IS Audit Basics: Auditing the IoT

I recently had the honor of being interviewed by ISACA about my role as an IT auditor as they begin the planning to update the Certified Information Systems Auditor (CISA) job practice areas in 2019. At the end of the interview, I was somewhat surprised when I was asked what type of people are attracted to IT audit. When I hesitated, I was asked if they were the “introverted, techie types.” Now, I cannot speak for all IT auditors, but I suppose I am.

Certainly, I enjoy technology in all its shapes and forms, including science fiction. I am especially a fan of Star Trek, my favorite being Star Trek: The Next Generation. However, as an IT auditor, do you ever find yourself watching an episode and wondering, “Who audits that?” Seriously, for example, when Captain Picard¹ asks the replicator² for an “Earl Grey, hot,” what does “hot” mean? How hot is hot? Does someone validate that it is really Earl Grey?

Of course, the real reason I enjoy Star Trek is that it is a predictor of technology. Certainly, the badge communicator, the tricorder,³ probes, sensors and the replicator predicted the Internet of Things (IoT).⁴ Which brings me back to my original question: How do we audit these items?

I must admit I never audited any IoT technologies. I am an experienced auditor, so if I had to audit them, I would perform any necessary research and do a reasonable job. However, ISACA’s IS Audit and Assurance Standard 1006, Proficiency,⁵ requires me to have adequate skills and proficiency and adequate knowledge of the subject matter.

So, what can we do? Another of ISACA’s IS Audit and Assurance Standards 1206, Using the Work of Other Experts, requires that IS audit and assurance professionals consider using the work of other experts for the engagement, where appropriate.⁶ At EuroCacs 2018, in Edinburgh, Scotland, I attended a session “Auditing the IoT” by R. V. Raghu. Raghu has experience with these technologies, so I reached out to him. Our combined thoughts are framed under the headings of the now familiar ISACA paper on creating audit programs.⁷

Determine Audit Subject

The first thing to establish is the audit subject. This is easier said than done as IoT has no universally accepted definition.⁸ ISACA has defined IoT as anyone or anything carrying embedded software that enables interaction with other animate or inanimate objects across networks, including the Internet. Interaction entails sharing and processing information to influence decision-making and/or actions with or without human intervention.⁹ Examples of commercial or business applications of IoT include:¹⁰

• Industrial appliances
• Devices for the medical profession
• Devices for agriculture
• Devices and features for the automobile industry

The key is to consider all IoT devices in use at your enterprise and to determine the audit subject(s). You need to answer the key question: What are you auditing?

Define Audit Objective

Once we have decided what we are auditing, we need to establish the objective of the audit. Why are we auditing it? From an auditor’s perspective, it is advisable to adopt a risk-based view (figure 1) and define the objectives accordingly.

The technical risk can be further defined as:¹¹

• Software updates and patches. The time for a patch to be released may be longer than the typical cycle for non-IoT devices.
• Hardware lifespan. IoT devices have their own life cycle, often with built-in obsolescence. Components such as nonreplaceable batteries in IoT devices require life cycle planning and asset management processes specific to IoT.
• User IDs and passwords to control access either do not exist or are hard coded.
• IoT devices can be hacked quickly but take days or weeks to rectify. The wider consequences remain unknown because it is difficult to know what has been seen, modified or stolen.
• Cybercriminals can plant back doors for future automated attacks in or from IoT devices; typical attacks include botnet distributed denial-ofservice (DDoS) attacks.
• Hackers can use IoT devices as an entry point to an enterprise’s networks.
• Hacking smart heating, ventilation and air conditioning (HVAC) systems and energy meters can destroy critical infrastructure by jamming and manipulating controls.

Set Audit Scope

When the objectives of the audit have been defined, the scoping process should identify the actual IoT devices that need to be audited. In other words, what are the limits to the audit? This is easier said than done, as the devices are not just the sensors and include supporting infrastructure such as the connectivity and data collection methods, the cloud or other storage means, and the algorithms used for processing the data.

Perform Pre-Audit Planning
Now that the risk scenarios have been identified, they should be evaluated to determine their significance. Conducting a risk assessment is critical in setting the final scope of a risk-based audit.¹² Assurance considerations for the IoT include:¹³

• How will the device be used from a business perspective? What business processes are supported and what business value is expected to be generated?
• What is the threat environment for the device? What threats are anticipated and how will they be mitigated?
• Who will have access to the device and how will their identities be established and proven?
• What is the process for updating the device in the event of a published attack or vulnerability?
• Who is responsible for monitoring for new attacks or vulnerabilities pertaining to the device? How will they perform that monitoring?
• Have all risk scenarios been evaluated and compared to anticipated business value?
• What personal information is collected, stored or processed by the IoT devices and systems?
• Do the individuals about whom the personal information applies know that their information is being collected and used? Have they given consent to such uses and collection?
• With whom will the data be shared/disclosed?

Finally, the auditee should be interviewed to inquire about activities or areas of concern that should be included in the scope of the engagement.

Determine Audit Procedures and Steps for Data Gathering

At this stage of the audit process, the audit team should have enough information to identify and select the audit approach or strategy and start developing the audit program.¹⁴ However, the testing steps do need to be defined.

It is important to reiterate that IoT has no universally accepted definition; therefore, there are no universally accepted standards for quality, safety or durability.¹⁵ Similarly, there are no universally accepted audit/assurance programs.

It is, therefore, proposed to review the distinct aspects of IoT by considering (figure 2):

• General baseline controls—Minimum controls that need to be applied to all aspects of the technology
• Data-related controls—Such as controls that apply to the data forming a key part of IoT
• Analysis and learning-related controls—Applied to ensure that the analysis is ethical and enables trusted use of the data and that outcomes of analysis can be applied to business decision-making
• Business and process alignment—Related aspects which ensure that the IoT implementation is aligned to business needs and that business benefits are delivered as required

Applicable sources of assurance for each of the previously mentioned are defined in figure 3. Some of these relate directly to the IoT while others are more generic and should be applied to relevant IoT components.

Conclusion

IoT is not science fiction and is very much here to stay and can bring great business value. Unfortunately, as is often the case with technology, it has developed ahead of many of the desired controls, including sources of assurance. It is, therefore, advisable to adopt a generic auditing model and to select the applicable controls from the available documentation. In our enterprises, it is up to each of us to “make it so.”³⁵

Endnotes

¹ Star Trek Database, Picard, Jean-Luc, www.startrek.com/database_article/picard-jean-luc
² Star Trek Database, Replicator, www.startrek.com/database_article/replicator
³ Raidió Teilifís Éireann, “Star Trek-Type Medical Tricorder a Step Closer,” 7 June 2018, https://www.rte.ie/news/2018/0607/968778-tricorder/
⁴ ISACA, Assessing IoT, USA, 2017
⁵ ITAF, Information Systems Audit and Assurance Framework, USA, 2014, p. 18
⁶ Ibid., p. 33
⁷ ISACA, Information Systems Auditing: Tools and Techniques, Creating Audit Programs, USA, 2016
⁸ ISACA, Assessing IoT Upsides, Downsides and Why We Should Care About Them, USA, 2017
⁹ Ibid.
¹⁰ Ibid.
¹¹ Ibid.
¹² ISACA, Audit Plan Activities: Step-By-Step, USA, 2016
¹³ ISACA, Internet of Things: Risk and Value Considerations, USA, 2015
¹⁴ Op cit, Audit Plan Activities: Step-By-Step
¹⁵ Op cit, Assessing IoT Upsides, Downsides and Why We Should Care About Them
¹⁶ The Open Web Application Security Project (OWASP), IoT Security Guidance, https://www.owasp.org/index.php/IoT_Security_Guidance
¹⁷ GSM Association, IoT Security Assessment, https://www.gsma.com/iot/iot-security-assessment/
¹⁸ Cloud Security Alliance, Future Proofing the Connected World, https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/
¹⁹ Information Assurance Support Environment, STIGs Master List (A-Z), https://iase.disa.mil/stigs/Pages/a-z.aspx
²⁰ Center for Internet Security, CIS Benchmarks, https://www.cisecurity.org/cis-benchmarks/
²¹ Op cit OWASP
²² Op cit Cloud Security Alliance
²³ ISACA, COBIT 5: Enabling Information, USA, 2013
²⁴ ISACA, HIPAA Audit/Assurance Program, USA, 2017
²⁵ ISACA, ISACA Privacy Principles, Governance and Management Program Guide, USA, 2016
²⁶ Cooke, I.; “Auditing Data Privacy,” ISACA Journal, vol. 3, 2018, https://www.isaca.org/resources/isaca-journal/issues
²⁷ ISACA, General Data Protection Regulation (GDPR) Readiness, Assessment and Compliance, https://www.isaca.org/search#q=gdpr
²⁸ Op cit OWASP
²⁹ Op cit Cloud Security Alliance
³⁰ Op cit ISACA Privacy Principles, Governance and Management Program Guide
³¹ Op cit Cooke
³² Op cit ISACA General Data Protection Regulation (GDPR) Readiness, Assessment and Compliance
³³ GitHub, Bias Testing for Generalized Machine Learning Applications, https://github.com/pymetrics/audit-ai
³⁴ ISACA, COBIT 5, USA, 2012
³⁵ “Make it so” is the phrase Star Trek’s Captain Picard uses when he wants an order implemented.