White House Cybersecurity Coordinator Rob Joyce says IoT cybersecurity is a significant issue partially caused by a lack of accountable responsibility for security. The proliferation of unknown IoT devices that connect to or interact with your IT system without organizational knowledge– Shadow IT – is a concern for Federal as well as public networks.

“You have to understand the environment,” says Joyce. “You can’t protect what you don’t know about.”

Understanding the organization’s comprehensive IT environment is a cornerstone of enterprise threat modeling. Enterprise threat modeling allows organizations to

  • Gain a deep appreciation for the assets at risk throughout their cyber ecosystem;
  • Analyze the comprehensive attack surface and drill down to the source of any threat;
  • Visualize each attack vector as contained in the threat model portfolio;
  • Study the effectiveness of deployed or contemplated compensating controls; and
  • Quantify the effectiveness of implemented or planned security initiatives – including IoT cybersecurity.

Joyce’s position in the White House includes coordinating the efforts of various agency heads to execute the president’s executive order on cybersecurity.[1] That order, in part, directs agency heads to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity. [2]

The NIST Framework provides a high-level, seven-step process for improving organizational cybersecurity including IoT. A fundamental aspect of this framework is understanding the organization’s current cybersecurity posture and risk profile, articulating improved cybersecurity posture, and prioritizing steps to achieve improvements.

Implementing Shadow IT and IoT Cybersecurity

The challenge for Federal agency heads and organizational security leaders, however, is not understanding the improvement process from a general, high-level view. Rather, the challenge lies in how Federal agencies or organizations undertake each step outlined in the Framework. Understanding the current cybersecurity posture is particularly challenging inasmuch as every organization’s cyber ecosystem is dynamic, with a very fluid Shadow IT and IoT cybersecurity component. Furthermore, the threat landscape is constantly evolving with a plethora of new threats added daily. Static scans, pen-testing, and compliance checklists simply cannot keep up with the dynamic, fluid nature of a highly interconnected IT ecosystem. Undoubtedly each of these practices has its value as part of an organization’s overall security practices. However, each of them falls far short of helping organizations understand the full cyber environment, let alone helping security professionals understand the organization’s fluid threat portfolio and risk profile in today’s fast-paced Agile DevOps environments.

Fortunately, ThreatModeler™ does far more than simply automate the creation of application threat models. By making it simple for any stakeholder – including architects, developers, and operations teams – to build visual diagrams based on the architecture of a DevOps project, ThreatModeler™ enables organizations to analyze the threats inherent to and risks imposed by any addition to the cyber ecosystem – whether from applications, or infrastructure, or cloud-based environments, or IoT, embedded or mobile devices, or from more complex industrial control and cyber-physical systems.

Rob Joyce is correct is saying that understanding the cybersecurity ‘big picture’ of an agency or an organization is a challenge. Moreover, the dynamic, fluid nature caused by Shadow IT and IoT devices only adds to the difficulties of securing assets and protecting infrastructure. The president’s cybersecurity executive order requires agency heads to objectively plan and prioritize specific objectives for improving cybersecurity following the NIST Framework. Every organization would do well to do the same. While the Framework specifically provides a high-level roadmap for improving cybersecurity, the means to implement that Framework is found in enterprise threat modeling with ThreatModeler™.

Learn more about enhancing your organization’s cybersecurity by scheduling a demo with a ThreatModeler™ expert.

[1] Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. May 11, 2017.

[2] Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology: Gaithersburg. February 12, 2014.