: IoT Risk Assessment
Table of Contents

IoT Risk Assessment

IoT Security assesses risk and assigns a risk score for devices, device profiles, sites, and organizations.
Assessing risk is a continuous process of discovering vulnerabilities and detecting threats. During this ongoing process, IoT Security measures risk and assigns a score for the amount of risk it observes. In fact, IoT Security measures and scores risk at four levels, starting from individual IoT devices and expanding in scope to device profile, site, and finally organization. The different scores provide a simple means to check the risk posed at various points and areas of your network.
When assessing risk, IoT Security uses both static and dynamic factors. Static risks form a baseline and include the following:
  • All MDS2 risks (for medical equipment)
  • Intrinsic risk factors specific to a profile such as OS, applications, roles, environment
  • Trending threats that are hard to mitigate
  • The usage behavior specific to a profile or a device
Dynamic risks are added on top of the baseline risk:
  • Threats detected in real time (example: alerts)
  • Behavioral risks (anomalies, user practice issues) which also trigger alerts
  • Vulnerabilities (discovered through passive analysis and detections and through vulnerability scans using integrated third-party vulnerability scanning engines like Qualys and Rapid7)
By collecting and modeling data and analyzing vulnerabilities and threats, IoT Security calculates risk on a daily basis. The risk scores it generates consists of alerts, vulnerabilities, behavioral anomalies, and threat intelligence. When calculating the risk scores of device profiles, sites, and organizations, IoT Security considers not only the scores of individual devices within a particular group but also the percent of risky devices in relation to all devices in the group.
The following sections provide more information about the risk scores that IoT Security generates for these four levels: device, device profile, site, and organization.

Device Risk

IoT Security displays the risk score for each device in the Risk column on the Devices page (
). It generates risk scores for devices on a daily basis.
Also see the
Device Details
page (
> Device Details
) where the device risk score is listed twice—at the top and in the Security summary section. The Risks section includes a graph that charts changes in the risk score over the specified period of time: day, week, month, year, or all to date. The graph lets you see how the risk score trends over time. Hover your cursor over a marker on the line to see a list of alerts for that point in time. Click a marker to see a list of alerts below the graph.

Device Profile Risk

IoT Security displays risk scores for device profiles in the Risk column on the Profiles page (
IoT Security uses the scores of individual at-risk devices (that is, those with a risk score of 40 or higher) in the same profile to calculate the risk score for the entire device profile. However, it’s not as simple as averaging the risk scores of all the devices in the profile. The computation takes other factors into consideration such as the number of risky devices in the profile.
For example, if five devices in the same profile have individual risk scores of 42, IoT Security would calculate the risk score for the profile to be 89. In this case, because all of the devices in the profile are at risk, the profile score becomes higher than you might have expected at first.
Consider another example, again with five devices in the same profile. One device is at high risk with a score of 98. The other four devices are at normal risk each with a score of 30. In this case, IoT Security calculates the risk score for their profile to be 64. In such a small set, the one high-risk device has a much greater impact on the profile score than it would if the scores of more devices had been involved in the calculation.

Site Risk

See the Risk Score column in the Risk column on the Sites page (
Networks and Sites
The formula that IoT Security uses to calculate the risk score for a site uses a weighted average of device profile risk scores, the weight for each profile being determined by the number of devices in the profile and the profile risk level.

Organization Risk

See the Risk Score in the Risk panel on the
Security Dashboard
IoT Security uses the same method to calculate the risk score for an organization as it does for sites.

Risk Scores and Severity Levels

The following explains how the severity of a risk score is ranked:
Risk score
Risk severity
< 40
This is a normal risk level.
There might be a few anomalous network behaviors, medium-level alerts, and vulnerabilities with CVSS (Common Vulnerability Scoring System) scores between 4.0 and 6.9.
There might be multiple highly anomalous behaviors, high-level alerts, and vulnerabilities with CVSS scores between 7.0 and 8.9.
There might be multiple extremely anomalous behaviors, critical alerts (such as a malware attack), and vulnerabilities with the highest CVSS score of 10.

Adjust Device Risk Scores

It’s possible to adjust how much individual risks contribute to the overall risk score of a device. On the
page, click a number in either the Confirmed Instances or Potential Instances column to see details of a vulnerability including which devices it affects or potentially affects. Then click a device name in the Instance column to open the Device Details page for it.
IoT Security categorizes CVE-based risks differently based on their source. When IoT Security discovers them through its internal vulnerability-matching logic (Source = IoT Security Device Software Library) or as a result of a vulnerability scan, it categorizes them as vulnerabilities. When a firewall applies Threat Protection and reports them to IoT Security (Alert Source = Firewall), IoT Security categorizes them as alerts. This is why the Risks section on the Device Details page sometimes has two subsections: <number>
Risks Associated
and <number>
Alerts Detected
. The Adjust option only appears in the Action menu for vulnerabilities; or, in other words, for risks not categorized as alerts.
In the Risks section, expand the Actions menu for a vulnerability and then click
Take the severity of this risk and its impact on the organization into account and adjust how much you think it should contribute to the overall risk score of the device. Choose whether it makes a low, medium, or high contribution.
Note that the influence of the change you make on the overall score depends on the number and severity of other risk factors. If there are lots of risks, adjusting how much a single risk contributes to the score might not affect it much if at all. On the other hand, if there are only a few risks, adjusting the contribution of one can change the score significantly.

Alerts for Risk Score Changes

When the increase of a risk score causes it to cross a threshold separating one risk level from another, IoT Security generates a risk change alert. (Crossing a risk level threshold as the result of a risk decrease does not trigger an alert.) A risk increase triggers an alert with differing severity levels depending on the new severity of the risk:
  • Warning
    when the risk level increases from high to critical
  • Caution
    when the risk level increases from medium to high
    To reduce the overall number of alerts generated, no alert is triggered when the risk level increases from low to medium.
In addition to risk scores changing because of a manually adjusted risk factor, they can also change for the following reasons:
Increased risk
  • A daily risk refresh discovers new vulnerabilities or increased CVSS risk scores.
Decreased risk
  • A user resolves a risk factor.
  • A daily risk refresh discovers reduced vulnerabilities or decreased CVSS scores or mitigated risks.

Resolve Risks

You can resolve vulnerabilities and security alerts through a workflow built into the IoT Security portal. Essentially, you resolve them by either mitigating or ignoring the vulnerability or alert. As a result, the device risk score might be lowered depending on other contributing factors such as the severity of the risk and the number and severity of other risks. Resolving a vulnerability or alert on a device might similarly affect its profile, site, and organization risk scores depending on how big of an impact the change makes in relation to the number and risk levels of other devices in the same group. For information about resolving vulnerabilities and security alerts, see Vulnerability Details Page and Act on Security Alerts.

Recommended For You