A glance at the hypothetical Internet of Things cybersecurity scenarios identified by the Department of Defense is enough to set off alarm bells.
In one IoT scenario highlighted in a July 2017 report issued by the Government Accountability Office, adversaries attack an electrical system linked to a smart meter, shutting down air conditioning systems and crashing DOD servers. In another, a malicious insider takes advantage of lax security to seize control of water systems and flood a ship in dry dock. The report even mentions the possibility of physical attacks on DOD leaders by hackers who exploit the systems of internet-connected vehicles.
“It is really, really critical that we get this right,” says Bob Scollar, IoT enterprise functional team lead at the National Security Agency, of IoT security. “You can see the potential of the technology to have life-changing impacts. We want to be prepared in every way that we can.”
The benefits that IoT solutions offer to the government are nearly limitless, but they come with challenges, some obvious and others largely hidden. Agencies are exploring IoT deployments carefully, working to close the gaps between existing security policies and the vulnerabilities IoT devices introduce. Federal IT leaders must strike a balance that addresses security risks while maintaining the utility of IoT systems.
IoT Systems Present a Diverse Set of Risks
Federal IT leaders have numerous security concerns about IoT.
According to the GAO report, “Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD,” defense agencies have issued policies and guidance for IoT devices, but those policies have gaps. “There’s an emerging recognition of the perils, and there’s an emerging response to them,” says Joseph Kirschbaum, director of defense capability and management at GAO and lead author of the report. “The agencies are not quite there yet, but they want to get there.”
Frank Konieczny, CTO for the Air Force, says the service’s mobility policies currently cover IoT, but he acknowledges it has more work to do.
“We probably need a broader and more expansive policy for IoT devices,” he says. “It’s a question of, what do we have to do to defend this part of the network, and what devices do we have to cut off?”
According to Army spokesperson Wayne Hall, the GAO report is “generally in line with” Army IT officials’ experience and expectations. “Internet of Things is an emerging space,” he says. “We still have extensive research and testing to do with devices as a networked asset.”
The Promise and Peril of IoT for Feds
Already, the Air Force uses IoT solutions for tasks such as monitoring vehicle engine wear, and it pilots a number of “smart base” tools. Konieczny acknowledges that these solutions leave the service’s physical assets vulnerable to a successful cyberattack.
For example, he says, an adversary might attack monitoring systems to make it appear as though a fuel tanker’s tires have gone flat, temporarily taking the vehicle out of commission.
The threat has agencies scrambling to tighten defenses before vulnerabilities are exploited. “We’re just trying to get ahead of the curve right now,” Scollar says.
While the prospect of hackers taking over building systems or vehicles is alarming, new IoT connections also expose agencies' conventional IT systems, not just their physical facilities. A hacker could gain an initial foothold on the network through a weakly protected IoT device and, if that device is not segmented from the rest of the network, move laterally to more critical IT assets such as workstations and servers.
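The lateral-movement risk described above is easiest to see against a concrete segmentation policy. The following is an added example, not code from the article or from any DOD network: it defines hypothetical network zones and a default-deny allowlist between them, audits constructed flow records against that policy, and searches for paths from an IoT host to a server-zone host that traverse at least one policy violation. All zone names, addresses, ports and flow lines are assumptions made for illustration.

```python
"""Audit flow records against an IoT network-segmentation policy.

Added example, not code from the article or from any DOD system. Zones,
addresses, ports and the flow lines below are constructed for illustration.
"""
import ipaddress
from collections import deque

# Zone -> address range. A flat network would put all of these in one zone.
ZONES = {
    "iot": ipaddress.ip_network("10.50.0.0/16"),         # smart meters, building controls
    "ics": ipaddress.ip_network("10.60.0.0/16"),         # industrial control systems
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),  # user workstations
    "dc": ipaddress.ip_network("10.20.0.0/16"),          # servers, incl. the IoT collector
}

# (initiator zone, responder zone) -> allowed destination ports. Anything not
# listed is denied: IoT and ICS devices may reach only their collector service.
POLICY = {
    ("iot", "dc"): {8883},             # MQTT over TLS to the collector
    ("ics", "dc"): {4840},             # OPC UA to the historian
    ("enterprise", "dc"): {443, 3389},
    ("enterprise", "iot"): {443},      # admin access to a device web UI
    ("enterprise", "ics"): {443},
}


def zone_of(ip):
    """Name of the managed zone containing ip, or None (e.g. internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line):
    """Parse '<ts> <src> <dst> <dport> <proto>' (a constructed record format)."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flow(flow):
    """Return None if the flow complies with POLICY, else a reason string."""
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if sz is None or dz is None:
        return "endpoint outside any managed zone"
    allowed = POLICY.get((sz, dz))
    if allowed is None:
        return f"{sz}->{dz} not permitted"
    if flow["dport"] not in allowed:
        return f"{sz}->{dz} port {flow['dport']} not permitted"
    return None


def audit(lines):
    """Return [(flow, reason)] for every record that violates POLICY."""
    out = []
    for line in lines:
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            out.append((flow, reason))
    return out


def exposure_paths(lines, from_zone="iot", to_zone="dc"):
    """BFS over the observed host graph from every from_zone host.

    Returns {to_zone host: shortest simple path} for hosts reachable over a
    path that uses at least one violating flow. Allowed hops after the first
    violation still count, which is exactly how lateral movement works.
    """
    edges = {}
    for flow in (parse_flow(l) for l in lines):
        edges.setdefault(flow["src"], []).append((flow["dst"], check_flow(flow) is not None))
    found = {}
    for start in [h for h in edges if zone_of(h) == from_zone]:
        seen = {(start, False)}
        queue = deque([(start, False, [start])])
        while queue:
            host, tainted, path = queue.popleft()
            for nxt, bad in edges.get(host, []):
                if nxt in path:          # keep paths simple (no cycles)
                    continue
                taint = tainted or bad
                if (nxt, taint) in seen:
                    continue
                seen.add((nxt, taint))
                new_path = path + [nxt]
                if taint and zone_of(nxt) == to_zone:
                    found.setdefault(nxt, new_path)
                queue.append((nxt, taint, new_path))
    return found


SAMPLE_FLOWS = [  # constructed records, not real traffic
    "2024-05-01T10:00:01Z 10.50.3.17 10.20.1.5 8883 tcp",  # meter -> collector: allowed
    "2024-05-01T10:00:02Z 10.50.3.17 10.10.4.22 445 tcp",  # meter -> workstation: violation
    "2024-05-01T10:00:03Z 10.10.4.22 10.20.1.9 3389 tcp",  # workstation -> server: allowed
    "2024-05-01T10:00:04Z 10.60.7.2 10.20.1.9 443 tcp",    # PLC -> server on 443: violation
    "2024-05-01T10:00:05Z 10.10.4.22 10.50.3.17 443 tcp",  # admin -> meter web UI: allowed
    "2024-05-01T10:00:06Z 192.0.2.10 10.50.3.17 80 tcp",   # internet -> meter: violation
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow['src']} -> {flow['dst']}:{flow['dport']}  {why}")
    for dst, path in exposure_paths(SAMPLE_FLOWS).items():
        print("EXPOSED", dst, "via", " -> ".join(path))
```

Running it reports three violating flows and one exposed path, meter -> workstation -> server: the second hop is permitted by policy on its own, which is why checking flows one at a time is not enough and the path search matters. On a real network the records would come from firewall or NetFlow exports, and an empty result from the path search is the check that the segmentation actually holds.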
“There’s going to be so much more connectivity,” says Scollar. “The more interconnected and smart these devices are, the greater the challenge is going to become.”
How Agencies Can Address IoT Security Gaps
The GAO report notes that the Defense Department’s policies and guidance for IoT devices include wearables, portable electronic devices, smartphones and devices for industrial control systems. However, it also identifies three significant gaps:
- The policies are “insufficient” for certain devices, such as smart televisions in unsecured areas.
- DOD policy and guidance on cyber-, operational, information and physical security do not currently address IoT devices.
- The department does not require that existing security procedures be implemented on industrial control systems.
“We don’t necessarily want to see guidance for a list of certain devices,” says Kirschbaum. “We want to look at concepts, like how to deal with devices, whether you can control them, and how to mitigate risks if you can’t control them. If you confine yourself to a device, your policies are obsolete from the second you write them.”
Defense officials say that protecting IoT devices will be an ongoing effort that will require agencies to balance between securing their environments and allowing tools that support their missions and enhance service members’ quality of life.
Much of this calculation will depend on the IoT solutions that come to market in the coming years, how vendors protect those solutions and how well (and for how long) vendors support their products, says Nicole Newmeyer, capabilities strategy lead for the IoT enterprise functional team at the NSA. She adds that DOD agencies should seek a seat at the table as vendors make those decisions.
“Industry and academia are going to continue to be the leaders in how this technology evolves,” Newmeyer says. “We’re trying to understand where they’re going and figure out where we need to partner better and collaborate to get this technology where it needs to be.
“IoT represents the next phase in the evolution of technology. The devices that are becoming available now are forming the building blocks of how the technology is going to be shaped in the near future. If the government and Department of Defense aren’t involved in shaping the security of these devices, we’re going to find ourselves at a severe loss.”
According to Hall, the Army already permits some consumer IoT devices, such as personal fitness trackers, at certain facilities and locations, and it’s working with DOD and NSA to determine what else should be permitted and where. The Army also is working to respond to the recommendations of the GAO report, including suggestions that DOD agencies should review and assess existing IoT security policies and identify where new guidelines may be needed.
“We are deliberately taking steps to make sure we do not introduce any unknown or unmitigated risks or vulnerabilities,” Hall says. “The Army is leveraging IoT as a way to provide additional capability to the forces while minimizing risk.”