[IoT동향자료_국외기관발행] Securing the “Internet of Things” Survey(SANS)

Executive Summary

The “Internet of Things” has been attracting a lot of buzz—the latest Gartner Hype Cycle
for Emerging Technologies places it almost at the “Peak of Inflated Expectations” (see
Figure 1).

But what exactly is the Internet of Things? And what will it mean to cybersecurity?
There are other terms in use that generally mean the same thing. The National Security
Telecommunications Advisory Council (NSTAC) has initiated a working group to look at
the national security implications of the “Industrial Internet,”1 and the National Institute
of Standards and Technology (NIST) has used the term “Cyber-Physical Systems.”2 Several
vendors have also used the term the “Internet of Everything.” However, Internet of Things
(IoT) is the most widely used term.
SANS uses a simple definition of the Internet of Things:3
The Internet enables any-to-any connectivity. Smart buildings, HVAC and even
physical security technologies are now connected, as are handheld smart devices
and more. The latest wave of ’things’ connecting to users, businesses and other
‘things’ using mixtures of wired and wireless connectivity, includes but is not limited
to automobiles, airplanes, medical machinery and personal (implanted) medical
devices, and SCADA systems (windmills, environmental sensors, natural gas
extraction platforms, hydro systems, you name it).

SANS defines four waves of devices making up the Internet of Things:
1. PCs, servers, routers, switches and other such devices bought as IT devices by
enterprise IT people, primarily using wired connectivity
2. Medical machinery, SCADA, process control, kiosks and similar technologies
bought as appliances by enterprise operational technology (OT) people
primarily using wired connectivity
3. Smartphones and tablets bought as IT devices by consumers (employees)
exclusively using wireless connectivity and often multiple forms of wireless
connectivity
4. Single-purpose devices bought by both consumers, IT and OT people exclusively
using wireless connectivity, generally of a single form
It is this fourth wave that most people envision when they think of the IoT, but many in
the security community who responded to the SANS Securing the “Internet of Things”
Survey recognized that they are already dealing with the security issues of the first three
waves and have started to see the leading edge of the fourth wave.
Another important aspect of this fourth wave is the dramatic growth of embedded
computing and communications capabilities into just about everything—automobiles,
trains, electric meters, vending machines and so on. Many of these items have had
embedded software and processors, but mobile Internet connectivity is being added
and bringing them onto the IoT. The embedded nature of the software causes problems
for enterprise vulnerability assessment and configuration management processes.
In October 2013, SANS set out to find out what the security community thought about
the current and future security realities of the IoT by posting a survey for security
personnel active in the IT space. This report documents in detail the results provided by
the 391 respondents. Key findings include the following:
• The majority of the cybersecurity community is already familiar with the security
issues around the IoT, largely driven by the impact they have already seen from
smartphones, tablets and industrial control systems.
• After consumer devices (such as smartphones and tablets), smart building and
industrial control systems are the most frequently cited near-term sources of new
devices to secure, followed by medical devices.
• While 40% of respondents feel that securing the IoT will require only minor
enhancements to their security controls, 78% either are unsure about their
capabilities for basic visibility and management of Things they will need to secure
or lack the capability to secure them.
• Because of the perceived difficulties in securing the IoT, the SANS security
community would like to see the manufacturers of Things play a major role in
responsibility for security of devices.