Do You Know What’s in Your Network? A Process-Driven Assessment of the Cybersecurity Risks that IoT Products and Services Present

The strong market for Internet of Things (IoT)-based products and services has resulted in a growing number of devices connected to the Internet. IoT applications are now being used not only in the home to monitor and control everyday appliances, but also for a variety of applications in the fields of industrial automation, healthcare, transportation and a host of other verticals. As these innovations increasingly touch our daily lives, the need for security is critical.  Many of these products, services and devices are associated with third-party components and platforms. This creates the need for adequate security controls to ensure the integrity of the information and communications technology (ICT) network.

As such, it is important that ICT network operators have the capability to perform a risk assessment to determine their own security IoT goals, identify and assess potential risks of new products and services as well as develop proactive steps to mitigate identified risks.  By performing such an assessment during the planning and design phase, security can be “built in,” instead of becoming an afterthought in the development of ICT solutions.

To help organizations implement a set of tools and practices to manage cybersecurity risks to their network, ATIS has developed An Architectural Risk Analysis for Internet of Things (IoT) Services. The Architectural Risk Analysis (ARA) process helps ICT providers and their associated third-party partners and suppliers to assess the architecture by identifying key points where security controls are needed to prevent potential threats and their associated risks.

Clear security objectives must be defined in order to provide an operational context for developing a threat model and conducting the detailed analysis.  Questions that should be asked include: What are the key assets that make up the solution?  What services do they provide?  How important are those assets to the organization?  What services and assets must be protected against attack?

Three key process steps are part of the ARA.  These include Architectural Discovery, Threat Identification and Risk Analysis, and can be defined as follows:

  • The primary objective of Architecture Discovery is to develop a view of the network that identifies major assets, interfaces, dataflows and functions.
  • In Threat Identification, the primary objective is to identify the major threats and attack points relevant to architecture.
  • The primary objective of Risk Analysis is to assess the effectiveness of security controls and countermeasures that may be used.

A major benefit of the ARA is that the most damaging threats are identified. This allows the organization to focus security investment and mitigations on the most serious issues, thus maximizing the protection provided for a given level of security investment. By identifying vulnerabilities in a quantifiable manner, operators can prioritize their time, money and resource expenditures to fortify an asset to mitigate the most serious risks.  Thus, the ARA aids in the process of determining which security capabilities should be employed to best secure the system at a risk level that is appropriate for the value of the service or device.

Furthermore, the ARA process helps to assess the architecture connecting the service provider’s network to the cloud provider by identifying where security controls are needed. It also includes an approach to properly identify and address security risks related to third-party components and platforms in service provider solutions – particularly important as operators are likely to partner for IoT solutions.

The ARA process is outlined in ATIS’ Architectural Risk Analysis for Internet of Things (IoT) Services. When used in conjunction with industry best practices, this resource provides a comprehensive and sound approach for performing a cybersecurity architectural risk analysis of both complete, carrier-grade solutions and the components that support them. Engaging in such an approach is essential to both securing the network and helping consumers have the maximum benefit from the burgeoning innovation taking place in the IoT space.

Tom Anderson, Principal Technologist, ‎ATIS
Tom Anderson is a Principal Technologist at ATIS specializing in standards, architecture and evolution of service provider networks. In the past, he has worked for major industry vendors including Bell Labs, Lucent, Alcatel-Lucent, Juniper and Cisco where he managed network technology evolution, strategy, standards and architecture. As a 30+ year veteran of the telecommunications industry, Tom has been active in telecommunications standards activities and has held numerous positions in the areas of architecture, product development, systems engineering, and product management. His more recent work has focused on Network Function Virtualization (NFV), SDN (Software Defined Networking), end-to-end  network optimization, and standards strategy and has chaired a variety of ATIS working groups as well the CSRIC WG8 on Priority Services.