The Internet of Things (IoT) is allowing government to dive into a new era of information technology. Connected devices are changing the way that governments operate internally and interact with constituents, making processes more effective and efficient. For example, through these connected devices, agencies can use sensors to collect data on everything from weather, to traffic patterns, to trash collection.
However, while increasing connectedness gives governments unprecedented insights, it also makes them more vulnerable to cyberthreats. In order to help agencies understand how to leverage sensors and devices while remaining secure, GovLoop and Brocade brought together cybersecurity experts from across sectors during GovLoop’s recent “Securing Government’s Connected Devices” roundtable.
Brian Wright, Manager of Systems Engineers at Brocade Federal, Department of Defense; Sokwoo Rhee, Associate Director of Cyber-Physical Systems at the National Institute of Standards and Technology; and Gregory Wilshusen, Director of Information Security Issues at the Government Accountability Office led a discussion where three trends became clear:
Get back to the basics. Securing connected devices in the Internet of Things is just one element of a holistic cybersecurity approach. However, in order to effectively secure sensors and devices, agencies must remember the fundamentals of cybersecurity. Wilshusen explained, “A big problem agencies have is that we are operating with vulnerable software where patches are not being implemented in a timely manner, leaving systems vulnerable to unauthorized access.”
This is especially problematic as agencies move into a more connected environment because new devices provide new ways to infiltrate a network. Wright emphasized that agencies must be diligent in their basic patch management processes but also take it a step further and secure the mechanisms between the user, the cloud and the device. “The channels in IoT open up windows into the agency’s cloud, network, and devices for attackers to inject malicious code,” he said. As a result, it is critical that agencies implement a cyber framework that addresses all of these facets.
Take an enterprise approach. As more departments within agencies begin using connected devices to drive their mission, it is important to remember that cybersecurity is not only an IT issue. “Cyber is everyone’s responsibility,” Wilshusen explained. “While it is an integral part of the jobs of CIOs and CISOs, it is also these leaders’ responsibility to assist other senior managers in implementing security safeguards over their individual program areas in order to secure the entire enterprise.”
However, it can be challenging to promote top-down support in an agency. In order to alleviate this challenge, Rhee recommended demonstrating the value of security devices in real-world scenarios. “Once you start showing governments benefits of security, they will start implementing a security framework and other governments will start looking at how that works and start replicating those secure methods throughout their agency,” he said.
Include securing devices in your risk management profile. Taking an enterprise approach to cybersecurity also means including cybersecurity as a risk factor in agencies’ overall risk profile. Wilshusen explained, “Cyber is not the only risk an agency will have, but it needs to be considered as one and agencies must appropriately evaluate that risk and devote the resources necessary to mitigate it.”
While there is no black-and-white way to do an IoT risk assessment, Wright emphasized that agencies can strike a balance between connected and not connected. He recommended looking at how important a sensor or device is to your agency’s mission, deciding if you absolutely need it or not, and if you do, building a framework of security around the particular device and the network that it is connected to.
Looking forward, agencies have to embrace connectivity and ensure that all devices are secure. “There will be 34 million connected devices by 2020,” Wright said. “IoT is not going to go away so we have to be proactive in thinking about it and include security elements from procurement all the way through deployment and implementation.”