A modular framework for auditing IoT devices and networks

Abstract

In recent years, we have seen significant growth in the use of IoT devices as part of conventional enterprise networks to increase the operations, services, and functionality of business processes. The use of IoT technologies in businesses is expected to grow more in the coming years due to smart sensors, more computing power, and reliable mobile connectivity with 5 G capabilities. Since enterprise networks are liable to customers’ data and they generally have to follow certain compliances and regulations (e.g., PCI-DSS, HIPAA, etc.), they are always concerned about the overall security of their IT and security infrastructures. To address this concern, they have IT auditors that periodically analyse and assess different parts of IT infrastructure to ensure processes and systems run accurately and efficiently while remaining secure and meeting compliance regulations. Unfortunately, as of this writing, there is no customized or standalone standard that IT auditors can follow when they evaluate an IT infrastructure that has IoT devices installed. Since IoT devices have their own unique characteristics, it does not practical to use traditional IT auditing standards to audit IoT devices nor such practices can provide any meaningful audit results that can prevent corporations from violating their required compliances or regulations. This implies that if organizations want to take full advantage of IoT technologies for increasing profitability, they cannot rely on conventional IT auditing practices unless the auditors are equipped with a proper auditing framework tailored to audit IoT devices. Motivated by this, we present a modular IoT auditing framework to audit an enterprise network that consists of IoT devices. To support the implementation of the proposed framework, we provide a set of auditing questions covering all security-related features of IoT devices such as firmware, hardware, physical/logical security, communication, and data privacy.