126.96.36.199 Lab – Evaluate the IoT Security Risk in an Industry Sector (Instructor Version)
- Part 1: Research Risks for an Industry Sector
- Part 2: Investigate the Potential Impact of a Security Breach
- Part 3: Describe Security Measures for Your Industry Sector
Background / Scenario
Any implementation of IoT is going to have risk associated with it. Risks could range from fairly insignificant to very destructive depending on the market, equipment, number of people affected, and numerous other factors.
In this lab, you will research an industry sector and evaluate the risks associated with implementing an IoT solution. One of the following industry sectors will be assigned to you.
- technology industries
- Computer with Internet access to be used for research
Part 1: Research Risks for an Industry Sector
In Part 1, you will research your industry sector to determine the risks posed by a security breach. The questions will guide you through some of the things you should look for when determining the severity of an IoT security breach. There are many other questions that could be asked to determine risk. Try to formulate other questions that would be important to determine risk.
a. What types of communications services or protocols are used for connecting IoT devices in your industry sector?
Wired or wireless Ethernet, serial communication, I2C, Bluetooth, cellular, HTTP, HTTPS
b. What are some of the known vulnerabilities?
WiFi can have weak encryption, HTTP is plain text, Bluetooth can be hijacked, serial communication can be tapped into, and Ethernet traffic in general can be sniffed and captured.
c. What type of data is being transmitted or stored?
Would altering the data transmitted or stored be damaging? Altered data such as health readings could pose a life-threatening situation. Data such as storm information could cause a panic much like what happened in Hawaii earlier this year.
d. What types of equipment are being monitored or managed?
Depending on the vertical, equipment monitored could be anything from a healthcare device to electrical grid equipment.
e. What other questions are unique to your industry sector?
Part 2: Investigate the Potential Impact of a Security Breach
In this part, use the information gathered from your research above to answer the following questions:
a. What is the security risk with the data being compromised?
Is the risk life threatening, financial, personal, etc.?
b. Is the security risk life threatening? In what way is safety impacted?
Certainly, healthcare device tampering has the potential to be life threatening. Tampering with things like the electrical grid could have a major impact on many people's lives.
c. Does the security risk pose a financial loss? Describe the financial impact.
Most any security breach has some financial impact. Loss could stem from lost time, damaged equipment or confidential data.
d. Does the security risk expose personal identity information? What types of information might be exposed?
If the breach lets the attacker gain internal access, it is possible that PII may be compromised. The Target breach exposed millions of individuals.
Part 3: Describe Security Measures for Your Industry Sector
Based on your research, construct an argument for what security measures are needed in your industry sector. Discuss your findings with the other groups to see if you can come to a consensus on security measures that all the industry sectors have in common. What security measures are unique to your industry sector?