The federal government is poised to spend about $81.3 billion on IT in fiscal 2018, according to the federal IT Dashboard. It's unclear how much of that will be spent on IoT technology, but that amount is growing. Analysts from the Immix Group estimated in April 2017 that the total federal IoT addressable market will hit $3 billion in fiscal 2018, up from $2.5 billion in fiscal 2016. Meanwhile, the contract and spending analysis firm Govini found that the government spent nearly $9 billion in 2015 on IoT technology.
Although there are differences of opinion on how much the government is spending on IoT right now, it is clear that agencies are adopting IoT technologies for all kinds of use cases, including sensors that measure the physical environment and smart utility systems in government buildings.
Yet the proliferation of sensors and connected devices also means that the attack surface for agencies is increasing. The security of IoT devices has been a constant concern for government IT leaders, especially at the Pentagon.
How can agencies enhance IoT security and engage in the effective management of IoT security risk issues? And are the cybersecurity best practices that have helped guard traditional networks and IT systems useful or adaptable enough to guard against IoT security attacks and weaknesses?
For many federal IT leaders, IoT security risks cannot be eliminated, only managed. “I think it's impossible to ensure network security. I think it's always a conversation about managing the risk,” Jeff Seaton, acting deputy CIO of NASA, tells FedTech magazine.
Within NASA, one of the things the agency is trying to do with respect to IoT is “not create a separate realm or sphere for the Internet of Things, but figure out how understanding the risk associated with IoT can fit within our existing security framework and risk management processes.”
NASA does not want to create a separate set of processes for IoT, Seaton says, “but instead build those into the existing processes we have and evolve those as needed.” The idea is to not treat IoT “as something unique and distinct and separate.”
Even though some agencies like NASA want to fold IoT security into their broader cybersecurity efforts, IoT is changing the nature of the role of the federal CISO. Speaking at a Washington, D.C., cybersecurity event in September, Rod Turk, the CISO and acting CIO of the Commerce Department, said that CISOs and those who work for them need to evaluate IoT security holistically and assess the risks associated with connecting new devices.
“Know what’s in your environment,” he said, according to Federal News Radio. “You may not know all of your IoT, but I’ve got a good hunch that you’ve probably got a sense of where it all is. You know your printers, you know your copiers now have computers in them, and they’re going to be storing information, and they have the ability to take that information and send it out to random places.”
How can federal IT leaders get a handle on IoT security and introduce effective IoT risk management policies? Thankfully, the National Institute of Standards and Technology has a robust program on cybersecurity for IoT. In February, NIST released a draft interagency report on IoT cybersecurity standards, which concludes that without a standardized set of cybersecurity requirements, malicious actors could exploit security gaps and IoT systems could be vulnerable to cyberattacks.
The report offers feds a handy primer on how to effectively address IoT risk management.
How Feds Can Guard Against IoT Security Issues
The NIST report notes that IoT networks are “deployed over a multitude of protocols and physical links” and that therefore “selecting the appropriate messaging and communication protocols depends on the use case and security requirements for each system.”
One characteristic of IoT deployments is the potential for spontaneous connections to be made without a system view. Viewed in this way, according to the NIST report, “IoT could not be ‘planned’ nor secured well using traditional approaches to security since system compositional or emergent properties would never be seen by a risk manager.”
The network interfaces used in these loosely coupled IoT deployments represent attack surfaces for agencies. “Therefore, without a system asset definition and subsequent threat analysis the security design is very unlikely to be useful,” NIST states.
NIST notes that many of the cybersecurity techniques designed for industrial control systems can be adapted for IoT.
For example, agencies can restrict logical access to the network and network activity by “using unidirectional gateways, a demilitarized zone network architecture with firewalls to prevent network traffic from passing directly between the corporate and IoT networks, and having separate authentication mechanisms and credentials for users of the corporate and IoT networks.” Additionally, agencies can restrict physical access to the IoT network and its components via locks, card readers or guards.
NIST also advises agencies to protect individual IoT components from exploitation by deploying security patches “in as expeditious a manner as possible, after testing them under field conditions,” and “disabling all unused ports and services and assuring that they remain disabled.”
The principle of least privilege applies to IoT as well, and agencies should restrict IoT user privileges to only those required for each person’s role. Other best practices include tracking and monitoring audit trails, using security controls such as anti-virus software and “file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware,” notes the NIST report.
Additionally, agencies should seek to prevent the unauthorized modification of IoT data, either in transit or at rest.
Another key aspect of IoT security is to detect security events before they escalate into incidents, NIST argues. Agencies can do this by developing the capability to “detect failed IoT components, unavailable services, and exhausted resources that are important to provide proper and safe functioning of an IoT system.”
If there is a security event, IoT systems need to be able to maintain functionality during such adverse conditions, NIST states. That means designing IoT systems so that each critical component has a redundant counterpart. And if an IoT component fails, “it should fail in a manner that does not generate unnecessary traffic on IoT or other networks, or does not cause another problem elsewhere, such as a cascading event.”
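The detection capability NIST describes (failed components, unavailable services, exhausted resources) and the requirement that a failing component not flood the network can all be evaluated from the heartbeats devices already send. The block below is an added example written for this article, not NIST guidance or a product: the key=value heartbeat format, the device names, the 60-second reporting interval and every threshold are constructed assumptions.

```python
"""Evaluate IoT heartbeats for NIST's event classes (added example).

Constructed key=value heartbeat lines; devices are assumed to report every
60 s, so a gap of more than `stale_after` seconds counts as a failed component."""
from dataclasses import dataclass

# Constructed sample telemetry. badge-02 stopped reporting, cam-07 has a
# service down and memory nearly full, meter-03 is out of disk, and
# hvac-02 is emitting far more traffic than a healthy device should.
SAMPLE_LINES = """
ts=1000 dev=hvac-01 cpu=35 mem=62 disk=40 tx_pps=12 svc=mqtt:up,https:up
ts=1010 dev=cam-07 cpu=88 mem=97 disk=55 tx_pps=15 svc=rtsp:up,https:down
ts=1020 dev=meter-03 cpu=20 mem=30 disk=96 tx_pps=9 svc=mqtt:up
ts=640 dev=badge-02 cpu=10 mem=20 disk=10 tx_pps=5 svc=https:up
ts=1030 dev=hvac-02 cpu=40 mem=50 disk=45 tx_pps=2400 svc=mqtt:up,https:up
""".strip().splitlines()


@dataclass
class Heartbeat:
    ts: int
    dev: str
    cpu: int
    mem: int
    disk: int
    tx_pps: int
    services: dict


def parse_line(line: str) -> Heartbeat:
    """Parse one constructed 'key=value' heartbeat line."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    services = {}
    if fields.get("svc"):
        services = dict(s.split(":", 1) for s in fields["svc"].split(","))
    return Heartbeat(int(fields["ts"]), fields["dev"], int(fields["cpu"]),
                     int(fields["mem"]), int(fields["disk"]),
                     int(fields["tx_pps"]), services)


def evaluate(lines, now, stale_after=180, resource_pct=95, max_tx_pps=1000):
    """Return sorted (device, finding) pairs for the latest heartbeat per device.

    Thresholds are assumptions chosen for the sample, not NIST values."""
    latest = {}
    for hb in map(parse_line, lines):
        if hb.dev not in latest or hb.ts > latest[hb.dev].ts:
            latest[hb.dev] = hb

    findings = []
    for dev, hb in latest.items():
        age = now - hb.ts
        if age > stale_after:
            findings.append((dev, f"failed component: no heartbeat for {age}s"))
            continue  # stale data says nothing reliable about the rest
        for name, state in hb.services.items():
            if state != "up":
                findings.append((dev, f"unavailable service: {name}"))
        for res, value in (("mem", hb.mem), ("disk", hb.disk)):
            if value >= resource_pct:
                findings.append((dev, f"exhausted resource: {res} at {value}%"))
        if hb.tx_pps > max_tx_pps:
            # A component that fails by flooding the network is itself an event.
            findings.append((dev, f"abnormal traffic: {hb.tx_pps} pps"))
    return sorted(findings)


if __name__ == "__main__":
    for dev, finding in evaluate(SAMPLE_LINES, now=1060):
        print(f"{dev}: {finding}")
```

Only the newest heartbeat per device is judged, and a stale device is reported once as failed rather than also as “out of memory” on data that may be minutes old; that keeps the alert list short enough that an operator can act on it before an event becomes an incident.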
Having an effective incident response plan is also essential. “A major characteristic of a good security program is how quickly IoT systems can be recovered after an incident has occurred,” NIST notes.
How to Effectively Manage IoT Security Issues
The proliferation and increased ubiquity of IoT components are likely to heighten the risks they present, according to NIST, particularly as malicious cyberactors “work to develop new generations of malware dedicated to exploiting them.”
As NIST has long argued, agencies must work with IoT vendors to “design components with security in mind.” Systems designers must also “pay attention to new attack surfaces revealed with unforeseen emergent properties of these systems.”
There are several supply chain risk management standards that NIST has approved. However, they are not specific to IoT and “they need to be reviewed to determine if they are sufficient or require revision for IoT systems,” the agency says.
Overall, NIST notes that “there is a multiplicity of risks associated with IoT” and that those risks “should not be assessed and monitored in a vacuum, but take into consideration the broader perspective of risk to ensure all aspects of threat and vulnerability are addressed.”
IoT Security Solutions: Next-Gen Firewalls, Encryption and Beyond
Although agencies face challenges related to IoT security, there are several best practices and technologies IT leaders can turn to in order to secure their IT environments. “All of the security controls and techniques that we have known about and worked with for years can absolutely be applied to the IoT space,” says Christos Dimitriadis, board of directors chair for ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.
“Existing best practices, such as network segmentation, will help take some of the security load off of these devices,” says Mark Blackmer, product marketing manager of industry solutions for Cisco Systems’ security business group.
“External mechanisms, such as machine-learning-based traffic analytics, can help close the [security] gap,” adds Mike Tennefoss, vice president of strategic partnerships for Aruba Networks.
There are other specific technology solutions agencies can use to secure IoT deployments. One is the next-generation firewall (NGFW), a hardware- or software-based network security system that can detect and block attacks by enforcing security policies at the application, port and protocol levels. “Looking at security best practices, the NGFW provides some of the most critical ingredients of total IoT protection,” notes Yariv Fishman, head of product management for vertical solutions and IoT for Check Point Software Technologies.
Encryption also plays an important role in securing IoT devices as well as network communications. “For example, establishing an encrypted virtual private network connection between a device and the network helps eliminate potential attacks, such as ‘Man in the Middle,’ that compromise the integrity and validity of the information provided from the device to the network and vice versa,” Fishman says.
Partitioning a network into secure segments helps isolate IoT devices from mainstream IT devices. While traditional network endpoints typically run endpoint protection services, that’s not true for IoT devices. “If an attacker is able to compromise an IoT device, they could sit there for months undetected while carrying out attacks behind your network perimeter,” warns Marc Laliberte, an information security threat analyst for security provider WatchGuard Technologies. “Because of this threat, IoT devices should be segmented from the rest of the network by an NGFW performing inspection on internetwork connections.”
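The segmentation Laliberte describes here, and the DMZ architecture NIST recommends earlier in the article (no traffic “passing directly between the corporate and IoT networks”), can be written down as an explicit inter-zone allow-list and then checked against observed flows, which is also a quick way to audit whether an existing firewall actually enforces it. The block below is an added example written for this article, not code from NIST, WatchGuard or any vendor; the address ranges, the allowed port list and the sample flow records are all constructed assumptions.

```python
"""Check observed flows against a corporate / DMZ / IoT segmentation policy
(added example). Zones, ports and flow records are constructed assumptions."""
import ipaddress

# Assumed zone layout: staff on the corporate range, a DMZ holding the
# broker/collector, and the IoT segment reachable only through the DMZ.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "iot": ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed (src_zone, dst_zone, proto, dst_port). Anything inter-zone that is
# not listed is a violation, which is what gives the policy its default-deny
# character. Port choices are assumptions for the sample.
ALLOWED = {
    ("corporate", "dmz", "tcp", 443),  # staff reach the collector's web UI
    ("dmz", "iot", "tcp", 8883),       # collector polls devices over MQTT/TLS
    ("iot", "dmz", "tcp", 8883),       # devices publish to the DMZ broker
    ("iot", "dmz", "udp", 123),        # devices sync time from a DMZ NTP server
}

# Constructed flow records as a collector might export them.
SAMPLE_FLOWS = """
src=10.10.5.20 dst=10.20.0.10 proto=tcp dport=443
src=10.10.5.20 dst=10.30.1.15 proto=tcp dport=22
src=10.30.1.15 dst=10.20.0.10 proto=tcp dport=8883
src=10.30.1.15 dst=10.10.5.20 proto=tcp dport=445
src=10.30.1.15 dst=203.0.113.9 proto=tcp dport=443
src=10.30.1.15 dst=10.30.1.16 proto=tcp dport=80
""".strip().splitlines()


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the three ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "proto": fields["proto"].lower(), "dport": int(fields["dport"])}


def check_flows(lines) -> list:
    """Return one description per inter-zone flow the policy does not allow.

    Intra-zone traffic is skipped: the inter-zone policy says nothing about it."""
    violations = []
    for flow in map(parse_flow, lines):
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone:
            continue
        key = (src_zone, dst_zone, flow["proto"], flow["dport"])
        if key not in ALLOWED:
            violations.append(
                f"{src_zone}->{dst_zone} {flow['proto']}/{flow['dport']} "
                f"from {flow['src']} to {flow['dst']}")
    return violations


if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print("VIOLATION:", v)
```

Two of the three flagged flows are the exact cases the article warns about: a corporate host reaching an IoT device directly, and an IoT device initiating a connection back into the corporate segment. The third, an IoT device talking to an outside address, is the “send it out to random places” behaviour Turk describes; a default-deny inter-zone policy catches it without needing a signature for the specific device.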