Conservative estimates predict there will be more than 50 billion devices connected to the internet by 2020. That's more than one internet-enabled device per person on the planet. "This smart technology is the fastest growing technology in history," said Peter Romness, Cybersecurity Lead for US Public Sector, Cisco. "But with every additional device comes increased security vulnerabilities."
Romness was one of three speakers at GovLoop and ConnellyWorks' Internet of Things event focused on securing these devices. "The old security posture doesn't work anymore, we can't build a strong enough wall to protect all of these devices. We need a new paradigm."
For Cisco the new security posture is in three parts:
- Before an attack - Governments need to know everything in the environment. How many devices are connected? Are there different levels of security clearances? Should a toaster have access to end-of-point sales?
- During an attack - Governments need to be able to block, detect and defend as best as possible.
- After an attack - Can your IT department isolate and locate the network intruder quickly and efficiently?
The Department of Homeland Security is also rethinking the government's security posture. DHS heads the government-wide cybersecurity outreach and initiatives and is working with agencies to identify and mitigate threats at all levels of government.
To combat the new threats brought on by the billions of connected devices, DHS has established three core initiatives. Mark Kneidinger, Acting Director for Federal Network Resilience in the office of Cybersecurity and Communications at the Department of Homeland Security, explained them.
Programs - DHS is focused on crafting, implementing and enforcing three distinct cybersecurity-focused programs. The program that is the furthest along is Continuous Diagnostics and Mitigation (CDM). CDM programs are already in 98.7 percent of government agencies. "CDM is focused on closing cyber gaps and increasing the capacity for agencies to be aware of the number of devices on their network. CDM is also helping agencies improve personnel authentication with enhanced personal identification cards and dealing with live cyber crisis events," said Kneidinger.
The second program - Einstein - is focused on collecting malicious information and blocking malicious activity on a government-wide scale. The final program DHS is leading is Trusted Internet Connections (TIC), which is consolidating trusted internet connections so there is less exposure to outside malicious attacks.
Metrics - In order for cybersecurity programs to be truly successful they need to be measurable. "Right now, in conjunction with the Office of Management and Budget's Cyber Sprint we are measuring how chief information officers are dealing with their high value assets. Right now, CIOs are responsible for reporting cyber incidents on a daily basis," explained Kneidinger. In addition, DHS put metrics in place for programs and critical areas that need to be addressed in order to close the cyber loop.
Communications - DHS has also taken the lead to improve awareness both with humans and machines. "From a machine perspective, we are leading an initiative where US-CERT to make sure that information is available through threat briefs to the entire government. We are also creating a dashboard activity as part of the CDM program that shows agencies what is on their network and a prioritization of those issues." But Kneidinger cautioned agencies to not forget the human element. "People are also key. The OMB cyber sprint activity is much more about improving communication between CIOs and their chief security officers. We now have the DHS director announcing critical vulnerabilities."
While DHS is taking the government-wide approach to security, the National Institute of Standards and Technology is unsurprisingly focused on making sure IoT has standards that can be replicated across departments. "For IoT technologies to be successful, the user can be able to securely take action based on the data provided," explained Sokwoo Rhee, Associate Director of Cyber-Physical Systems Program at NIST.
NIST is leading more than 50 states and more than 200 corporations to set up their own Smart City IoT applications. Rhee emphasized that security needs to be baked into each IoT solution. "These solutions need to be replicable, scalable and sustainable models. If the programs are insecure they aren't sustainable."
In the end, making sure these internet-connected devices are secure is a top priority. "The basis of IoT security is making sure we know what is on your network. Awareness is the first step," said Kneidinger.