Shadow IT and IoT Cybersecurity

IoT Cybersecurity

White House Cybersecurity Coordinator Rob Joyce says IoT cybersecurity is a significant issue. In part, the issue is caused by the lack of a responsible party. According to Joyce, it is difficult at best to know who is patching what and who is responsible for security. The proliferation of IoT devices that connect to or interact with your IT system – the so-called Shadow IT – is a concern for Federal as well as public networks. “You have to understand the environment,” says Joyce. “You can’t protect what you don’t know about.”

Understanding the organization’s comprehensive IT environment is a cornerstone of enterprise threat modeling. Enterprise threat modeling allows organizations to

  • Gain a deep appreciation for the assets at risk throughout their cyber ecosystem;
  • Analyze the comprehensive attack surface and drill down to the source of any threat;
  • Visualize each attack vector as contained in the threat model portfolio;
  • Study the effectiveness of deployed or contemplated compensating controls; and
  • Quantify the effectiveness of implemented or planned security initiatives – including IoT cybersecurity.

Joyce’s position in the White House includes coordinating the efforts of various agency heads to execute the president’s executive order on cybersecurity.[i] That order, in part, directs agency heads to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity.[ii]

The NIST Framework provides a high-level, seven-step process for improving organizational cybersecurity including IoT cybersecurity. A fundamental aspect of the Framework is understanding the organization’s current cybersecurity posture and risk profile, articulating an improved cybersecurity posture, and prioritizing the steps to take to achieve the improvements.

Implementing Shadow IT and IoT Cybersecurity

The challenge for Federal agency heads and organizational security leaders, however, is not understanding the improvement process from a general, high-level view. Rather, the challenge lies in how Federal agencies or organizations will undertake each step outlined in the Framework. Understanding the current cybersecurity posture is particularly challenging inasmuch as every organization’s cyber ecosystem is dynamic, with a very fluid Shadow IT and IoT cybersecurity component. Furthermore, the threat landscape is constantly evolving with a plethora of new threats added daily. Static scans, pen-testing, and compliance checklists simply cannot keep up with the dynamic, fluid nature of a highly interconnected IT ecosystem. Undoubtedly each of these practices has its value as part of an organization’s overall security practices. However, each of them falls far short of helping organizations understand the full cyber environment, let alone helping security professionals understand the organization’s fluid threat portfolio and risk profile in today’s fast-paced Agile DevOps environments.
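Joyce’s point that “you can’t protect what you don’t know about,” and the argument above that point-in-time scans miss devices that come and go, both come down to continuously reconciling what is actually on the network against what the organization knows it owns. The script below is an added illustration, not code from the original post or from ThreatModeler: it parses constructed ISC dhcpd-style DHCPACK log lines, compares each leased MAC address against a hypothetical asset inventory, and reports any device that has obtained an address without being in the inventory (a shadow IT/IoT candidate) together with when it first appeared and how often it has renewed.

```python
import re

# Constructed inventory of sanctioned devices: MAC -> (owner, description).
# Hypothetical values for illustration only.
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:01": ("IT", "badge-printer-2f"),
    "00:1a:2b:3c:4d:02": ("facilities", "hvac-controller-b1"),
}

# Constructed ISC dhcpd-style syslog excerpt (DHCPACK = lease granted).
SAMPLE_LOG = """\
May 11 09:01:12 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:1a:2b:3c:4d:01 via eth0
May 11 09:03:45 dhcp1 dhcpd: DHCPACK on 10.20.5.44 to 3c:9f:aa:00:11:22 (smartplug-kitchen) via eth0
May 11 09:07:02 dhcp1 dhcpd: DHCPDISCOVER from 3c:9f:aa:00:11:22 via eth0
May 11 10:15:30 dhcp1 dhcpd: DHCPACK on 10.20.5.45 to 00:1a:2b:3c:4d:02 via eth0
May 11 11:40:09 dhcp1 dhcpd: DHCPACK on 10.20.5.46 to 3c:9f:aa:00:11:22 (smartplug-kitchen) via eth0
May 11 12:02:51 dhcp1 dhcpd: DHCPACK on 10.20.5.90 to d4:81:d7:55:66:77 (camera-lobby) via eth0
"""

# Matches only DHCPACK lines; the optional parenthesised field is the client hostname.
ACK_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})(?: \((\S+)\))? via"
)

def parse_acks(text):
    """Yield (timestamp, ip, mac, hostname) for each DHCPACK line; other lines are ignored."""
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            yield ts, ip, mac.lower(), host or "-"

def find_shadow_devices(text, inventory=KNOWN_ASSETS):
    """Return {mac: {first_seen, last_ip, hostname, acks}} for leased devices not in the inventory."""
    unknown = {}
    for ts, ip, mac, host in parse_acks(text):
        if mac in inventory:
            continue  # sanctioned asset, nothing to report
        entry = unknown.setdefault(mac, {"first_seen": ts, "last_ip": ip, "hostname": host, "acks": 0})
        entry["last_ip"] = ip      # track the most recent address in case it changed
        entry["acks"] += 1         # renewal count hints at how persistent the device is
    return unknown

if __name__ == "__main__":
    for mac, info in find_shadow_devices(SAMPLE_LOG).items():
        print(f"UNKNOWN {mac} host={info['hostname']} first_seen={info['first_seen']} "
              f"last_ip={info['last_ip']} acks={info['acks']}")
```

Run continuously against the live DHCP log (or the equivalent from NAC, switch MAC tables or a cloud asset API) rather than once, and feed each new unknown into the threat model as an asset whose attack surface has not yet been assessed.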

Fortunately, ThreatModeler™ does far more than simply automate the creation of application threat models. By making it simple for any stakeholder – including architects, developers, and operations teams – to build visual diagrams based on the architecture of a DevOps project, ThreatModeler™ enables organizations to analyze the threats inherent to, and the risks imposed by, any addition to the cyber ecosystem – whether from applications, infrastructure, cloud-based environments, IoT, embedded or mobile devices, or more complex industrial control and cyber-physical systems.

Rob Joyce is correct in saying that understanding the cybersecurity ‘big picture’ of an agency or an organization is a challenge. Moreover, the dynamic, fluid nature caused by Shadow IT and IoT devices only adds to the difficulties of securing assets and protecting infrastructure. The president’s cybersecurity executive order requires agency heads to objectively plan and prioritize specific objectives for improving cybersecurity following the NIST Framework. Every organization would do well to do the same. While the Framework provides a high-level roadmap for improving cybersecurity, the means to implement that Framework is found in enterprise threat modeling with ThreatModeler™.

Learn more about enhancing your organization’s cybersecurity by scheduling a live ThreatModeler™ demo.


[i] Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. May 11, 2017. https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal

[ii] Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology: Gaithersburg. February 12, 2014. https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf