The Limitations of Digital Trust Labels for IoT Device Security Risk Mitigation
To protect their data and mitigate risk, organizations should understand what these trust labels are, their limitations, and how they can verify a manufacturer’s security attestations.
In a digital world, new technologies give organizations a competitive edge by increasing productivity and reducing administrative costs. For example, Internet of Things (IoT) devices allow companies to perform remote monitoring. In the healthcare industry, teams use Internet of Medical Things (IoMT) devices to monitor and improve patient care. Meanwhile, in the manufacturing, energy, and utilities industries, IoT devices enable organizations to monitor and predict maintenance for operational technology (OT). Even the retail and hospitality verticals leverage IoT to gain insights into physical security, foot traffic, or temperature control.
Meanwhile, these devices have no standardized security requirements, creating an opportunity for malicious actors to exploit them. As data breaches continue to place sensitive data and organizational financial stability at risk, companies need transparency into the security posture of these mission-critical devices. While governments and regulatory bodies express concern over these new risks, the new digital trust labels that seek to implement best practices remain mostly voluntary.
Understanding Trust Labels: Causes and Initiatives
Increased data sharing and the adoption of new technology change the security and privacy risk landscape. Globally, concerns about supply chains continue to keep business and security leaders awake at night, even those who feel confident in their own security posture.
For example, the World Economic Forum Global Cybersecurity Outlook 2024 found that:
- 64% of executives who believe their organization’s cyber resilience meets minimum operational requirements have an inadequate understanding of their supply-chain cyber vulnerability
- 54% of organizations do not sufficiently understand the cyber vulnerabilities in their supply chain
- 51% of leaders say their supply-chain partners have not asked them for proof of their cybersecurity posture
- 41% of organizations that suffered a material incident in the past 12 months said that a third party caused it
In response, international legislative and regulatory bodies implemented new laws and regulations, hoping to hold organizations accountable.
Over the past three years, the global tide of international trust labels focused on data protection and supply chain risk mitigation has evolved from a ripple to a tidal wave. For example, a few recent required and voluntary labels include:
- FCC U.S. Cyber Trust Mark (2023): The proposed rule seeks to establish an Internet of Things (IoT) voluntary cybersecurity labeling program.
- German IT Security Act 2.0 (2021): Section 9 requires a declaration of trustworthiness from manufacturers of critical components and introduces a uniform IT security label for consumer technologies.
- Swiss Digital Trust Label (2022): The certification intends to aid buyers by increasing transparency, reducing complexity, and empowering decision-making.
Increasing Scrutiny on IoT Security
With no clear, standardized, enforced security requirements for IoT devices, organizations face new risks and challenges. Attackers seeking to exploit vulnerabilities across an organization’s systems increasingly look to IoT as a potential weakness. While these new digital trust labels seek to create baselines for the vendors who sell these devices, organizations still face significant risk mitigation challenges. Because the labels depend on mostly voluntary adoption, they tend not to be as stringent as security practitioners might hope.
Expanded Attack Surface
Every new connected device creates an access point that attackers can use to compromise systems. This expanded attack surface can be challenging to manage, since traditional asset identification tools often knock IoT devices offline when they scan them. Without a comprehensive inventory, organizations have limited insight into risk.
Unpatched Vulnerabilities
Along these same lines, traditional IT vulnerability scanners are not built around IoT devices’ constraints, and scanning them often causes costly service disruptions. Further, in certain industries, like manufacturing or healthcare, these disruptions can lead to physical harm.
Malicious actors can use IoT device vulnerabilities to compromise an organization’s systems and networks. To gain unauthorized access to sensitive data, attackers can leverage vulnerabilities in a device’s:
- Memory
- Firmware
- Physical interface
- Web interface
- Network services
- Insecure default settings or update mechanisms
- Outdated components
Skills Gap
Many companies suffer from the cybersecurity skills gap, leaving them with IT professionals who have little experience with IoT devices’ unique security needs. Because IoT is a relatively new class of device, even experienced security professionals may lack insight into best practices for securing it. For many companies, finding people with the right experience becomes too difficult or cost-prohibitive to do consistently and well.
Legacy Systems and Technologies
Across many verticals, IoT devices connect legacy technologies to the public internet. For example, in healthcare, IoMT might send data from an imaging machine to a patient data portal. In manufacturing, the Industrial Internet of Things (IIoT) may connect traditionally segmented operational technology environments to the public internet. Since these legacy technologies were not designed with connectivity in mind, they may lack the appropriate security requirements, placing them at risk.
Create Visibility to Build Trust
Since most of these trust label programs remain voluntary, organizations should take a “trust but verify” approach by proactively identifying risk and mitigating it across the device’s life cycle.
Procurement Risk Review
While the labels intend to help organizations make informed procurement decisions, they still rely on manufacturers’ attestations.
To proactively manage IoT security risk, companies should incorporate risk management before purchasing a networked device by leveraging an extensive device database:
- Simulate device risk scenarios by estimating the lowest achievable risk for a device before configuring and connecting it
- Implement secure, active configurations during installation
Gain Visibility into Organizational Security Risk
For comprehensive security, organizations should create an asset inventory that provides visibility into overall IoT impact and risk by building an accurate device profile that contains:
- Operating system
- IP address
- MAC address
- Port numbers
- Hostname
Further, they need visibility into the impact that IoT devices have after procurement by:
- Identifying devices containing vulnerabilities
- Gaining insight into threat actors’ ability to use the devices in an attack
- Assessing the impact that an attack on those devices would have on organizational security posture
Create Baselines and Key Performance Indicators
Security risk mitigation is about continuous improvement. Organizations need solutions that provide metrics showing IoT device security improvement over time to assess the impact of their security investments. Using these metrics, they can prove that their current investments provided value and identify areas where they need to allocate additional financial and staffing resources.
Continuously Monitor Threats and Enhance Response
Organizations should integrate IoT monitoring data into their existing security tools for a holistic approach to security incident detection and response.
To enable incident response and recovery, organizations need a solution that captures network packet data so that the security team can trace an attack back to its root cause faster. For example, security teams need a solution that can correlate IT and OT information with data like:
- RAM from servers (important for fileless malware, which leaves no trace on disk)
- Traffic information from network devices
- Data transferred to an FTP server
Asimily: Validation that Builds Trust in IoT
Asimily provides holistic context into an organization’s environment when calculating likelihood-based risk scores for devices. Our vulnerability scoring accounts for compensating controls so you can more appropriately prioritize remediation activities.
Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, the MITRE ATT&CK Framework, and NIST guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that carry the highest risk (due to a high likelihood of exploitation and high impact if compromised). Asimily’s recommendations can easily be applied in several ways, including but not limited to seamless integration with NACs, firewalls, or other network enforcement solutions. This makes teams more efficient, thus increasing resources available for other defensive needs.
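As an added illustration (not Asimily’s patented algorithm, whose details this post does not describe), the Python below sketches what likelihood-based scoring with compensating controls looks like over an inventory profile of the kind listed under “Gain Visibility”: each device’s EPSS-style per-CVE probabilities are scaled down by the controls assumed to be in place, multiplied by an impact rating, and the top fraction of devices is selected; comparing raw and residual risk is also the “simulate device risk scenarios before connecting” step from the procurement review. The control weights, device records, CVE ids and EPSS values are all constructed placeholders.

```python
"""Likelihood-based IoT risk scoring: a hypothetical model, not Asimily's algorithm.
Likelihood is an EPSS-style exploitation probability per CVE, scaled down by
compensating controls; impact is a 1-5 rating. All data below is constructed."""
from dataclasses import dataclass
import math

# Assumed multiplicative likelihood reductions per compensating control.
CONTROL_WEIGHTS = {
    "segmented": 0.5,          # restricted VLAN/zone, limited lateral reach
    "no_internet": 0.3,        # no inbound path from the public internet
    "mgmt_ports_closed": 0.6,  # Telnet/HTTP admin interfaces disabled
}

@dataclass
class Device:
    hostname: str
    ip: str
    mac: str
    os: str
    open_ports: list
    epss: dict                 # placeholder CVE id -> exploitation probability
    impact: int                # 1 (nuisance) .. 5 (safety or patient critical)
    controls: frozenset = frozenset()

def likelihood(dev, apply_controls=True):
    """P(at least one finding is exploited); controls scale each CVE's probability."""
    factor = math.prod(CONTROL_WEIGHTS.get(c, 1.0) for c in dev.controls) if apply_controls else 1.0
    p_none = math.prod(1.0 - min(1.0, p * factor) for p in dev.epss.values())
    return 1.0 - p_none

def risk(dev, apply_controls=True):
    return likelihood(dev, apply_controls) * dev.impact

def prioritize(devices, top_fraction=0.02, apply_controls=True):
    """Hostnames of the top fraction of devices by risk (always at least one)."""
    ranked = sorted(devices, key=lambda d: risk(d, apply_controls), reverse=True)
    return [d.hostname for d in ranked[:max(1, round(len(ranked) * top_fraction))]]

INVENTORY = [  # constructed sample inventory; CVE ids are placeholders
    Device("infusion-pump-07", "10.20.1.17", "00:1a:2b:3c:4d:17", "embedded-linux",
           [23, 80], {"CVE-0000-0001": 0.70}, 5, frozenset({"segmented", "no_internet"})),
    Device("lobby-camera-02", "10.30.4.22", "00:1a:2b:3c:4e:22", "rtos",
           [80, 554], {"CVE-0000-0002": 0.40, "CVE-0000-0003": 0.25}, 2),
    Device("hvac-gateway-01", "10.10.9.5", "00:1a:2b:3c:4f:05", "embedded-linux",
           [443], {"CVE-0000-0004": 0.05}, 3, frozenset({"mgmt_ports_closed"})),
]

if __name__ == "__main__":
    for d in sorted(INVENTORY, key=risk, reverse=True):
        print(f"{d.hostname:18} raw={risk(d, False):.2f} residual={risk(d):.2f}")
```

Note how the segmented, internet-isolated infusion pump ranks first on raw EPSS but drops below the exposed lobby camera once its compensating controls are counted.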
To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.