New Release: CIS Controls® Internet of Things Companion Guide
Internet of Things (IoT) devices aren’t just invading our homes; these smart, connected machines have taken root in the workplace. And they’re here to stay. To help secure this new frontier, CIS is releasing a CIS Controls Companion Guide to help organizations apply the CIS Controls to the IoT. This new resource helps organizations implement consensus-developed best practices using Version 7.1 of the CIS Controls. This guidance is aimed to provide security recommendations for a variety of IoT devices that often present unique and complex challenges for security professionals.
Security challenges for IoT
IoT devices have become embedded into enterprises across the globe and often can’t be secured via standard enterprise security methods, such as traditional antivirus software. Yet for ease of use and flexibility, IoT devices are often connected to the same workplace networks employees use day in and day out. IoT devices include smart speakers, security cameras, door locks, window sensors, thermostats, headsets, watches, and more - all devices that may be integrated into a typical business IT environment.
There is no universally agreed upon definition for IoT. Perspectives from industry, academia, governments, and others across the world focus on the needs of their sector, business, or area of interest. Regardless of which definition your organization chooses to use, there are certain common features:
- Communications – IoT devices can communicate with other devices. This could be via a local medium, such as radio frequency identification (RFID), Bluetooth, WiFi, or via a wide area network (WAN) protocol, such as cellular.
- Functionality – IoT devices typically have a core function as well as some additional functionality, but they do not do everything. Most IoT devices do one thing and do it well.
- Processing Capability – IoT devices have sufficient processing capability to make their own decisions and act on inputs received from outside sources, but not enough intelligence to do complex tasks. For instance, they generally cannot run a rich operating system designed for a traditional desktop or mobile device.
The lack of a consistent, agreed upon definition is actually part of the challenge with security in the IoT arena. IoT is a large, complex space and common issues include:
- Ubiquity – A large number of overall devices.
- Uniqueness – Devices are developed by different manufacturers with varying version numbers.
- Ecosystem – Multiple vendors are involved in creating each device, including hardware, firmware, and software.
This makes securing the Internet of Things difficult.
Hardening embedded technology
IoT devices often cannot be secured via standard enterprise security methods. After fostering the development of a community of dedicated IoT security professionals, the CIS IoT Community’s first task was to develop a consistent approach on how to apply the CIS Controls to IoT devices commonly found within an enterprise. The approach used throughout the IoT Guide was to assess:
- How applicable the CIS Control or Sub-Controls are to IoT – For instance, recommendations surrounding firewalls or network visibility may not directly apply to IoT.
- What challenges exist to implement a given CIS Control for IoT – Some IoT devices are “smarter” than others and may not offer the functionality needed to take advantage of advanced security measures.
- Any additional discussion necessary to secure a device.
By working together with subject matter expert volunteers, we developed the IoT Companion Guide to help your organization implement best practices across a range of connected devices.
Focus on the future
IoT devices are everywhere and our security needs to move with them. Devices are the thing within IoT and are the primary focus of this guide. Ready to start applying the CIS Controls Implementation Group to your IoT devices? Download the free guide now.