Operational Risk Assessment on Internet of Things: Mitigating Inherent Vulnerabilities

摘要

Internet of Things (IoT) is a relatively new term attributed to the wave of technologies that connect to the Internet to provide connectivity and remote access to users. However, this seemingly convenient new capability brought with it an influx of security vulnerabilities that provide new points of entries for potential adversaries. One of the most infamous attacks on loT was the Mirai botnet, which caused one of the largest and most disruptive Distributed Denial of Service (DDoS) attacks. Unfortunately, even in the aftermaths of the attack, the 351-billion-dollar industry (as of Jan 2018) continues to manufacture IoT with a myriad of security flaws without strictly enforced guidelines. Consequently, there has been numerous attempts to highlight the different security vulnerabilities associated with IoT. In a 2017 report, the U.S. Department of Defense identified multiple IoT-related risks including potential exploitations from supply chain, limited encryption as well as poor built-in security of the systems. However, there is still limited research in terms of their operational impact in the network. With countless systems currently deployed in critical environments such as the U.S. government, medical facilities, and critical infrastructure, deeper investigation of these vulnerabilities in their operational context are warranted. Here we present a preliminary analysis of IoT systems' operational risk factors based on the current methodologies of assessing security risks, and propose policies on their acquisition and proper use for organizations that employ the systems to help mitigate the risks discussed. We assert that an assessment of the operational risk in conjunction with the security vulnerabilities is necessary in order to fully capture the potential effects of the integration of IoT in an organization. Finally, we conclude with a discussion of future directions in research that will help visualize the risks and implications in IoT-saturated networks.