informed organization. At this business to fully understand the risk to the most critical assets. It is this teaming between
stage, organizations are more confident about their ability to handle more technical testers and business owners that we believe will continue to be the most effective
predictable threats and unexpected attacks; i.e., they anticipate cyber attacks. method of evaluating the security of both established and emerging technologies.

Using EYs security practices and industry leading experience, we help our clients secure
both the device ecosystem and assess security at the network level, and we assist our
What it is Cybersecurity system building blocks Status clients in defining and implementing state-of-the-art security controls to:
Anticipate is about looking into the unknown. Anticipate is an emerging level. More and more Secure the data from device to data center to the cloud
Based on cyber threat intelligence, potential hacks organizations are using cyber threat intelligence to
Anticipate
are identified; measures are taken before any get ahead of cybercrime. It is an innovative addition Manage large volumes of data, utilizing our knowledge of data analytics
damage is done. to the below.
Comply with the applicable security and regulatory requirements
Adapt is not broadly implemented yet. It is not
Adapt is about change. The cybersecurity system
common practice to assess the cybersecurity Standardize the security controls for their offerings, thereby creating faster
is changing when the environment is changing. It is Adapt
focused on protecting the business of tomorrow.
implications every time an organization makes go-to-market capabilities
changes in the business.
However, we appreciate that many of our clients face location, time and cost constraints,
which make it difficult to determine what security measures are cost-effective and
Activate sets the stage. It is a complex set of Activate is part of the cybersecurity system of every
cybersecurity measures focused on protecting Activate organization. Not all necessary measures are taken make sense within the business strategy. We can help our clients gain a thorough
the business as it is today. yet; there is still a lot to do. understanding of the options.

16
20 | Cybersecurity and the Internet of Things Cybersecurity and the Internet of Things | 21
Conclusion

IoT must change the way businesses


do business

There is no doubt that IoT is changing the way we all live and
work. There are many opportunities for the public as well
as private sector markets through technological integration Next steps
and collaboration.
Take a look at your organization (public,
New innovations are being introduced daily, but along with private or NGO). What can you do that you
these, threats are being created which will challenge your couldnt do before? Start to do it now,
organization. You need to get ahead of the game now to be
before someone else does. Act rather
successful tomorrow.
than react.
IoT will increasingly have sensing, analytics and visualization Consider these key questions:
tools that may be accessed on a personal, community or national
level. Information sharing and ease of accessibility via the IoT
makes businesses vulnerable to targeted cyber attacks, so the W
hat IoT capabilities does your organization have today?
huge benefits must be weighed against the growing risks.
C an you harness the complementary insights of both
service and IT leaders?

IoT offers tremendous opportunities for H


ave you identified major IoT opportunity areas that link
personal improvements and for business with your vision and strategy?
innovation, but innovators need to be
C an you build an IoT culture around the possibilities of
aware of the risks involved in IoT to provide connecting the unconnected?
better and more powerful solutions for
the world. H
ow will IoT change the basis of competition?
Ken Allan, Global Cybersecurity Leader, EY.
H
ow will you delight customers as everything gets
connected?
As a consequence of IoT adoption, together with supporting
technologies and services based on cloud infrastructure and D
o your business plans reflect the full potential of IoT?
mobile devices, enterprise security requirements have to be
addressed with a focus on the relationships between the A
re your technology investments aligned with
organization and its environment. opportunities and threats?

Organizations must adapt and look ahead and beyond the H


ow will IoT improve your agility?
current business. With the understanding that attacks can never
be fully prevented, companies should advance their cyber D
o you have the capabilities to deliver value from IoT?
threat detection capabilities so they can respond appropriately
and proactively. W
hat is your accountability and governance structure/
model for IoT execution?
Learning how to stay ahead of cybercrime is challenging and takes
time, but the benefits for the organization are considerable the H
ow are the risks associated with IoT being addressed?
organization will be able to exploit the opportunities offered by
the digital world, while minimizing exposure to risks and the cost H
ow will you communicate about IoT to stakeholders?
of dealing with them.

If you are unsure about any of these answers,


speak to your EY representative.

22 Cybersecurity and the Internet of Things | 23


Want to learn more?

Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business
risks and the many related challenges and opportunities. These timely and topical publications are designed to help you understand
the issues and provide you with valuable insights about our perspective. Please visit our Insights on governance, risk and compliance
series at www.ey.com/GRCinsights.

Get ahead of cybercrime: Achieving resilience in the Bring your own device: security and risk
EYs Global Information cyber ecosystem considerations for your mobile
Security Survey 2014 www.ey.com/cyberecosystem device program
www.ey.com/GISS www.ey.com/byod

Security Operations Centers Cyber Program Management: identifying Cyber threat intelligence how to
helping you get ahead of cybercrime ways to get ahead of cybercrime get ahead of cybercrime
www.ey.com/SOC www.ey.com/CPM www.ey.com/CTI At EY, we have an integrated perspective on all aspects of organizational
risk. We are the market leaders in internal audit and financial risk and
controls, and we continue to expand our capabilities in other areas of
risk, including governance, risk and compliance as well as enterprise
risk management.
We innovate in areas, such as risk consulting, risk analytics and risk
technologies, to stay ahead of our competition. We draw on in-depth
industry-leading technical and IT-related risk management knowledge to
deliver IT controls services focused on the design, implementation and
rationalization of controls that potentially reduce the risks in our clients
Maximizing the value of a data Big data: changing the way Building trust in the cloud: creating applications, infrastructure and data. Information security is a key area
protection program businesses compete and operate confidence in your cloud ecosystem of focus where EY is an acknowledged leader in the current landscape
www.ey.com/dataprotect www.ey.com/bigdatachange www.ey.com/cloudtrust of mobile technology, social media and cloud computing.

24 | Cybersecurity and the Internet of Things


EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, About EYs Advisory Services
transaction and advisory services. The insights
and quality services we deliver help build Improving business performance while managing risk is an increasingly complex
trust and confidence in the capital markets business challenge. Whether your focus is on broad business transformation or, more
and in economies the world over. We develop
specifically, on achieving growth or optimizing or protecting your business, having the
outstanding leaders who team to deliver on
our promises to all of our stakeholders. In right advisors on your side can make all the difference.
so doing, we play a critical role in building a Our 30,000 advisory professionals form one of the broadest global advisory networks
better working world for our people, for our
of any professional organization, delivering seasoned multidisciplinary teams that work
clients and for our communities.
with our clients to deliver a powerful and exceptional client service. We use proven,
EY refers to the global organization, and may integrated methodologies to help you solve your most challenging business problems,
refer to one or more, of the member firms of
Ernst & Young Global Limited, each of which is
deliver a strong performance in complex market conditions and build sustainable
a separate legal entity. Ernst & Young Global stakeholder confidence for the longer term. We understand that you need services
Limited, a UK company limited by guarantee, that are adapted to your industry issues, so we bring our broad sector experience and
does not provide services to clients. For more deep subject matter knowledge to bear in a proactive and objective way. Above all, we
information about our organization, please are committed to measuring the gains and identifying where your strategy and change
visit ey.com.
initiatives are delivering the value your business needs.
2015 EYGM Limited.
All Rights Reserved. To find out more about how our Risk Advisory services could help your organization,
speak to your local EY professional or a member of our global team, or view:
EYG no. AU2979
ED None ey.com/advisory

In line with EYs commitment to minimize its impact Our Risk Advisory leaders are:
on the environment, this document has been printed
on paper with a high recycled content.
Global Risk Leader
This material has been prepared for general informational
purposes only and is not intended to be relied upon as Paul van Kessel +31 88 40 71271 [email protected]
accounting, tax, or other professional advice. Please refer
to your advisors for specific advice. Area Risk Leaders
ey.com/GRCinsights Americas

Amy Brachio +1 612 371 8537 [email protected]

EMEIA

Jonathan Blackmore +971 4 312 9921 [email protected]

Asia-Pacific

Iain Burnet +61 8 9429 2486 [email protected]

Japan

Yoshihiro Azuma +81 3 3503 1100 [email protected]

Our Cybersecurity leaders are:

Global Cybersecurity Leader

Ken Allan +44 20 795 15769 [email protected]

Area Cybersecurity Leaders


Americas

Bob Sydow +1 513 612 1591 [email protected]

EMEIA

Ken Allan +44 20 795 15769 [email protected]

Asia-Pacific

Paul ORourke +65 6309 8890 [email protected]

Japan

Shinichiro Nagao +81 3 3503 1100 [email protected]

You might also like