As the Internet of Things (IoT) has grown in size over the past few years, the risks of a cyberattack associated with one of these connected devices have increased as well. There were 15.14 billion IoT devices online in 2023, and this year that number is expected to grow to 17.08 billion. Just one of them left without the proper security measures could spark a major attack that cripples an organization. 

The issue is that security weaknesses are common in connected devices, including issues in the firmware versions, devices developed without built-in security measures, and lack of vendor support for long-term use. These common weaknesses make IoT devices easy targets for threat actors. Beyond needing to defend these devices against threats, security teams also need to consider the third-party risk related to using these devices and integrate them into a cohesive third-party risk management (TPRM) strategy. 

The reason for this is simple. IoT device manufacturers commonly retain access to installed devices. They may still be able to access connected systems for any number of reasons, such as performance analytics or something else, but any external access should be cause for concern. Not least of which is for regulatory compliance. The new SEC cyber incident reporting rules require speedy breach reporting and more transparency around breaches. Publicly traded companies will now have to report their cyber risk management strategy on their 10-K financial reports, which means understanding their vendor risk profile is vital. 

Third-Party Risk Management in the Internet of Things

Device manufacturers may retain some measure of access to collect basic data, such as performance monitoring or user analytics, or even to push updates to firmware when needed. Such external access increases the third-party risk profile of your organization. Given that many of the most damaging breaches of the past few years originate with third parties or via the software supply chain, deploying a strong third-party risk management strategy is absolutely vital for the modern enterprise regardless of industry. 

Manufacturing companies risk breaches originating from a supplier of connected industrial machinery with the outcome of having to shut down production. Utility companies may have their remote sensors compromised and be unable to track usage throughout their system or risk compromise to critical safety devices. 

The use of trusted credentials is necessary for efficient interactions with suppliers, but they create an additional pathway for threat actors to exploit. According to research from Prevalent, 41% of companies experienced an impactful third-party breach in the last 12 months. Any security weakness that enables a threat actor to access critical data is one that should be closed or at the very least mitigated.

Adapting a New IoT Third-Party Risk Management Strategy

The increased number of breaches using vendors or suppliers as entry points requires a more robust approach to protecting the supply chain from threat actors. This methodology needs to include assessment, monitoring, and mitigation of potential third-party risks. 

Security questionnaires like the Standardized Information Gathering (SIG) assessment and audits, such as SOC2 or ISO 27001, are good starting points for understanding a vendor’s security practices. Sending out regular assessments – often yearly – is vital to understanding the security posture of your vendors. However, those certifications and assessments are point-in-time qualifiers that reflect reality only at the time they are collected. The average company’s security posture shifts rapidly enough that trusting point-in-time assessments or audits is not nearly enough. 

Security teams need to collect continuous intelligence from internet-facing and network-accessible assets into a centralized source of information for analysis and decision-making. This approach empowers security teams with more cohesive and complete risk data for compliance and improved TPRM.

The components of this strategy include:

• Automated inventory creation and discovery of network-accessible connected devices and other assets.
• Determining the security controls on those assets. 
• Resolving any asset vulnerabilities based on risk scoring. 
• Communicating issues to vendors or suppliers that will have an impact on the business.
• Continuous monitoring to easily track potential issues. 
• Increased monitoring of systems with third-party credentialed access.

The above strategy for managing third-party risk creates a more robust security posture and mitigates substantially more areas of weakness overall. It will also assist with fulfilling the risk management requirements of the SEC rules.

How Asimily Enables Proactive IoT Third-Party Risk Management

The Asimily platform is designed to enable a proactive third-party risk management approach for connected devices regardless of how many or how few are in your system architecture.

Strategy: Automated inventory creation and discovery of network-accessible connected devices and other assets.

The Asimily platform scans network traffic and discovers information about internet-accessible devices and other assets. This scanning provides insight into which assets or IoT devices are attached to networks. They also feature a topology report that shows which devices and systems the IoT device in question was communicating with. For environments where passive scanning is not enough and also safe, additional methods can be used such as harvesting data from other inventory systems and SNMP walks.

Strategy: Determining the security controls on those assets

Unknown or unmanaged internet-accessible assets are the biggest vector for third-party breach risk. With Asimily, you can be confident that security controls are applied to connected devices and risk is reduced accordingly.

Strategy: Resolving any asset vulnerabilities based on risk scoring

Risk-based vulnerability prioritization is one of the most effective methods of risk reduction. Asimily prioritizes vulnerability mitigation work based on the likelihood of exploitation and the impact of a successful exploit. This empowers security teams to make better decisions about what to work on and reduces the possibility of a successful attack originating in the vendor ecosystem. 

Strategy: Communicating issues to vendors or suppliers that will have an impact on the business.

Asimily provides easy reporting for security teams to share with their vendors and suppliers about identified risks. This can help vendors remediate issues in their defenses, thus ensuring that your business is more secure. 

Strategy: Continuous monitoring to track potential issues. 

Asimily monitors and detects misconfigurations, attacks, zero-day vulnerabilities, and anomalous behavior from connected devices. Knowing whether an IoT device is communicating with an unintended recipient is a powerful way to protect your critical systems. It’s also vital when it comes to the SEC’s incident reporting requirements. 

Strategy: Increased monitoring of systems with third-party credentialed access.

Asimily tracks the assets that vendors can access and what data is being transmitted. This increased monitoring reduces the strain on cybersecurity teams and ensures peace of mind. Asimily assists with monitoring for potential supply chain attacks so companies can focus on their core business. 

Through their use of Asimily, companies can be confident that they’re able to monitor their vendor ecosystem for possible security risks and understand the threats facing their IoT architecture. This ensures that the company remains protected as connected devices become more tightly interwoven into their operations.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.